chore: implement automated dependency management with Renovate

- Set up Renovate for automatic dependency updates
- Configure smart grouping of related dependencies
- Add automerge rules for safe updates (minor/patch for dev, patch for prod)
- Create self-hosted Renovate workflow via GitHub Actions
- Schedule updates for off-hours to minimize disruption
- Add comprehensive documentation for dependency management

Author: prosdev

.github/renovate-automerge.json5

@@ -0,0 +1,55 @@
+{
+  // Automerge configuration for Renovate
+  "packageRules": [
+    // Automerge for non-major devDependencies
+    {
+      "description": "Automatically merge minor and patch updates for dev dependencies",
+      "matchDepTypes": ["devDependencies"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "automerge": true,
+      "platformAutomerge": true
+    },
+    
+    // Automerge for patch-only production dependencies
+    {
+      "description": "Automatically merge patch updates for production dependencies",
+      "matchDepTypes": ["dependencies"],
+      "matchUpdateTypes": ["patch"],
+      "automerge": true,
+      "platformAutomerge": true,
+      "prCreation": "immediate"
+    },
+    
+    // Automerge GitHub Action updates
+    {
+      "description": "Automatically merge GitHub Actions",
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "automerge": true,
+      "platformAutomerge": true
+    },
+    
+    // Skip certain dependency types or packages from automerge
+    {
+      "description": "Don't automerge major dependency updates",
+      "matchUpdateTypes": ["major"],
+      "automerge": false
+    },
+    
+    // Handle peer dependencies correctly
+    {
+      "description": "Widen ranges for peer dependencies",
+      "matchDepTypes": ["peerDependencies"],
+      "rangeStrategy": "widen"
+    }
+  ],
+  
+  // Avoid weekend PRs for major changes
+  "major": {
+    "schedule": ["after 10pm and before 5am every weekday"]
+  },
+  
+  // Additional automerge settings
+  "transitiveRemediation": true,
+  "minimumReleaseAge": "3 days"
+}

.github/renovate-groups.json5

@@ -0,0 +1,84 @@
+{
+  // Package grouping configuration for Renovate
+  "packageRules": [
+    // Group all non-major dependencies
+    {
+      "description": "Group all non-major dependencies together",
+      "matchPackagePatterns": ["*"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "all non-major dependencies",
+      "groupSlug": "all-minor-patch"
+    },
+    
+    // Group TypeScript ecosystem
+    {
+      "description": "Group TypeScript and related tooling",
+      "matchPackagePatterns": [
+        "^@tsconfig/",
+        "^typescript",
+        "^ts-",
+        "^@types/"
+      ],
+      "groupName": "typescript ecosystem",
+      "groupSlug": "typescript"
+    },
+    
+    // Group formatting and linting tools
+    {
+      "description": "Group formatting and linting tools",
+      "matchPackagePatterns": [
+        "^@biomejs/",
+        "^eslint",
+        "^@eslint",
+        "^prettier"
+      ],
+      "groupName": "linting and formatting",
+      "groupSlug": "linting-formatting"
+    },
+    
+    // Group testing tools
+    {
+      "description": "Group testing dependencies",
+      "matchPackagePatterns": [
+        "^vitest",
+        "^@vitest/",
+        "^jest",
+        "^@jest/"
+      ],
+      "groupName": "testing dependencies",
+      "groupSlug": "testing"
+    },
+    
+    // Group monorepo tooling
+    {
+      "description": "Group monorepo tooling",
+      "matchPackagePatterns": [
+        "^@changesets/",
+        "^turbo",
+        "^lerna",
+        "^nx"
+      ],
+      "groupName": "monorepo tooling",
+      "groupSlug": "monorepo-tools"
+    },
+    
+    // Group GitHub Actions
+    {
+      "description": "Group GitHub Actions",
+      "matchManagers": ["github-actions"],
+      "groupName": "GitHub Actions",
+      "groupSlug": "github-actions"
+    },
+    
+    // Group internal workspace packages
+    {
+      "description": "Group internal workspace packages",
+      "matchPackagePatterns": [
+        "^@monorepo/"
+      ],
+      "matchUpdateTypes": ["major", "minor", "patch"],
+      "groupName": "internal packages",
+      "groupSlug": "internal-deps"
+    }
+  ]
+}

.github/workflows/renovate.yml

@@ -0,0 +1,61 @@
+name: Renovate
+
+on:
+  # Schedule: run every day at 2am
+  schedule:
+    - cron: '0 2 * * *'
+  
+  # Run on demand via workflow_dispatch
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: 'Renovate log level'
+        required: true
+        default: 'info'
+        type: choice
+        options:
+          - debug
+          - info
+          - warn
+          - error
+      dryRun:
+        description: 'Dry run'
+        type: boolean
+        default: false
+
+# Prevent multiple Renovate runs from happening simultaneously
+concurrency:
+  group: renovate
+  cancel-in-progress: false
+
+jobs:
+  renovate:
+    name: Renovate
+    runs-on: ubuntu-latest
+    
+    # Allow renovate to create PRs
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+    
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      
+      # Use custom docker-based renovate to run self-hosted
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@v40.0.4
+        with:
+          configurationFile: renovate.json5
+          token: ${{ secrets.GITHUB_TOKEN }}
+        env:
+          LOG_LEVEL: ${{ inputs.logLevel || 'info' }}
+          DRY_RUN: ${{ inputs.dryRun == true && 'full' || '' }}
+          RENOVATE_BASE_BRANCHES: 'main'
+          RENOVATE_EXTENDS: 'config:recommended,group:allNonMajor'
+          # Include local configuration files
+          RENOVATE_CONFIG_FILE: 'renovate.json5'
+          RENOVATE_EXTENDS_FROM: |
+            .github/renovate-automerge.json5
+            .github/renovate-groups.json5

docs/DEPENDENCY_MANAGEMENT.md

@@ -0,0 +1,92 @@
+# Dependency Management
+
+This project uses [Renovate](https://docs.renovatebot.com/) to automate dependency updates across the monorepo. This document describes how dependency updates are managed and how to work with the system.
+
+## Overview
+
+Renovate automatically:
+
+1. Monitors all dependencies in the monorepo
+2. Creates pull requests for updates
+3. Groups related updates together to reduce PR noise
+4. Automatically merges safe updates
+5. Maintains a dependency dashboard
+
+## Configuration Files
+
+The Renovate configuration is split across several files:
+
+- `renovate.json5` - Main configuration file
+- `.github/renovate-automerge.json5` - Auto-merge settings
+- `.github/renovate-groups.json5` - Package grouping settings
+- `.github/workflows/renovate.yml` - GitHub workflow for self-hosted Renovate
+
+## Update Schedule
+
+Renovate is configured to run:
+
+- Daily at 2:00 AM UTC via GitHub Actions
+- Only creates PRs during off-hours (after 10pm and before 5am on weekdays, and on weekends)
+- Lock file maintenance on Monday mornings
+- Can be triggered manually via GitHub Actions workflow dispatch
+
+## Update Strategy
+
+The system follows these strategies:
+
+1. **Minor and patch updates** are grouped together and auto-merged if tests pass
+2. **Dev dependencies** are automatically merged for minor and patch versions
+3. **Production dependencies** have stricter rules, with only patch versions auto-merged
+4. **Major updates** require manual review and approval
+5. **GitHub Actions** are automatically updated for minor and patch versions
+
+## Package Grouping
+
+Dependencies are grouped into logical categories:
+
+- TypeScript ecosystem (TypeScript, tsconfig, type definitions)
+- Linting and formatting tools (Biome, ESLint, Prettier)
+- Testing tools (Vitest, Jest)
+- Monorepo tooling (Changesets, Turborepo)
+- Internal workspace packages
+
+## Working with Renovate
+
+### Dependency Dashboard
+
+Renovate maintains a dependency dashboard as a pinned issue in the repository. This provides:
+
+- Overview of all pending updates
+- PRs that need attention
+- Rejected/ignored updates
+- Upcoming major updates
+
+### Manual Control
+
+You can influence Renovate behavior:
+
+- Add `renovate:disable` comment in a PR to prevent Renovate from rebasing it
+- Add specific packages to `ignoreDeps` in configuration to prevent updates
+- Use the dashboard to manually trigger specific updates
+
+### Best Practices
+
+1. **Review major updates carefully** - These can contain breaking changes
+2. **Don't modify package.json versions directly** - Let Renovate manage this
+3. **Use the dashboard** to monitor and manage update flow
+4. **Create changeset entries** for dependency updates that affect consumers
+
+## Troubleshooting
+
+If Renovate isn't working as expected:
+
+1. Check the Renovate logs in GitHub Actions
+2. Verify configuration files are valid JSON5
+3. Look at the dependency dashboard for errors
+4. Run Renovate manually via workflow dispatch with debug logging
+
+## Further Reading
+
+- [Renovate Documentation](https://docs.renovatebot.com/)
+- [Renovate GitHub Action](https://github.com/renovatebot/github-action)
+- [Monorepo Support in Renovate](https://docs.renovatebot.com/getting-started/installing-onboarding/#monorepos)

renovate.json

@@ -0,0 +1,64 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":semanticCommits",
+    "helpers:pinGitHubActionDigests"
+  ],
+  "baseBranches": ["main"],
+  "rangeStrategy": "bump",
+  "dependencyDashboard": true,
+  "schedule": ["after 10pm and before 5am every weekday", "every weekend"],
+  "prConcurrentLimit": 5,
+  "prHourlyLimit": 2,
+  
+  "packageRules": [
+    {
+      "matchDepTypes": ["devDependencies"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "automerge": true
+    },
+    {
+      "matchPackagePatterns": ["*"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "all non-major dependencies",
+      "groupSlug": "all-minor-patch"
+    },
+    {
+      "matchPackagePatterns": ["^@biomejs/", "^typescript"],
+      "groupName": "typescript and formatting dependencies",
+      "groupSlug": "typescript-formatting"
+    },
+    {
+      "matchPackagePatterns": ["^vitest", "^@vitest/"],
+      "groupName": "testing dependencies",
+      "groupSlug": "testing-deps"
+    },
+    {
+      "matchPackagePatterns": ["^@changesets/", "turbo"],
+      "groupName": "monorepo tooling",
+      "groupSlug": "monorepo-tools"
+    },
+    {
+      "matchDepTypes": ["peerDependencies"],
+      "rangeStrategy": "widen"
+    }
+  ],
+  
+  "lockFileMaintenance": {
+    "enabled": true,
+    "schedule": ["before 5am on monday"]
+  },
+  
+  "ignoreDeps": [
+    "pnpm"
+  ],
+  
+  "commitMessagePrefix": "chore(deps):",
+  "commitMessageAction": "update",
+  "commitMessageTopic": "{{depName}}",
+  "commitBodyTable": true,
+  
+  "pnpmShrinkwrap": true,
+  "npmrc": "@monorepo:registry=https://registry.npmjs.org/"
+}