Skip to content

Replace pre-commit.ci auto-updates with Renovate for release age gating #3878

Open
Open
Replace pre-commit.ci auto-updates with Renovate for release age gating#3878
Labels
chore
@maxrjones

Description

@maxrjones
maxrjones
opened on Apr 6, 2026

Summary

Replace pre-commit.ci's autoupdate functionality with Renovate to gain minimumReleaseAge support. This prevents bumping hook versions within the first week of release, given that new releases are more likely to have un-noticed vulnerabilities. We could also consider using Renovate instead of dependabot.

Proposal

  1. Add Renovate with minimumReleaseAge: "7 days" for pre-commit hook updates
  2. Remove the ci: autoupdate config from .pre-commit-config.yaml (keep pre-commit.ci for PR status checks if desired, just disable autoupdates)
  3. Optionally consolidate Dependabot's GitHub Actions updates into Renovate as well, since Renovate supports both and Dependabot already uses a 7-day cooldown

Renovate config sketch

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "pre-commit": {
    "enabled": true
  },
  "packageRules": [
    {
      "matchManagers": ["pre-commit"],
      "minimumReleaseAge": "7 days",
      "automerge": true,
      "schedule": ["before 9am on monday"],
      "groupName": "pre-commit hooks"
    }
  ]
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    chore

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions