mirrors/uv
1
0
Fork 0
mirror of https://github.com/astral-sh/uv.git synced 2025-07-07 13:25:00 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
uv/.github/renovate.json5
Charlie Marsh 4d989b3630
Instruct Renovate to pin GitHub Actions based on SHA (#12189) 
## Summary

The intent here is that all actions should be pinned to an immutable SHA
(but that Renovate should annotate each SHA with the corresponding
SemVer version).
2025-03-15 17:24:33 +00:00

106 lines
3.6 KiB
Text
Raw Permalink Blame History

{
$schema: "https://docs.renovatebot.com/renovate-schema.json",
dependencyDashboard: true,
suppressNotifications: ["prEditedNotification"],
extends: [
"config:recommended",
// For tool versions defined in GitHub Actions:
"customManagers:githubActionsVersions",
],
labels: ["internal"],
schedule: ["before 4am on Monday"],
semanticCommits: "disabled",
separateMajorMinor: false,
prHourlyLimit: 10,
enabledManagers: ["github-actions", "pre-commit", "cargo", "custom.regex"],
cargo: {
// See https://docs.renovatebot.com/configuration-options/#rangestrategy
rangeStrategy: "update-lockfile",
fileMatch: ["^crates/.*Cargo\\.toml$"],
},
"pre-commit": {
enabled: true,
},
packageRules: [
// Pin GitHub Actions to immutable SHAs.
{
matchDepTypes: ["action"],
pinDigests: true,
},
// Annotate GitHub Actions SHAs with a SemVer version.
{
extends: ["helpers:pinGitHubActionDigests"],
extractVersion: "^(?<version>v?\\d+\\.\\d+\\.\\d+)$",
versioning: "regex:^v?(?<major>\\d+)(\\.(?<minor>\\d+)\\.(?<patch>\\d+))?$",
},
{
// Disable updates of `zip-rs`; intentionally pinned for now due to ownership change
// See: https://github.com/astral-sh/uv/issues/3642
matchPackageNames: ["/zip/"],
matchManagers: ["cargo"],
enabled: false,
},
{
// Create dedicated branches to update references to dependencies in the documentation.
matchFileNames: ["docs/**/*.md"],
commitMessageTopic: "documentation references to {{{depName}}}",
semanticCommitType: "docs",
semanticCommitScope: null,
additionalBranchPrefix: "docs-",
},
{
// Group upload/download artifact updates, the versions are dependent
groupName: "Artifact GitHub Actions dependencies",
matchManagers: ["github-actions"],
matchDatasources: ["gitea-tags", "github-tags"],
matchPackageNames: ["/actions/.*-artifact/"],
description: "Weekly update of artifact-related GitHub Actions dependencies",
},
{
// This package rule disables updates for GitHub runners:
// we'd only pin them to a specific version
// if there was a deliberate reason to do so
groupName: "GitHub runners",
matchManagers: ["github-actions"],
matchDatasources: ["github-runners"],
description: "Disable PRs updating GitHub runners (e.g. 'runs-on: macos-14')",
enabled: false,
},
{
groupName: "pre-commit dependencies",
matchManagers: ["pre-commit"],
description: "Weekly update of pre-commit dependencies",
},
{
groupName: "Rust dev-dependencies",
matchManagers: ["cargo"],
matchDepTypes: ["devDependencies"],
description: "Weekly update of Rust development dependencies",
},
{
// We don't really use PyO3 in this project; it's pulled in as an optional feature
// of the PEP 440 and PEP 508 crates, which we vendored and forked.
groupName: "pyo3",
matchManagers: ["cargo"],
matchPackageNames: ["/pyo3/"],
description: "Weekly update of pyo3 dependencies",
enabled: false,
},
],
customManagers: [
// Update major GitHub actions references in documentation.
{
customType: "regex",
fileMatch: ["^docs/.*\\.md$"],
matchStrings: [
"\\suses: (?<depName>[\\w-]+/[\\w-]+)(?<path>/.*)?@(?<currentValue>.+?)\\s",
],
datasourceTemplate: "github-tags",
versioningTemplate: "regex:^v(?<major>\\d+)$",
},
],
vulnerabilityAlerts: {
commitMessageSuffix: "",
labels: ["internal", "security"],
},
}
Reference in a new issue View git blame Copy permalink