ci: update renovate process [skip chromatic] (#1051)

## Description: - removes all automatic updates from renovate config unless its a security update and add custom PR title prefix - adds branch exception to chromatic workflow to ignore security updates from renovate - adds a new chapter to the developer guide to explain the new procedure closes #914 Co-authored-by: Baumhauer <xz4af76@union-investment.de@l94tm2cp2r.fritz.box> Co-authored-by: Vahid Nesro <63849626+Vahid1919@users.noreply.github.com>
solid-design-system · May 10, 2024 · 1cd2665 · 1cd2665
1 parent d864b58
commit 1cd2665
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 34 deletions.
diff --git a/.github/workflows/check-pr.yml b/.github/workflows/check-pr.yml
@@ -4,7 +4,7 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, ready_for_review]
 
-jobs: 
+jobs:
     quality-gate:
         name: Install, verify and build
         runs-on: ubuntu-latest
@@ -37,7 +37,7 @@ jobs:
     chromatic-deployment-pr:
         name: Verify Chromatic
         needs: [quality-gate]
-        if: ${{!contains(github.event.pull_request.title, '[skip chromatic]')}}
+        if: ${{!contains(github.event.pull_request.title, '[skip chromatic]' && !startsWith(github.event.pull_request.title, 'chore(security deps): ')}}
         runs-on: ubuntu-latest
         steps:
             # 👇 Version 2 of the action

diff --git a/DEVELOPER_STARTING_GUIDE.md b/DEVELOPER_STARTING_GUIDE.md
@@ -16,6 +16,7 @@
   - [Work Process](#work-process)
     - [Components](#components)
     - [Styles](#styles)
+    - [Security Updates](#security-updates)
   - [Repository Overview](#repository-overview)
   - [Technologies](#technologies)
   - [Figma Library](#figma-library)
@@ -132,6 +133,11 @@ If you are working on a style, follow the steps below:
 
 _ You can always refer to the existing components and styles to familiarize yourself with the workflow!_
 
+### Security Updates
+
+In our security workflow, Renovate (GitHub App) automatically identifies and updates security issues in our project dependencies.
+Renovate also creates a “Dependency Dashboard” ticket to track all found updates. During each iteration, we plan and assign the dashboard ticket to a specific team member. The assigned team member has to update the described packages by runing `pnpm update all`, creating a corresponding PR, and finally closing the ticket. This process ensures efficient handling of security updates while maintaining clear accountability within the team.
+
 ## Repository Overview
 
 - `packages`

diff --git a/renovate.json b/renovate.json
@@ -1,37 +1,20 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["config:base", "schedule:daily", ":disableRateLimiting"],
+  "extends": [
+    "config:base",
+    "schedule:daily",
+    ":disableRateLimiting"
+  ],
   "schedule": "before 5am every weekday",
   "timezone": "Europe/Berlin",
-  "packageRules": [
-    {
-      "matchUpdateTypes": ["minor", "patch"],
-      "matchCurrentVersion": ">= 1.0.0",
-      "automerge": true
-    },
-    {
-      "matchDepNames": ["node", "pnpm"],
-      "enabled": false
-    },
-    {
-      "matchPackagePrefixes": ["@types/"],
-      "automerge": true,
-      "major": {
-        "automerge": false
-      }
-    }
-  ],
-  "lockFileMaintenance": {
-    "enabled": true,
-    "automerge": false
-  },
-  "major": {
-    "automerge": false
+  "rebaseWhen": "never",
+  "vulnerabilityAlerts": {
+  "enabled": true,
+    "labels": [
+      "npm dependencies, renovate, security"
+    ],
+    "automerge": true
   },
-  "prConcurrentLimit": 10,
-  "automergeType": "pr",
-  "automergeStrategy": "squash",
-  "automergeSchedule": ["after 10pm every weekday", "before 5am every weekday"],
-  "autoApprove": true,
-  "rebaseWhen": "never"
-}
+  "osvVulnerabilityAlerts": true,
+  "commitMessagePrefix": "chore(security deps): "
+}