Want a better package management upgrade workflow?

[HonkingGoose]

I see you're using Dependabot, but in a "noisy way". It looks like you're updating the dependencies manually after getting a weekly nudge from Dependabot. This causes quite a bit of noise, as Dependabot opens a lot of PRs, which you then auto-close by updating the dependencies.

Did you ever consider using Renovate? It can help you update your dependencies in a smoother way. For example:

• Get updates only when you request them on the Dependency Dashboard
• Group updates into a single PR (Renovate comes with common groupings already)
• Automerge things like Prettier or ESLint updates that don't affect user-facing behavior
• Reduce noise by setting other smart rules/behavior

I've set up a basic Renovate configuration in a copy of your repository, so you can see what the Dependency Dashboard could look like:

• https://github.com/HonkingGoose/mkdocs-material-renovate-config/issues/2

I'm willing to help you use Renovate, and to help you configure it so it fits your workflow better. If you're happy with your current Dependabot workflow, that's also fine. Let me know what you think!

[squidfunk]

Thanks for offering. I'm not happy with dependabot, and I honestly only treat it as a weekly reminder that I need to upgrade the dependencies. Keeping PRs separate allows to quickly scan what dependency breaks a build, which is essential information, as we needed to pin some dependencies because we currently don't have the time to upgrade to new major versions (only related to build tools). Auto-merging is something I tried but it broke too often, so before we have actual tests, it's nothing we should enable.

We're currently building an examples repository (and further necessary plugins to manage it more efficiently). In the near future, we'll be using those examples as simple regression tests that we can run before a merge, so I might ping you once that's finished 😊

[HonkingGoose]

How about something like this for your main repository?

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended", "schedule:weekly"],
  "packageRules": [
    {
      "description": "Require Dependency Dashboard approval for major updates for npm packages that are user-facing.",
      "matchManagers": ["npm"],
      "matchDepTypes": ["dependencies"],
      "matchUpdateTypes": "major",
      "dependencyDashboardApproval": true
    },
    {
      "description": "Require Dependency Dashboard approval for major updates for Python dependencies.",
      "matchManagers": ["pip_requirements"],
      "matchUpdateTypes": "major",
      "dependencyDashboardApproval": true
    }
  ]
}

Explanation:

• "$schema" makes it so you can get partial auto-fill when you're working on the renovate.json config file in your code editor program.
• I extends from the config:recommended preset, which gives you good default behavior for most things
• Extending from the schedule:weekly preset makes it so Renovate creates updates on mondays, in the morning. Renovate will update currently open PR's all the time though, this setting only affects PR creation times
• The packageRules for the npm manager makes it so you only get major updates for development dependencies automatically. Think things like ESLint, Prettier, so on. For any other major update, request it from the Dependency Dashboard.
• You'll have to request any major update for pip_requirements, I don't think Renovate can know which is developer-only, and which are user-facing.

Optional: only ever get updates with passing checks

Optionally, I can set prCreation to status-success, so you would only ever see a Renovate PR if your tests pass. But this has some drawbacks:

With prCreation set to status-success, Renovate creates the PR only if/ once all tests have passed.

And:

For all cases of non-immediate PR creation, Renovate doesn't run instantly once tests complete. Instead, Renovate can create the PR on its next run after relevant tests have completed, so there will be some delay.

I think you can always force create a PR, by using the Dependency Dashboard on a "pending status checks" PR though.

[squidfunk]

Thanks for the suggestion. I'll come back to this at some point 😊

[HonkingGoose]

Ping me when you're ready for me to help you! 😉