Update renovate config #61

Merged
AlexSkrypnyk merged 1 commit into main from feature/repo-ranger-renovate
Mar 17, 2026

@AlexSkrypnyk AlexSkrypnyk commented Mar 17, 2026

Updated renovate.json with standardised config via repoRanger.

Summary by CodeRabbit

  • Chores
    • Updated dependency management configuration to improve update strategy and organization.
    • Dependency updates are now grouped together in a single pull request.
    • Major updates for composer dependencies are now skipped.
    • Dependency update branches now use a consistent naming format.

coderabbitai bot commented Mar 17, 2026

Walkthrough

The pull request updates the Renovate configuration file, replacing the base configuration with the recommended preset, adding dependency pinning, branch prefixing with "deps/", implementing all-dependency grouping, and disabling major version updates for Composer packages.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Renovate Configuration: renovate.json | Updated dependency management configuration: switched from base to recommended preset, added pinDigests, branchPrefix, and packageRules to control update strategy, disable major Composer updates, and group all dependencies. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ❓ Inconclusive | The title 'Update renovate config' is vague and generic, using non-descriptive terms that don't convey specific information about what changes were made to the configuration. | Consider a more specific title that describes the key changes, such as 'Configure renovate for dependency pinning and grouping' or 'Add dependency pinning and grouping strategy to renovate config'. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@renovate.json`:
- Around line 15-17: The catch-all group ("groupName": "all", "groupSlug":
"all", "matchPackageNames": ["*"]) must be limited to non-major updates: update
the rule to include a "matchUpdateTypes" filter (e.g.,
["minor","patch","pin","digest"]) so only non-major changes are grouped and can
inherit the top-level "automerge": true, and add a separate rule that matches
major updates (matchUpdateTypes: ["major"]) that explicitly sets "automerge":
false to prevent auto-merging major bumps.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a79cc06d-8781-44ef-a57f-8e0bf8577283

📥 Commits

Reviewing files that changed from the base of the PR and between ba1f837 and d584269.

📒 Files selected for processing (1)
  • renovate.json

Comment on lines +15 to +17
"matchPackageNames": ["*"],
"groupName": "all dependencies",
"groupSlug": "all"

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

In Renovate, if top-level "automerge": true and a packageRule groups all dependencies (matchPackageNames ["*"]), does Renovate automerge the grouped PR as one bundle, and what is the recommended way to avoid grouping major updates into that automerge path?

💡 Result:

Yes—if a grouped PR is created and automerge: true applies to that PR, Renovate will automerge the whole grouped PR as a single bundle once its required checks pass. (docs.renovatebot.com)

However, by default Renovate will not put major updates into the same group PR as minor/patch updates: its default behavior is to create separate PRs when both major and minor updates exist, and this “separate major/minor” behavior takes priority over package grouping (unless you explicitly override it in a packageRule). (docs.renovatebot.com)

Recommended way to avoid major updates entering the automerge path: scope your “group + automerge” rule to non-major updates only, and add an explicit “no automerge” rule for majors, e.g.:

{
  "automerge": true,
  "packageRules": [
    {
      "matchPackageNames": ["*"],
      "matchUpdateTypes": ["patch", "minor"],
      "groupName": "all non-major",
      "automerge": true
    },
    {
      "matchPackageNames": ["*"],
      "matchUpdateTypes": ["major"],
      "automerge": false
    }
  ]
}

This keeps the big grouped PR on a safer “patch/minor automerge” track while forcing major upgrades to stay manual. (docs.renovatebot.com)


🏁 Script executed:

cat renovate.json

Repository: drevops/behat-format-progress-fail

Length of output: 558


Limit catch-all grouping to prevent auto-merging major updates alongside minor/patch changes.

At Lines 15–17, grouping all packages without filtering by update type while top-level automerge: true (Line 3) can bundle major updates with minor/patch changes into a single PR and auto-merge them together, increasing the risk of cascading failures and limiting rollback granularity.

🔧 Suggested adjustment
         {
             "matchPackageNames": ["*"],
+            "matchUpdateTypes": ["minor", "patch", "digest", "pin"],
             "groupName": "all dependencies",
             "groupSlug": "all"
-        }
+        },
+        {
+            "matchPackageNames": ["*"],
+            "matchUpdateTypes": ["major"],
+            "automerge": false
+        }
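Review bot: The "matchUpdateTypes" list added to the grouped rule names "digest" and "pin" but not "pinDigest", which Renovate treats as its own update type, and the walkthrough says this PR also adds pinDigests. An update whose type appears in neither rule's list matches neither rule, so it drops out of the "all dependencies" group while still inheriting the top-level "automerge": true. Add "pinDigest" (and any other non-major type the config can produce) to the first list, so that the only updates left outside the group are the majors that the second rule sets to "automerge": false.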

This filters the grouped rule to non-major updates (while inheriting automerge: true) and explicitly prevents major updates from being auto-merged, protecting against large blast radius incidents.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@renovate.json` around lines 15 - 17, The catch-all group ("groupName": "all",
"groupSlug": "all", "matchPackageNames": ["*"]) must be limited to non-major
updates: update the rule to include a "matchUpdateTypes" filter (e.g.,
["minor","patch","pin","digest"]) so only non-major changes are grouped and can
inherit the top-level "automerge": true, and add a separate rule that matches
major updates (matchUpdateTypes: ["major"]) that explicitly sets "automerge":
false to prevent auto-merging major bumps.
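An added example, not part of the PR or of Renovate's own code: a simplified Python model of how top-level settings and ordered packageRules combine, run over a constructed config modelled on the PR summary, to show which major updates stay on the automerge path before and after the suggested adjustment. The Composer rule's exact shape and the manager names are assumptions, and the model covers only setting inheritance, not Renovate's separate major/minor PR behaviour.

```python
import copy

# Constructed sample modelled on the PR summary; NOT the repository's actual renovate.json.
ORIGINAL = {
    "extends": ["config:recommended"],
    "automerge": True,
    "packageRules": [
        {"matchManagers": ["composer"], "matchUpdateTypes": ["major"], "enabled": False},
        {"matchPackageNames": ["*"], "groupName": "all dependencies", "groupSlug": "all"},
    ],
}

# The same sample with the review's suggested adjustment applied.
SUGGESTED = copy.deepcopy(ORIGINAL)
SUGGESTED["packageRules"][1]["matchUpdateTypes"] = ["minor", "patch", "digest", "pin"]
SUGGESTED["packageRules"].append(
    {"matchPackageNames": ["*"], "matchUpdateTypes": ["major"], "automerge": False}
)

def rule_matches(rule, manager, update_type):
    """Simplified matcher: matchManagers, matchUpdateTypes and a "*" name pattern only."""
    if "matchManagers" in rule and manager not in rule["matchManagers"]:
        return False
    if "matchUpdateTypes" in rule and update_type not in rule["matchUpdateTypes"]:
        return False
    return "*" in rule.get("matchPackageNames", ["*"])

def effective(config, manager, update_type):
    """Start from top-level settings, then apply matching packageRules in order."""
    out = {"enabled": True, "automerge": config.get("automerge", False), "groupName": None}
    for rule in config.get("packageRules", []):
        if rule_matches(rule, manager, update_type):
            out.update({k: rule[k] for k in out if k in rule})
    return out

def automerged_majors(config, managers):
    """Managers whose major updates stay enabled and on the automerge path."""
    hits = []
    for manager in managers:
        e = effective(config, manager, "major")
        if e["enabled"] and e["automerge"]:
            hits.append(manager)
    return hits

if __name__ == "__main__":
    managers = ["composer", "github-actions"]  # assumed manager names for the sample
    for name, cfg in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, "automerged majors:", automerged_majors(cfg, managers))
```

In this sample the Composer rule only takes Composer majors off the automerge path; majors from any other manager still inherit the top-level setting until the major-specific rule is added.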

@AlexSkrypnyk AlexSkrypnyk merged commit 717c4a2 into main Mar 17, 2026
6 checks passed
@AlexSkrypnyk AlexSkrypnyk deleted the feature/repo-ranger-renovate branch March 17, 2026 08:22