changes to renovate workflow

Author: dschwartz-ftadvisory

.github/renovate.json

@@ -53,13 +53,26 @@
       ]
     },
     {
-      "description": "Always open PRs immediately for Renovate GitHub Action updates",
+      "description": "Always open PRs immediately and prioritize Renovate GitHub Action updates",
       "matchManagers": ["github-actions"],
-        "matchPackageNames": ["renovatebot/github-action"],
-        "prCreation": "immediate",
-        "stabilityDays": 0,
-        "minimumReleaseAge": "0 days",
-        "schedule": ["at any time"]
-    }    
+      "matchPackageNames": ["renovatebot/github-action"],
+      "prCreation": "immediate",
+      "prPriority": 100,
+      "stabilityDays": 0,
+      "minimumReleaseAge": "0 days",
+      "schedule": ["at any time"]
+    },
+    {
+      "description": "Automerge safe GitHub Actions patch updates",
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["patch"],
+      "automerge": true,
+      "automergeType": "pr"
+    },
+    {
+      "description": "Require dashboard approval for major updates",
+      "matchUpdateTypes": ["major"],
+      "dependencyDashboardApproval": true
+    }
   ]
 }

.github/workflows/ci-renovate.yml

@@ -0,0 +1,20 @@
+# .github/workflows/ci-main.yml
+
+name: CI - Main
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+concurrency:
+  group: ci-main-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-and-test:
+    uses: ./.github/workflows/build-and-test.yml
+    with:
+      java-version: '21'
+      python-version: '3.11'

.github/workflows/renovate.yml

@@ -4,36 +4,35 @@
 
 name: Renovate
 
-on:
+on: 
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
   # Runs the workflow on a schedule (e.g., every day at 2 AM)
   schedule:
     - cron: '0 2 * * *'
+  push:
+    paths:
+      - .github/renovate.json
+      - .github/workflows/renovate.yml
 
 jobs:
   renovate:
     runs-on: ubuntu-latest
+    timeout-minutes: 30
+    concurrency:
+      group: renovate-${{ github.repository }}
+      cancel-in-progress: true
     # 👇 Expanded permissions so Renovate can do everything it needs
     permissions:
-      contents: write          # push branches, update files
-      pull-requests: write     # open/update PRs
-      issues: write            # create/update Dependency Dashboard issue
-      security-events: read    # read Dependabot vulnerability alerts
+      contents: write
+      pull-requests: write
+      issues: write
+      security-events: read
     steps:
-      # Checks out the repository under $GITHUB_WORKSPACE
-      - uses: actions/checkout@v5
-
       # Runs the Renovate GitHub Action
       - name: Renovate
         uses: renovatebot/[email protected]
         with:
-          token: ${{ secrets.GITHUB_TOKEN }} # required to create PRs/issues
+          token: ${{ secrets.GITHUB_TOKEN }}
           configurationFile: .github/renovate.json
-        env:
-          RENOVATE_REPOSITORIES: ${{ github.repository }} # scan current repo
-
-  # Optional: run your build/test workflow after Renovate finishes
-  build_and_test:
-    needs: renovate
-    uses: ./.github/workflows/build-and-test.yml
+          renovate-version: 43   # pin to a major; bump intentionally when ready