Configure Renovate (#25255)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Renaud Chaput <renchap@gmail.com>

.github/dependabot.yml

@@ -1,99 +0,0 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
-version: 2
-updates:
-  - package-ecosystem: npm
-    directory: '/'
-    schedule:
-      interval: weekly
-    open-pull-requests-limit: 99
-    allow:
-      - dependency-type: direct
-    ignore:
-      # This version needs to match Rails major version, so stick to 6.x only
-      - dependency-name: '@rails/ujs'
-        versions:
-          - '>= 7'
-      # TODO: This requires code changes for migration
-      - dependency-name: 'tesseract.js'
-        versions:
-          - '>= 3'
-      # TODO: This version needs manual updates for breaking changes
-      - dependency-name: 'react-hotkeys'
-        versions:
-          - '>= 2'
-      # TODO: This version requires code changes
-      - dependency-name: 'webpack-dev-server'
-        versions:
-          - '>= 4'
-      # TODO: This version was ignored in https://github.com/mastodon/mastodon/pull/15238
-      - dependency-name: 'webpack-cli'
-        versions:
-          - '>= 4'
-
-  - package-ecosystem: bundler
-    directory: '/'
-    schedule:
-      interval: weekly
-    open-pull-requests-limit: 99
-    allow:
-      - dependency-type: direct
-    ignore:
-      # This version needs to match Rails major version, so stick to 6.x only
-      - dependency-name: 'rails-i18n'
-        versions:
-          - '>= 7.0.0'
-      # This version needs manual updates https://github.com/rails/sprockets/blob/master/UPGRADING.md#guide-to-upgrading-from-sprockets-3x-to-4x
-      - dependency-name: 'sprockets'
-        versions:
-          - '>= 4.0.0'
-      # This version needs manual updates https://github.com/rails/sprockets/blob/master/UPGRADING.md#guide-to-upgrading-from-sprockets-3x-to-4x
-      - dependency-name: 'strong_migrations'
-        versions:
-          - '>= 1.0.0'
-      # This version needs updates and to sync with sidekiq-unique-jobs
-      - dependency-name: 'sidekiq'
-        versions:
-          - '>= 7.0.0'
-      # This version needs updates and to sync with sidekiq
-      - dependency-name: 'sidekiq-unique-jobs'
-        versions:
-          - '>= 8.0.0'
-      # This version needs updates and to sync with sidekiq and sidekiq-unique-jobs
-      - dependency-name: 'redis'
-        versions:
-          - '>= 5.0.0'
-      # TODO: was ignored in https://github.com/mastodon/mastodon/pull/13964
-      - dependency-name: 'fog-openstack'
-        versions:
-          - '>= 1.0.0'
-      # sassc dependency issue tracked in https://github.com/BetterErrors/better_errors/issues/516
-      - dependency-name: 'better_errors'
-        versions:
-          - '2.10.0'
-
-  - package-ecosystem: github-actions
-    directory: '/'
-    schedule:
-      interval: weekly
-    open-pull-requests-limit: 99
-    allow:
-      - dependency-type: direct
-
-  - package-ecosystem: docker
-    directory: '/'
-    schedule:
-      interval: weekly
-    open-pull-requests-limit: 99
-    ignore:
-      - dependency-name: 'moritzheiber/ruby-jemalloc'
-        update-types:
-          # only suggest patch releases for ruby and needs to sync with .ruby-version
-          - 'version-update:semver-minor'
-      - dependency-name: 'node'
-        update-types:
-          # only node minor releases allowed unless .nvmrc major is changed
-          - 'version-update:semver-major'

.github/renovate.json5

@@ -0,0 +1,109 @@
+{
+  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
+  extends: [
+    'config:base',
+    ':dependencyDashboard',
+    ':labels(dependencies)',
+    ':maintainLockFilesMonthly', // update non-direct dependencies monthly
+    ':prConcurrentLimit10', // only 10 open PRs at the same time
+  ],
+  stabilityDays: 3, // Wait 3 days after the package has been published before upgrading it
+  // packageRules order is important, they are applied from top to bottom and are merged,
+  // so for example grouping rules needs to be at the bottom
+  packageRules: [
+    {
+      // Ignore major version bumps for these node packages
+      matchManagers: ['npm'],
+      matchPackageNames: [
+        '@rails/ujs', // Needs to match the major Rails version
+        'tesseract.js', // Requires code changes
+        'react-hotkeys', // Requires code changes
+
+        // Requires Webpacker upgrade or replacement
+        '@types/webpack',
+        'babel-loader',
+        'compression-webpack-plugin',
+        'css-loader',
+        'imports-loader',
+        'mini-css-extract-plugin',
+        'postcss-loader',
+        'sass-loader',
+        'terser-webpack-plugin',
+        'webpack',
+        'webpack-assets-manifest',
+        'webpack-bundle-analyzer',
+        'webpack-dev-server',
+        'webpack-cli',
+
+        // react-router: Requires manual upgrade
+        'history',
+        'react-router-dom',
+      ],
+      matchUpdateTypes: ['major'],
+      enabled: false,
+    },
+    {
+      // Ignore major version bumps for these Ruby packages
+      matchManagers: ['bundler'],
+      matchPackageNames: [
+        'sprockets', // Requires manual upgrade https://github.com/rails/sprockets/blob/master/UPGRADING.md#guide-to-upgrading-from-sprockets-3x-to-4x
+        'strong_migrations', // Requires manual upgrade
+        'sidekiq', // Requires manual upgrade
+        'sidekiq-unique-jobs', // Requires manual upgrades and sync with Sidekiq version
+        'redis', // Requires manual upgrade and sync with Sidekiq version
+        'fog-openstack', // TODO: was ignored in https://github.com/mastodon/mastodon/pull/13964
+
+        // Needs major Rails version bump
+        'rack',
+        'rails',
+        'rails-i18n',
+      ],
+      matchUpdateTypes: ['major'],
+      enabled: false,
+    },
+    {
+      // Update Github Actions and Docker images weekly
+      matchManagers: ['github-actions', 'dockerfile', 'docker-compose'],
+      extends: ['schedule:weekly'],
+    },
+    {
+      // Ignore major & minor bumps for the ruby image, this needs to be synced with .ruby-version
+      matchManagers: ['dockerfile'],
+      matchPackageNames: ['moritzheiber/ruby-jemalloc'],
+      matchUpdateTypes: ['minor', 'major'],
+      enabled: false,
+    },
+    {
+      // Ignore major bump for the node image, this needs to be synced with .nvmrc
+      matchManagers: ['dockerfile'],
+      matchPackageNames: ['node'],
+      matchUpdateTypes: ['major'],
+      enabled: false,
+    },
+    {
+      // Ignore major postgres bumps in the docker-compose file, as those break dev environments
+      matchManagers: ['docker-compose'],
+      matchPackageNames: ['postgres'],
+      matchUpdateTypes: ['major'],
+      enabled: false,
+    },
+    {
+      // Update devDependencies every week, with one grouped PR
+      matchDepTypes: 'devDependencies',
+      matchUpdateTypes: ['patch', 'minor'],
+      excludePackageNames: [
+        'typescript', // Typescript has many changes in minor versions, needs to be checked every time
+      ],
+      groupName: 'devDependencies (non-major)',
+      extends: ['schedule:weekly'],
+    },
+    {
+      // Update @types/* packages every week, with one grouped PR
+      matchPackagePrefixes: '@types/',
+      matchUpdateTypes: ['patch', 'minor'],
+      groupName: 'DefinitelyTyped types (non-major)',
+      extends: ['schedule:weekly'],
+      addLabels: ['typescript'],
+    },
+  ],
+}

.github/workflows/lint-css.yml

@@ -3,6 +3,7 @@ on:
   push:
     branches-ignore:
       - 'dependabot/**'
+      - 'renovate/**'
     paths:
       - 'package.json'
       - 'yarn.lock'

.github/workflows/lint-haml.yml

@@ -3,6 +3,7 @@ on:
   push:
     branches-ignore:
       - 'dependabot/**'
+      - 'renovate/**'
     paths:
       - '.github/workflows/haml-lint-problem-matcher.json'
       - '.github/workflows/lint-haml.yml'

.github/workflows/lint-js.yml

@@ -3,6 +3,7 @@ on:
   push:
     branches-ignore:
       - 'dependabot/**'
+      - 'renovate/**'
     paths:
       - 'package.json'
       - 'yarn.lock'

.github/workflows/lint-json.yml

@@ -3,6 +3,7 @@ on:
   push:
     branches-ignore:
       - 'dependabot/**'
+      - 'renovate/**'
     paths:
       - 'package.json'
       - 'yarn.lock'

.github/workflows/lint-md.yml

@@ -3,6 +3,7 @@ on:
   push:
     branches-ignore:
       - 'dependabot/**'
+      - 'renovate/**'
     paths:
       - '.github/workflows/lint-md.yml'
       - '.nvmrc'

.github/workflows/lint-ruby.yml

@@ -3,6 +3,7 @@ on:
   push:
     branches-ignore:
       - 'dependabot/**'
+      - 'renovate/**'
     paths:
       - 'Gemfile*'
       - '.rubocop*.yml'

.github/workflows/lint-yml.yml

@@ -3,6 +3,7 @@ on:
   push:
     branches-ignore:
       - 'dependabot/**'
+      - 'renovate/**'
     paths:
       - 'package.json'
       - 'yarn.lock'

.github/workflows/rebase-needed.yml

@@ -4,10 +4,12 @@ on:
   push:
     branches-ignore:
       - 'dependabot/**'
+      - 'renovate/**'
       - 'l10n_main'
   pull_request_target:
     branches-ignore:
       - 'dependabot/**'
+      - 'renovate/**'
       - 'l10n_main'
     types: [synchronize]
 

.github/workflows/test-js.yml

@@ -3,6 +3,7 @@ on:
   push:
     branches-ignore:
       - 'dependabot/**'
+      - 'renovate/**'
     paths:
       - 'package.json'
       - 'yarn.lock'

.github/workflows/test-migrations-one-step.yml

@@ -3,6 +3,7 @@ on:
   push:
     branches-ignore:
       - 'dependabot/**'
+      - 'renovate/**'
   pull_request:
 
 jobs:

.github/workflows/test-migrations-two-step.yml

@@ -3,6 +3,7 @@ on:
   push:
     branches-ignore:
       - 'dependabot/**'
+      - 'renovate/**'
   pull_request:
 
 jobs:

.github/workflows/test-ruby.yml

@@ -4,6 +4,7 @@ on:
   push:
     branches-ignore:
       - 'dependabot/**'
+      - 'renovate/**'
   pull_request:
 
 env: