From dfab0c346afb35005ed6345c5dce5c1961e78d13 Mon Sep 17 00:00:00 2001 From: JacobPEvans <20714140+JacobPEvans@users.noreply.github.com> Date: Tue, 31 Mar 2026 04:24:50 -0400 Subject: [PATCH] fix(renovate): unified manager-agnostic trusted orgs rule + lock file automerge MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Trust is org-based, not manager-based. A package from github/** should auto-merge whether detected by github-actions, custom.regex, or nix manager. Changes: - Remove matchManagers constraint from trusted orgs rule - Remove matchUpdateTypes constraint — trusted orgs get ALL update types (major, minor, patch, digest, pin, etc.) - Merge GitHub Actions + Nix flake input trust lists into single rule - Include both bare (github/**) and URL-prefixed (https://github.com/github/**) patterns since different managers report depName differently - Add automerge to lockFileMaintenance config - Remove redundant Nix flake inputs rule (orgs now in unified rule) - Remove redundant HuggingFace custom.regex rule (covered by source URL rule) - Remove hashicorp/* from Terraform providers rule (now in unified rule) - Expand trusted orgs: ansible, aws-ia, bitwarden, codecov, criblio, DopplerHQ, huggingface, kubernetes, kubernetes-sigs, nix-darwin, nix-systems, obra, open-telemetry, ossf, pre-commit, pypa, renovatebot, semgrep, sigstore Fixes: nix-ai#381 (github/gh-aw not auto-merging via custom.regex manager) (claude)
---
 renovate-presets.json | 140 +++++++++++++++++++++++++++---------------
 1 file changed, 90 insertions(+), 50 deletions(-)
diff --git a/renovate-presets.json b/renovate-presets.json
index ea676ee..57222fb 100644
--- a/renovate-presets.json
+++ b/renovate-presets.json
@@ -13,7 +13,10 @@
 "timezone": "America/Chicago",
 "lockFileMaintenance": {
 "enabled": true,
- "schedule": ["before 7am on Monday", "before 7am on Thursday"]
+ "schedule": ["before 7am on Monday", "before 7am on Thursday"],
+ "automerge": true,
+ "automergeType": "pr",
+ "automergeStrategy": "squash"
 },
 "customManagers": [
 {
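Review bot: Enabling `"automerge": true` inside `lockFileMaintenance` lets lock-file refreshes merge without passing through any of the `packageRules` trust lists, because a maintenance run re-resolves every locked dependency at once rather than one package at a time. If the nix manager is among those enabled (not visible in this hunk), that would include flake inputs from orgs outside the trusted list, and as far as I can tell `minimumReleaseAge` does not delay these refreshes either. I would leave these PRs for manual review by dropping the `"automerge": true,` line, or at minimum confirm that branch protection requires the full CI suite before a Renovate PR can merge.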
@@ -43,31 +46,103 @@
 "minimumReleaseAge": "0 days"
 },
 {
- "description": "Auto-merge trusted GitHub Actions including major (3-day stabilization)",
- "matchManagers": ["github-actions"],
+ "description": "Auto-merge trusted orgs — all managers, all update types (3-day stabilization)",
 "matchPackageNames": [
 "actions/**",
- "googleapis/**",
+ "ansible/**",
 "anthropics/**",
 "astral-sh/**",
- "DeterminateSystems/**",
- "peter-evans/**",
+ "aws-actions/**",
+ "aws-ia/**",
+ "Azure/**",
+ "bitwarden/**",
+ "cachix/**",
+ "codecov/**",
+ "criblio/**",
 "DavidAnson/**",
+ "DeterminateSystems/**",
+ "docker/**",
+ "DopplerHQ/**",
 "dorny/**",
+ "edolstra/**",
 "github/**",
- "softprops/**",
+ "google/**",
+ "google-github-actions/**",
+ "googleapis/**",
 "hashicorp/**",
+ "hercules-ci/**",
+ "huggingface/**",
+ "kubernetes/**",
+ "kubernetes-sigs/**",
+ "microsoft/**",
+ "nix-community/**",
+ "nix-darwin/**",
+ "nix-systems/**",
+ "NixOS/**",
+ "numtide/**",
+ "obra/**",
+ "open-telemetry/**",
 "opentofu/**",
+ "ossf/**",
+ "oxalica/**",
+ "peter-evans/**",
+ "pre-commit/**",
+ "pypa/**",
 "python/**",
- "microsoft/**",
- "Azure/**",
 "raycast/**",
- "aws-actions/**",
- "google/**",
- "google-github-actions/**",
- "docker/**"
+ "renovatebot/**",
+ "semgrep/**",
+ "sigstore/**",
+ "softprops/**",
+ "wakatime/**",
+ "https://github.com/actions/**",
+ "https://github.com/ansible/**",
+ "https://github.com/anthropics/**",
+ "https://github.com/astral-sh/**",
+ "https://github.com/aws-actions/**",
+ "https://github.com/aws-ia/**",
+ "https://github.com/Azure/**",
+ "https://github.com/bitwarden/**",
+ "https://github.com/cachix/**",
+ "https://github.com/codecov/**",
+ "https://github.com/criblio/**",
+ "https://github.com/DavidAnson/**",
+ "https://github.com/DeterminateSystems/**",
+ "https://github.com/docker/**",
+ "https://github.com/DopplerHQ/**",
+ "https://github.com/dorny/**",
+ "https://github.com/edolstra/**",
+ "https://github.com/github/**",
+ "https://github.com/google/**",
+ "https://github.com/google-github-actions/**",
+ "https://github.com/googleapis/**",
+ "https://github.com/hashicorp/**",
+ "https://github.com/hercules-ci/**",
+ "https://github.com/huggingface/**",
+ "https://github.com/kubernetes/**",
+ "https://github.com/kubernetes-sigs/**",
+ "https://github.com/microsoft/**",
+ "https://github.com/nix-community/**",
+ "https://github.com/nix-darwin/**",
+ "https://github.com/nix-systems/**",
+ "https://github.com/NixOS/**",
+ "https://github.com/numtide/**",
+ "https://github.com/obra/**",
+ "https://github.com/open-telemetry/**",
+ "https://github.com/opentofu/**",
+ "https://github.com/ossf/**",
+ "https://github.com/oxalica/**",
+ "https://github.com/peter-evans/**",
+ "https://github.com/pre-commit/**",
+ "https://github.com/pypa/**",
+ "https://github.com/python/**",
+ "https://github.com/raycast/**",
+ "https://github.com/renovatebot/**",
+ "https://github.com/semgrep/**",
+ "https://github.com/sigstore/**",
+ "https://github.com/softprops/**",
+ "https://github.com/wakatime/**"
 ],
- "matchUpdateTypes": ["major", "minor", "patch"],
 "automerge": true,
 "automergeType": "pr",
 "automergeStrategy": "squash",
@@ -86,10 +161,7 @@
 "description": "Auto-merge trusted Terraform providers (3-day stabilization, minor/patch only)",
 "matchManagers": ["terraform"],
 "matchDatasources": ["terraform-provider"],
- "matchPackageNames": [
- "hashicorp/*",
- "bpg/*"
- ],
+ "matchPackageNames": ["bpg/*"],
 "matchUpdateTypes": ["minor", "patch"],
 "automerge": true,
 "automergeType": "pr",
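Review bot: With `matchManagers` removed and nothing put in its place, the entries in `matchPackageNames` are matched as plain name prefixes in every datasource, so `docker/**`, `google/**` or `microsoft/**` also match same-named namespaces on registries where ownership is unrelated to the GitHub org (container registries, `vendor/name`-style package indexes). That makes trust name-based rather than org-based, and with `matchUpdateTypes` also dropped, those matches auto-merge major updates too. The rule can stay manager-agnostic while being scoped to GitHub-backed sources by adding `"matchDatasources": ["github-tags", "github-releases", "git-refs"],` next to the name list, extended to whatever datasources the custom managers actually use. It is also worth confirming that digest and git-refs updates carry a release timestamp, since the 3-day stabilization named in the description depends on one; the rule's `minimumReleaseAge` line lies outside the hunk.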
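Review bot: Moving `hashicorp/*` out of this rule changes more than where the org is listed: the Terraform rule is limited by `matchUpdateTypes` to minor and patch, while the unified rule has no update-type limit, so major `hashicorp` provider upgrades would now auto-merge (assuming the provider's package name is reported as `hashicorp/<name>`). Provider majors commonly carry breaking schema changes, so if that is not intended, a later rule such as `{ "matchDatasources": ["terraform-provider"], "matchUpdateTypes": ["major"], "automerge": false }` would keep them under manual review. The description still promises "minor/patch only" for trusted Terraform providers although only `bpg/*` remains under that limit; the rule object starts and ends outside the hunk.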
@@ -106,44 +178,12 @@
 "automergeStrategy": "squash",
 "minimumReleaseAge": "3 days"
 },
- {
- "description": "Auto-merge trusted Nix flake inputs (3-day stabilization, CI-gated)",
- "matchManagers": ["nix"],
- "matchDatasources": ["git-refs"],
- "matchPackageNames": [
- "https://github.com/NixOS/**",
- "https://github.com/nix-community/**",
- "https://github.com/cachix/**",
- "https://github.com/anthropics/**",
- "https://github.com/numtide/**",
- "https://github.com/hercules-ci/**",
- "https://github.com/DeterminateSystems/**",
- "https://github.com/edolstra/**",
- "https://github.com/oxalica/**",
- "https://github.com/wakatime/**"
- ],
- "automerge": true,
- "automergeType": "pr",
- "automergeStrategy": "squash",
- "minimumReleaseAge": "3 days"
- },
 {
 "description": "GitHub releases use v-prefixed tags for custom Nix packages",
 "matchDatasources": ["github-releases"],
 "matchManagers": ["custom.regex"],
 "extractVersion": "^v(?.+)$"
 },
- {
- "description": "Auto-merge trusted PyPI packages from HuggingFace (custom managers)",
- "matchDatasources": ["pypi"],
- "matchManagers": ["custom.regex"],
- "matchPackageNames": ["huggingface-hub", "huggingface-mcp-server"],
- "matchUpdateTypes": ["minor", "patch"],
- "automerge": true,
- "automergeType": "pr",
- "automergeStrategy": "squash",
- "minimumReleaseAge": "3 days"
- },
 {
 "description": "Twice-weekly schedule for all custom regex managers",
 "matchManagers": ["custom.regex"],