feat(renovate): auto-merge pip_requirements + onboarding docs #228
JacobPEvans merged 4 commits into main from
Conversation
…arding

Two related gaps surfaced while auditing why mlx-benchmarks's lockfile and space/requirements.txt fell years behind on dependency updates:

1. The org renovate-presets had an auto-merge rule for `pep621` (pyproject.toml) but no equivalent for `pip_requirements` (requirements.txt). Repos like mlx-benchmarks that ship a HuggingFace Spaces requirements.txt would accumulate manual-review minor/patch PRs even when the package source is already trusted via the org-wide allow-list. Merge the two managers into a single rule; they have identical update semantics.

2. There was no documentation telling repo maintainers that Mend's auto-generated "Configure Renovate" PR (which scaffolds only `config:recommended`) must be edited to extend `local>JacobPEvans/.github:renovate-presets`. The audit found 31 of 32 public repos compliant; mlx-benchmarks slipped through because the on-board PR was merged without that edit. Result: `lockFileMaintenance`, `vulnerabilityAlerts` automerge, the trusted-org 1-day stabilization, and the 3-day default were all silently disabled for that repo. Add a "New repository onboarding" section to CLAUDE.md plus the audit one-liner so the same drift is detectable going forward.

The 3-day default / 1-day trusted-org / 0-day vulnerability stabilization policy itself is unchanged; it is already correct in renovate-presets.json. (claude)
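To make the two gaps in the description concrete, the following is an added example (not code from this PR or from the org's renovate-presets.json): it models the preset before and after the change, answers "which managers get auto-merged for a given update type?", and runs the onboarding audit over a constructed set of per-repo renovate.json contents. The preset and repo configs are constructed stand-ins built from real Renovate keys (`extends`, `packageRules`, `matchManagers`, `matchUpdateTypes`, `automerge`, `minimumReleaseAge`, `lockFileMaintenance`, `vulnerabilityAlerts`); the repo names and rule values are assumptions, and the real audit one-liner uses `gh` against the live org rather than an in-memory dict.

```python
"""Renovate drift check: which managers a preset auto-merges, and which repos
fail to extend the org preset. Added example; all configs below are constructed."""
import json
from typing import Optional

ORG_PRESET_REF = "local>JacobPEvans/.github:renovate-presets"

# Constructed approximation of the org preset BEFORE this PR: only pep621 auto-merges.
PRESET_BEFORE = {
    "minimumReleaseAge": "3 days",                     # default stabilization
    "lockFileMaintenance": {"enabled": True},
    "vulnerabilityAlerts": {"automerge": True, "minimumReleaseAge": "0 days"},
    "packageRules": [
        {
            "matchManagers": ["pep621"],
            "matchUpdateTypes": ["minor", "patch"],
            "minimumReleaseAge": "1 day",              # trusted-org stabilization
            "automerge": True,
        }
    ],
}

# Constructed approximation AFTER this PR: the two managers share one rule.
PRESET_AFTER = json.loads(json.dumps(PRESET_BEFORE))  # deep copy
PRESET_AFTER["packageRules"][0]["matchManagers"] = ["pep621", "pip_requirements"]


def automerged_managers(preset: dict, update_type: str) -> set:
    """Managers whose updates of `update_type` are auto-merged by `preset`.

    A rule without matchUpdateTypes applies to every update type; a rule without
    matchManagers cannot be enumerated by manager and is skipped here.
    """
    managers = set()
    for rule in preset.get("packageRules", []):
        if not rule.get("automerge"):
            continue
        types = rule.get("matchUpdateTypes")
        if types is not None and update_type not in types:
            continue
        managers.update(rule.get("matchManagers", []))
    return managers


def extends_org_preset(raw_config: str) -> bool:
    """True if the repo's renovate.json text extends the org preset."""
    try:
        config = json.loads(raw_config)
    except json.JSONDecodeError:
        return False  # unparseable config is treated as non-compliant
    return ORG_PRESET_REF in config.get("extends", [])


def audit(repo_configs: dict) -> list:
    """Repos (sorted) whose config does not extend the org preset."""
    return sorted(name for name, raw in repo_configs.items()
                  if not extends_org_preset(raw))


# Constructed sample: two compliant repos and one Mend-generated stub.
SAMPLE_REPOS = {
    "repo-a": '{"extends": ["%s"]}' % ORG_PRESET_REF,
    "repo-b": '{"$schema": "https://docs.renovatebot.com/renovate-schema.json",'
              ' "extends": ["%s", "config:recommended"]}' % ORG_PRESET_REF,
    "mlx-benchmarks": '{"extends": ["config:recommended"]}',  # the stub from the description
}


if __name__ == "__main__":
    for label, preset in (("before", PRESET_BEFORE), ("after", PRESET_AFTER)):
        print(label, "patch auto-merge:", sorted(automerged_managers(preset, "patch")))
        print(label, "major auto-merge:", sorted(automerged_managers(preset, "major")))
    print("non-compliant repos:", audit(SAMPLE_REPOS))
```

The audit deliberately treats "extends exists but points only at `config:recommended`" the same as "no extends at all": in both cases none of the org-level settings (`lockFileMaintenance`, `vulnerabilityAlerts` automerge, the 1-day trusted-org rule) reach the repo, which is exactly the silent failure the description reports.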
Pull request overview
Updates the org-wide Renovate preset and repository documentation to prevent new repositories from drifting onto incomplete Renovate configs and to reduce manual review burden for safe Python dependency updates.
Changes:
- Extend the existing Renovate auto-merge rule for Python minor/patch updates to cover both `pep621` and `pip_requirements`.
- Document the required org-preset extension during new-repo Renovate onboarding, including an audit one-liner to detect drift.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| renovate-presets.json | Expands Python auto-merge coverage to include requirements.txt via pip_requirements. |
| CLAUDE.md | Adds onboarding guidance and an audit command to ensure repos extend the org Renovate preset. |
Summary of Changes
Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request enhances the organization's dependency management by expanding Renovate's auto-merge capabilities for Python packages and providing clear documentation for new repository onboarding. These changes aim to prevent future dependency drift and security vulnerabilities by ensuring all repositories correctly inherit and utilize the established Renovate presets.
--limit 50 silently truncates; --limit 1000 covers the full public repo set. (claude)
Adjacent entries average ~50 chars; new description was 239 chars. (claude)
CLAUDE.md should stay brief. Moved the onboarding guide and audit one-liner to docs/RENOVATE.md; left a one-line pointer in CLAUDE.md. (claude)
Summary
- Auto-merge `pip_requirements` (requirements.txt) in addition to `pep621` (pyproject.toml) for trusted-org packages
- `docs/RENOVATE.md` with canonical config and audit script

Changes
- `renovate-presets.json`: Merged `pip_requirements` into the existing pep621 auto-merge rule (identical update semantics, trusted-org sources only). Shortened description for consistency with terse org style. Raised audit one-liner repo limit from 50 to 1000.
- `docs/RENOVATE.md`: New onboarding guide with 4-line canonical config and one-liner audit script to detect future config drift (moved out of CLAUDE.md).

Root cause
31 of 32 JacobPEvans public repos extend `local>JacobPEvans/.github:renovate-presets` correctly; mlx-benchmarks' Mend-auto-generated stub (`{"extends": ["config:recommended"]}`) silently lost lock maintenance, vulnerability alert automation, and trusted-org auto-merge. This PR hardens the org config and documents the onboarding requirement.

Test plan
- `jq empty renovate-presets.json`: valid JSON
- `pre-commit run --files docs/RENOVATE.md renovate-presets.json`: all hooks pass
- `pip_requirements` PRs auto-merge per new rule