From 89fc216dfbab4655777aaedbd756ae8133d7b17a Mon Sep 17 00:00:00 2001 From: Jesse Attas Date: Mon, 20 Nov 2023 08:51:19 -0600 Subject: [PATCH] Enable Renovate for nuget dependencies (#1673) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit # Pull Request ## ๐Ÿคจ Rationale We have a few Nuget dependencies that would be good to keep up to date. Some of them have security vulnerabilities as revealed by Snyk PRs like #1670 but we didn't like the way those PRs looked as we'd prefer they be updated in a group. ## ๐Ÿ‘ฉโ€๐Ÿ’ป Implementation 1. Configure Renovate to update Nuget dependencies in addition to npm ones. It [doesn't look like](https://docs.renovatebot.com/configuration-options/#rangestrategy) Renovate supports [lockfile only updates for Nuget](https://devblogs.microsoft.com/nuget/enable-repeatable-package-restores-using-a-lock-file/#:~:text=To%20enable%20the%20use%20of%20lock%20file%20with,%E2%80%93%20packages.lock.json%20file%20at%20the%20project%20root%20directory.) so I think owners will have to push beachball change files to these PRs. 2. Update CONTRIBUTING docs to mention that Renovate might modify `.csproj` files and thus might need beachball change files. ## ๐Ÿงช Testing When this PR completes I'll poke Renovate and see what PRs it creates. ## โœ… Checklist - [x] I have updated the project documentation to reflect my changes or determined no changes are needed.
---
 .github/renovate.json | 11 ++++++++---
 CONTRIBUTING.md | 2 +-
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/.github/renovate.json b/.github/renovate.json
index 414daf8a85..3b30eb7ce0 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -3,7 +3,7 @@
 "extends": [
 "config:base"
 ],
- "enabledManagers": ["npm"],
+ "enabledManagers": ["npm", "nuget"],
 "rangeStrategy": "update-lockfile",
 "rebaseWhen": "conflicted",
 "schedule": [
@@ -15,7 +15,7 @@
 "enabled": false
 },
 {
- "groupName": "Dependencies",
+ "groupName": "npm dependencies",
 "matchDepTypes": ["dependencies"],
 "matchPackagePatterns":[
 "^@microsoft/fast",
@@ -28,7 +28,7 @@
 "enabled": true
 },
 {
- "groupName": "Dev Dependencies",
+ "groupName": "npm dev dependencies",
 "matchDepTypes": ["devDependencies"],
 "matchPackagePatterns":[
 "^@ni/eslint-config",
@@ -36,6 +36,11 @@
 "storybook"
 ],
 "enabled": true
+ },
+ {
+ "groupName": "Nuget dependencies",
+ "rangeStrategy": "auto",
+ "enabled": true
 }
 ]
 }
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 263fe16ae7..4f8aed53ac 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
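Review bot: The rule appended to `packageRules` in `.github/renovate.json` (hunk `@@ -36,6 +36,11 @@`) has no `match*` selector, so nothing in it limits `"groupName": "Nuget dependencies"`, `"rangeStrategy": "auto"` and `"enabled": true` to NuGet packages. Later package rules override earlier ones, so if Renovate accepts an unscoped final rule it would apply to every dependency: it would presumably re-enable whatever the `"enabled": false` rule ahead of the npm groups turns off and pull the npm packages into this group. Depending on the Renovate version, a selector-less rule may instead be reported as a configuration error. Adding `"matchManagers": ["nuget"],` as the first key of the new object keeps automated updates limited to the allow-listed npm packages plus NuGet. The start of the `packageRules` array is outside the hunks, so the selector on that first rule should be confirmed.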
@@ -181,7 +181,7 @@ npm install @ni/nimble-tokens --workspace=@ni/nimble-components This repository uses [Renovate](https://docs.renovatebot.com/) to automatically create pull requests that bump the version of dependencies on a schedule. Renovate is configured via [`renovate.json`](./.github/renovate.json). -Code owners are responsible for completing or rejecting Renovate PRs. Completing a PR may require manually adding a beachball change file to the branch. The change `type` will typically be `patch` if any `package.json` is changing. The `comment` should summarize which set of dependencies are being updated. To complete a PR you may need to manually trigger a rebase by clicking the checkbox in the PR description. **Note:** prefer the checkbox over GitHub's "Update branch" button so that Renovate can remain in control of all commits to its branch. +Code owners are responsible for completing or rejecting Renovate PRs. Completing a PR may require manually adding a beachball change file to the branch. The change `type` will typically be `patch` if any `package.json` or `.csproj` is changing. The `comment` should summarize which set of dependencies are being updated. To complete a PR you may need to manually trigger a rebase by clicking the checkbox in the PR description. **Note:** prefer the checkbox over GitHub's "Update branch" button so that Renovate can remain in control of all commits to its branch. ## Handling intermittent test failures