🤖 Integrate Renovatebot for Automated Dependency Updates

[matrixise]

Overview

Explore integrating Renovatebot as our automated dependency management solution. This complements our recent migration to uv while providing automated dependency updates without requiring migration to pyproject.toml immediately.

Why Renovatebot?

Following discussion in #184, Renovatebot emerged as a superior alternative to Dependabot for our workflow:

✅ Advantages over Manual Workflow

1. Automated security updates: Get notified of vulnerabilities with automated fix PRs
2. Time savings: No more manual task dependencies:upgrade runs
3. Granular control: Group related updates (e.g., Django ecosystem), schedule updates (e.g., Mondays only)
4. Better visibility: Track all dependency updates in one place with proper PR descriptions

✅ Advantages over Dependabot

Based on research and community feedback (see #184):

• ✅ Native uv support: Handles both uv.lock and pip-compile workflows
• ✅ Better lock file handling: No issues with marking security fixes as resolved without updating locks
• ✅ More mature: ~10 years old, actively maintained
• ✅ Better configuration: Advanced grouping, scheduling, automerge options
• ✅ Higher API limits: 15,000 requests/hour vs 5,000/hour

✅ Works with Our Current Workflow

Renovatebot supports our current requirements/*.in → requirements/*.txt (pip-compile) workflow:

• Updates source files (.in)
• Automatically regenerates compiled files (.txt)
• Creates PRs with both changes included

Heroku Native uv Support

Heroku now supports uv natively (announcement, docs) as of May 2025.

Requirements for Heroku uv support:

• pyproject.toml + uv.lock + .python-version
• Must remove requirements.txt files (other package managers take precedence)

Implication: To use Heroku's native uv support, we'd need to migrate from our current .in/.txt workflow to pyproject.toml + uv.lock.

Renovatebot advantage: Supports BOTH workflows, so we can:

1. Enable Renovatebot now with our current pip-compile setup
2. Migrate to pyproject.toml + uv.lock when ready for Heroku's native uv support
3. Renovatebot will continue working seamlessly after migration

Implementation Cost

Zero cost, minimal setup:

• ✅ Free: Mend Renovate GitHub App is free for open source projects
• ✅ No infrastructure: Cloud-hosted, no self-hosting required
• ✅ 5-minute setup: Install GitHub App + merge onboarding PR
• ✅ No scripts: Just a renovate.json config file

Proposed Configuration

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "pip-compile": {
    "managerFilePatterns": ["requirements/.*\\.txt$"]
  },
  "pip_requirements": { "enabled": false },
  "packageRules": [
    {
      "groupName": "Django ecosystem",
      "matchPackagePatterns": ["^[Dd]jango", "^[Ww]agtail"],
      "schedule": ["before 9am on monday"]
    },
    {
      "matchUpdateTypes": ["patch"],
      "automerge": true,
      "automergeType": "pr"
    }
  ],
  "lockFileMaintenance": {
    "enabled": true,
    "schedule": ["before 9am on the first day of the month"]
  }
}

Key features:

• Groups Django/Wagtail updates together
• Schedules updates for Monday mornings
• Auto-merges patch updates (e.g., 6.0.1 → 6.0.2)
• Monthly lock file refresh for transitive dependencies

Migration Path

Phase 1: Enable Renovatebot (current workflow)

1. Install Mend Renovate GitHub App
2. Configure for pip-compile workflow
3. Merge onboarding PR
4. Monitor and tune configuration

Phase 2 (Future): Migrate to pyproject.toml + uv.lock

When ready to use Heroku's native uv support:

1. Migrate to pyproject.toml + uv.lock
2. Update Renovatebot config to use PEP 621 manager
3. Remove pip-compile configuration
4. Benefit from Heroku's faster uv deployments

Comparison with Manual Workflow

Aspect	Manual (task dependencies:upgrade)	Renovatebot
Frequency	When we remember	Automated schedule
Security alerts	Manual monitoring	Automated PRs
Granularity	All-or-nothing	Per-package or grouped
Test before merge	Manual	CI runs automatically
Time investment	~30min monthly	~5min to review PRs

Next Steps

• Community feedback on this proposal
• Install Mend Renovate GitHub App: https://github.com/apps/renovate
• Create renovate.json with proposed configuration
• Merge onboarding PR
• Monitor first round of dependency update PRs
• Fine-tune configuration based on experience

References

• Issue 📋 Dependabot research: Continue manual dependency management until uv support #184: Dependabot research discussion
• Renovatebot pip-compile docs
• Renovatebot PEP 621/uv docs
• Using uv with dependency bots
• Heroku uv support announcement
• Heroku uv buildpack changelog