Shared Renovate configuration presets for WorkOS repositories.
Centralize dependency-management policy across the org so that a single edit propagates to every consuming repo. This repository provides two presets:
| Preset | File | Best for |
|---|---|---|
| Default | default.json |
Internal repositories with conservative update policies |
| Public | public.json |
Public SDK and library repositories |
The base preset that all WorkOS repositories can extend. It implements supply-chain hardening and conservative dependency management:
- Pins GitHub Actions to full commit SHAs via
helpers:pinGitHubActionDigests. Any newly-added action referenced by tag (e.g.actions/checkout@v6) gets auto-pinned to a SHA with a version comment (@<sha> # v6). - Enforces a 7-day minimum release age (
minimumReleaseAge: "7 days"). New action releases are not eligible for auto-update until they have been published for 7+ days. - Treats missing release timestamps as "not yet eligible" (
minimumReleaseAgeBehaviour: "timestamp-required") — the safer default introduced in Renovate 42. - Suppresses branches for not-yet-eligible updates (
internalChecksFilter: "strict") so the inbox stays quiet. - Groups and auto-merges minor/patch/digest GitHub Actions updates after CI passes. Major updates open a separate PR and require human review.
- Patch-only policy for software dependencies by default — minor and major dependency updates are disabled in the base preset. Patch updates are auto-merged after CI passes and the 7-day minimum age is met. Patch PRs are labeled
renovate/patchat creation time. Consuming repos can override this to enable minor updates (see Enabling minor updates). - Groups patch updates by dependency name — all packages that use the same dependency are updated in a single PR. This ensures monorepos with version-consistency policies (e.g. Rush) pass lockfile validation. For single-package repos this is a no-op.
- After-hours schedule — Renovate only runs outside business hours for both US coasts: weekdays 9 PM–7 AM Eastern (6 PM–4 AM Pacific), and all day on weekends. The weekend window closes at 7 AM ET Monday.
- Security/vulnerability PRs follow the same schedule — Renovate's built-in default creates vulnerability-fix PRs immediately (
schedule: []), bypassing any configured schedule. This preset overrides that default so security PRs are only opened during the same after-hours window as regular updates.
Extends the default preset with a more permissive update policy suited for public SDK and library repositories:
- Inherits all base protections — SHA pinning, 7-day release age, GitHub Actions grouping.
- Enables minor and major dependency updates — overrides the default patch-only policy.
- Automerges minor and patch updates for all dependencies, grouped together.
- Major updates require human review — not auto-merged.
- Monthly schedule — runs on the 15th of each month before 12pm UTC.
- No merge-queue labels — does not add labels like
aviator/mergesince public repos typically merge PRs directly. - Security/vulnerability PRs fire immediately — overrides the base preset's after-hours constraint so security fixes are not delayed in public repos.
In your repo's renovate.json:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["github>workos/renovate-config"]
}{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["github>workos/renovate-config:public"]
}If you only want Renovate to manage GitHub Actions in your repo (and not, say, package.json), add enabledManagers:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["github>workos/renovate-config"],
"enabledManagers": ["github-actions"]
}You can also override anything from either preset locally — extends is mergeable.
For most repos, extending a preset is sufficient — Renovate will open and merge eligible PRs directly once CI passes.
Repos that use Aviator as their merge queue require an additional step, because Aviator enforces a minimum approval count before queuing a PR. For those repos, add a small workflow that calls the shared auto-approve workflow hosted here. Create .github/workflows/renovate-auto-approve.yml in your repo:
name: Auto-approve Renovate PRs
on:
pull_request:
types: [opened, labeled]
jobs:
auto-approve:
uses: workos/renovate-config/.github/workflows/auto-approve-renovate.yml@main
permissions:
pull-requests: writeThis workflow approves any PR opened by renovate[bot] that carries the renovate/patch or renovate/minor label, satisfying Aviator's approval precondition. Aviator then queues the PR once CI passes.
The default preset disables minor (and major) updates for software dependencies. To opt in to automerged minor updates in a consuming repo, add a packageRules entry that re-enables them and labels the PRs so the auto-approve workflow fires:
{
"packageRules": [
{
"description": "Enable and automerge minor updates, grouped by dependency name.",
"matchManagers": ["!github-actions"],
"matchUpdateTypes": ["minor"],
"enabled": true,
"groupName": "{{{depName}}}",
"groupSlug": "{{{depNameSanitized}}}",
"automerge": true,
"addLabels": ["renovate/minor"]
}
]
}The addLabels: ["renovate/minor"] is required — without it the auto-approve workflow's label check will never match and PRs will sit without approval.
Repositories are managed by one of two Renovate runners:
| Runner | Repos | postUpgradeTasks |
Setup |
|---|---|---|---|
Self-hosted (.github/workflows/renovate.yml) |
Listed in .github/renovate-global-config.js |
Yes | See below |
| Mend Renovate GitHub App | All other repos | No | Install the app |
The self-hosted runner is a scheduled GitHub Actions workflow in this repository that runs the Renovate Docker container. It supports postUpgradeTasks (e.g. rush update for lockfile generation), which the Mend-hosted app cannot provide.
Configuration:
.github/workflows/renovate.yml— the workflow definition (schedule, runner, auth).github/renovate-global-config.js— self-hosted global config (repo list, allowed commands)
Required secrets (in this repo's Actions settings):
RENOVATE_APP_PRIVATE_KEY— private key for the GitHub App used by the runnerRENOVATE_APP_ID— GitHub App ID (stored as a variable, not a secret)SOCKET_FIREWALL_TOKEN— token for the Socket Firewall npm registry proxy
Adding a repo to the self-hosted runner:
- Add the repo to
repositoriesin.github/renovate-global-config.js - Remove the repo from the Mend Renovate GitHub App's installation (Settings → Integrations → GitHub Apps → Renovate → Configure → deselect the repo)
- If the repo needs post-upgrade commands, add the command regex to
allowedCommandsin the global config and addpostUpgradeTasksto the repo'srenovate.json
Manual trigger:
The workflow supports workflow_dispatch with optional dry-run and log-level inputs for testing.
For repos not yet migrated to self-hosted, the Mend Renovate GitHub App must be installed on the repo (or installed org-wide). Check at the Mend dashboard.
Open a PR against this repo. Once merged, the change applies to every consuming repo on Renovate's next run.