
⚙️ [meta] renovate treats all gha updates as first-class updates #158

Merged
chicks-net merged 1 commit into main from chicks/2026-06-05-renovate-simplify
Jun 5, 2026

Conversation

@chicks-net (Member)

Done

  • ⚙️ [meta] renovate treats all gha updates as first-class updates

Meta

(Automated in .just/gh-process.just.)

Signed-off-by: Christopher Hicks <chicks.net@gmail.com>
Copilot AI review requested due to automatic review settings June 5, 2026 17:03

Copilot AI (Contributor) left a comment

Pull request overview

Updates Renovate configuration so GitHub Actions dependency updates are no longer auto-merged and instead require the normal PR review/merge flow, aligning them with “first-class” dependency updates.

Changes:

  • Consolidates GitHub Actions package rules into a single rule covering major/minor/patch updates.
  • Disables automerge for all GitHub Actions updates while keeping a 3-day minimum release age.


@claude Bot commented Jun 5, 2026

Code Review

This is a small but meaningful change to the Renovate configuration. Here's my analysis:

What the change does

Consolidates two separate packageRules for GitHub Actions updates into one:

  • Before: minor/patch updates were automerged and grouped (groupName: "GitHub Actions (minor/patch)"); major updates required manual merge
  • After: all update types (major, minor, patch) require manual merge, no grouping

Strengths

  • Security posture improvement: GitHub Actions run with potentially broad repository permissions. Requiring human review on all GHA updates (including minor/patch) is a sound supply-chain security practice — a malicious or broken minor update could cause real harm.
  • Simplification: One rule instead of two is easier to reason about and maintain.
  • Parity: All GHA updates now follow the same lifecycle, which is less surprising.

Considerations / Potential Issues

  1. Increased PR volume without grouping: Removing groupName means Renovate will no longer batch minor/patch updates into a single PR. Combined with prConcurrentLimit: 3, several individual action-update PRs could queue up and slow down other dependency updates from reaching the limit. Consider whether adding a groupName to the merged rule (e.g. "GitHub Actions") would reduce noise while still requiring manual merge.

  2. Maintenance burden: Disabling automerge for minor/patch updates shifts more merge work to a human. If there are many GHA dependencies, this could get noisy over time. This is a deliberate tradeoff — just worth being conscious of.

  3. automerge: false is the default: In Renovate, automerge defaults to false, so the explicit field is not strictly required but doesn't hurt — it makes intent clear.

Suggestion (optional)

If the goal is manual review for all updates while still reducing PR noise, consider:

{
  "matchManagers": ["github-actions"],
  "matchUpdateTypes": ["major", "minor", "patch"],
  "automerge": false,
  "minimumReleaseAge": "3 days",
  "groupName": "GitHub Actions"
}

This groups all GHA updates into one PR per cycle rather than one PR per action — less noise, same review requirement.

Summary

The change is correct and the security reasoning is solid. The only real question is whether losing the grouping is intentional — if you're comfortable reviewing individual action PRs, this works fine as-is. If grouping is preferred, adding a groupName back would be a small improvement.
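The two reviews above describe the same configuration move in prose: two GitHub Actions packageRules (minor/patch automerged and grouped, major manual) collapsed into one rule with no automerge and a 3-day minimum release age. The checker below is an added example for this thread, not code from the PR or from the project: it embeds constructed renovate.json fragments shaped like the before and after states described by the reviewers, plus one edge case the reviews do not show (a repo-wide "automerge": true that a GHA rule silently inherits), and flags any rule under which github-actions updates would automerge. The function names and the "N days" parser are assumptions written for this example.

```python
"""Lint a Renovate config for GitHub Actions rules that would automerge.

Added example for this PR thread; it is not code from the PR or from the
project. The renovate.json fragments below are constructed from the
reviewers' description of the change. find_automerged_gha_rules() and
_at_least_days() are assumed names written for this example.
"""
import json

# Constructed approximation of the pre-PR rules described in the reviews.
BEFORE = json.dumps({
    "packageRules": [
        {
            "matchManagers": ["github-actions"],
            "matchUpdateTypes": ["minor", "patch"],
            "groupName": "GitHub Actions (minor/patch)",
            "automerge": True,
            "minimumReleaseAge": "3 days",
        },
        {
            "matchManagers": ["github-actions"],
            "matchUpdateTypes": ["major"],
            "automerge": False,
            "minimumReleaseAge": "3 days",
        },
    ]
})

# Constructed: the consolidated rule the PR lands on.
AFTER = json.dumps({
    "packageRules": [
        {
            "matchManagers": ["github-actions"],
            "matchUpdateTypes": ["major", "minor", "patch"],
            "automerge": False,
            "minimumReleaseAge": "3 days",
        }
    ]
})

# Constructed edge case: a repo-wide "automerge": true that the GHA rule never
# overrides, so action updates automerge even though the rule itself is silent.
INHERITED = json.dumps({
    "automerge": True,
    "packageRules": [
        {"matchManagers": ["github-actions"]}
    ]
})


def _at_least_days(age, days):
    """Parse the '<N> day(s)' form of minimumReleaseAge used on this page.
    Any other spelling is treated as unknown and therefore not sufficient."""
    parts = age.split()
    if len(parts) == 2 and parts[1] in ("day", "days") and parts[0].isdigit():
        return int(parts[0]) >= days
    return False


def find_automerged_gha_rules(config_text, min_release_days=3):
    """Return (rule_index, reason) findings for packageRules under which
    github-actions updates automerge.

    Renovate's automerge defaults to false, so a rule is flagged only when it
    sets automerge true itself or inherits a top-level automerge true without
    overriding it. An automerging rule is additionally flagged when it has no
    minimumReleaseAge of at least min_release_days, since waiting out a
    release is the usual hedge against a freshly compromised tag.
    """
    config = json.loads(config_text)
    top_level_automerge = bool(config.get("automerge", False))
    findings = []
    for i, rule in enumerate(config.get("packageRules", [])):
        if "github-actions" not in rule.get("matchManagers", []):
            continue
        if not rule.get("automerge", top_level_automerge):
            continue
        # No matchUpdateTypes means the rule applies to every update type.
        types = rule.get("matchUpdateTypes") or ["all update types"]
        findings.append((i, "automerges github-actions updates: " + ", ".join(types)))
        age = rule.get("minimumReleaseAge")
        if age is None or not _at_least_days(age, min_release_days):
            findings.append((i, f"automerge without a minimumReleaseAge of >= {min_release_days} days"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER), ("INHERITED", INHERITED)):
        print(name, find_automerged_gha_rules(cfg) or "clean")
```

Run against the repository's real renovate.json in CI and fail the job on any finding; the inherited case is the one worth keeping in mind, because a rule that merely omits "automerge" does not guarantee manual review when a top-level setting says otherwise.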

@chicks-net chicks-net merged commit e1ae8e4 into main Jun 5, 2026
13 checks passed
@chicks-net chicks-net deleted the chicks/2026-06-05-renovate-simplify branch June 5, 2026 17:08
2 participants