{
// Validate against Renovate's published schema so editor tooling can catch
// typos early and Renovate-specific fields stay discoverable in autocomplete.
$schema: 'https://docs.renovatebot.com/renovate-schema.json',
// Start from Renovate's baseline best-practice preset and then layer in only
// the extra grouping/workaround presets that are specifically useful for the
// ecosystems in use across these repos.
//
// Notes:
// - `workarounds:typesNodeVersioning` handles `@types/node` correctly without
// the more fragile datasource/package-name overrides used previously.
// - `config:best-practices` already pulls in Renovate's cross-language
// baseline, including:
// - `config:recommended`
// - digest pinning for Docker and GitHub Actions
// - lock file maintenance (the schedule for it is adjusted in the package
// rules below)
// - abandonment detection
// - the Go x/* helper presets
// - the Java LTS runtime workaround that comes through `workarounds:all`
// - The explicit group presets here are only the extra ecosystem groupings
// that were called out or that are especially useful for reducing PR noise.
// - The old `:automergeMinor` preset is intentionally removed. The fast-path
// policy now lives in one explicit rule below instead of being spread across
// presets plus global settings plus package rules.
extends: [
'config:best-practices',
'mergeConfidence:all-badges',
':timezone(America/Indiana/Indianapolis)',
':enableVulnerabilityAlerts',
'workarounds:typesNodeVersioning',
'group:allDigest',
'group:dropwizardMonorepo',
'group:react',
'group:reactMonorepo',
'group:eslintMonorepo',
'group:linters',
'group:jestMonorepo',
'group:jestPlusTypes',
'group:jestPlusTSJest',
'group:springBoot',
'group:terraformMonorepo',
'group:allNonMajor',
],
// Keep declared ranges moving forward when Renovate edits package files
// instead of only refreshing the lockfile.
rangeStrategy: 'bump',
// Version bumping is intentionally enabled. This means Renovate may also
// increment the repo's own package version field when it edits package files,
// including on every automerged fast-path update below.
//
// Important: this is not npm-only. Renovate documents `bumpVersion` support
// for managers including npm, maven, helmv3, nuget, sbt, cargo, poetry, and
// several others. In other words, this choice is intentionally broad.
bumpVersion: 'patch',
// Commit titles stay plain instead of being forced into semantic-commit form.
semanticCommits: 'disabled',
// The dependency dashboard is still useful for items waiting on human review.
dependencyDashboard: true,
// Keep the number of simultaneous review PRs reasonable, but do not throttle
// them hour-by-hour inside the allowed review window (`prHourlyLimit: 0`
// means no hourly cap).
//
// Why no hourly cap:
// - the annoying part is staggered PR creation over multiple hours
// - if review PRs need to exist, it is better for them to appear together
// during the scheduled review window than to dribble out across the day
//
// Noise control therefore comes from:
// - grouping related updates into shared PRs where reasonable
// - restricting review PR creation to the Tuesday/Friday/Saturday review
// windows in `schedule` below
//
// The fast path is not affected:
// - successful branch automerges do not need PRs
// - per Renovate's docs, vulnerability PRs are exempt from these PR limits
prConcurrentLimit: 10,
prHourlyLimit: 0,
// Let Renovate rebase when it determines a rebase is actually necessary.
rebaseWhen: 'auto',
// Default schedule for "review-required" work:
// - normal PR-creating updates are only allowed in three short weekly windows
// - Tuesday during the 5 PM hour
// - Friday during the 5 PM hour
// - Saturday during the 8 AM hour
// - this keeps Renovate from opening review PRs overnight or randomly
// throughout the week
//
// The fast-path minor/patch rule below intentionally overrides this with a
// broader weekday schedule so low-risk updates can still land promptly after
// the soak period.
//
// Cron format here is:
// - minute hour day-of-month month day-of-week
// - Renovate requires `*` for the minute field
// - `2` means Tuesday
// - `5` means Friday
// - `6` means Saturday
schedule: [
'* 17 * * 2',
'* 17 * * 5',
'* 8 * * 6',
],
// Enforce the schedule strictly so Renovate does not keep pushing branch
// updates (rebases, newer versions) outside the allowed windows. This applies
// to the fast-path branches too, which therefore only move inside their own
// weekday window.
updateNotScheduled: false,
// Review-required updates get a week-long soak period so extremely fresh
// releases do not show up immediately. Several rules below narrow this where
// they opt into automerge: the fast-path minor/patch rule and the GitHub
// Actions rule use 1 day, and lock file maintenance and vulnerability fixes
// use none. The 7 days therefore only governs what is left: pre-1.0 updates,
// majors (7 months for Node.js majors), pins and replacements.
minimumReleaseAge: '7 days',
// Default posture:
// - open a PR
// - do not automerge
//
// Specific rules below opt back into fast-path behavior where appropriate.
automerge: false,
automergeType: 'pr',
// Use Renovate's own automerge flow instead of GitHub's platform-native
// automerge so the behavior follows the package rules in this file directly.
platformAutomerge: false,
// Security fixes should still appear immediately.
//
// NOTE(review): as configured this block does NOT keep vulnerability fixes
// review-only. `automerge: true` with `automergeType: 'pr'` opens a PR and
// merges it as soon as the required checks pass, with no minimum release age,
// for whatever update type the fix turns out to be. If the intent is "only
// normal minor/patch updates fast-path into `main`" (see the package rules
// below), set `automerge: false` here. If the intent is "patch vulnerabilities
// without waiting for a human", leave it, but be aware that a freshly
// published "fix" release then gets no soak period at all.
//
// Renovate treats vulnerability PRs specially:
// - they are created immediately (`prCreation: 'immediate'`)
// - per Renovate's docs they are not blocked by the schedule or PR limits
// above
// - `minimumReleaseAge: null` removes the 7-day soak; it is spelled out here
// so the trade-off is visible in the config itself
// - `vulnerabilityFixStrategy: 'lowest'` picks the lowest version that closes
// the advisory, i.e. the smallest change rather than the newest release
//
// Prerequisite (per Renovate's docs): GitHub-sourced alerts require Dependabot
// alerts to be enabled on the repo and the Renovate token to be allowed to
// read them. Without that, this block only has the OSV data below to act on.
vulnerabilityAlerts: {
automerge: true,
automergeType: 'pr',
minimumReleaseAge: null,
labels: [
'security',
],
vulnerabilityFixStrategy: 'lowest',
prCreation: 'immediate',
},
// Also consult OSV (osv.dev) for direct-dependency vulnerability information.
// This supplements, rather than replaces, the GitHub-sourced alerts above.
osvVulnerabilityAlerts: true,
// Review PR hygiene.
assignees: [
'stanlemon',
],
labels: [
'renovate-pr',
],
// Package rules are applied in order; a later rule overrides an earlier one
// for every option both set. Several of the notes below depend on that.
packageRules: [
{
// This is the main behavior change in the config.
//
// For stable semver dependencies already on 1.0.0 or newer:
// - create a Renovate branch immediately
// - wait 1 day after the release (this rule overrides the global 7 days)
// - run CI on that branch
// - merge directly into `main` with no PR if CI passes
// - only do this during weekday business hours
//
// This rule is intentionally not limited to npm. If Renovate can classify
// an update as `minor` or `patch`, this is the default fast path unless a
// later, narrower rule overrides it. `matchCurrentVersion` is a negated
// regex: any current version that does not start with `0.` qualifies.
//
// Why `automergeType: 'branch'`:
// - this is the Renovate setting that actually means "land directly into
// the base branch" instead of "open a PR and let that PR automerge"
//
// Operational requirement:
// - CI must run on `renovate/**` branches
// - Renovate must be allowed to update the base branch after checks pass
//
// If branch protection blocks that second requirement, Renovate will fall
// back to opening PRs instead of silently landing these updates.
//
// NOTE(review): the only gate before `main` on this path is that CI run.
// Whatever that CI executes (presumably including the updated dependency's
// own install/build steps) runs before any human sees the change, and a
// 1-day soak is short relative to how long a hijacked-but-plausible
// minor/patch release can go unreported. That is the accepted trade-off of
// this rule; keep the secrets reachable from `renovate/**` CI jobs minimal.
description: 'Fast-path stable semver minor/patch updates directly into main when CI passes.',
matchUpdateTypes: [
'minor',
'patch',
],
matchCurrentVersion: '!/^0\\./',
// Override the global 7-day soak — 1 day is enough for stable releases
// on the fast path; anything riskier is handled by later, narrower rules.
minimumReleaseAge: '1 day',
// Cron `1-5` means Monday through Friday, and `8-16` keeps this in the
// 8 AM through 4:59 PM business-hours window in the configured timezone.
schedule: [
'* 8-16 * * 1-5',
],
automergeSchedule: [
'* 8-16 * * 1-5',
],
automerge: true,
automergeType: 'branch',
},
{
// Pre-1.0 packages are deliberately excluded from the fast path because
// `0.x` minor bumps can contain breaking changes. Keeping them reviewable
// prevents a "looks safe on paper, breaks in practice" upgrade from
// landing automatically. They inherit the global 7-day soak.
//
// NOTE(review): the GitHub Actions rule below comes later and re-enables
// automerge for minor/patch regardless of current version, so a `0.x`
// action's minor/patch update is still automerged despite this rule.
description: 'Keep pre-1.0 minor/patch updates in review PRs.',
matchUpdateTypes: [
'minor',
'patch',
],
matchCurrentVersion: '/^0\\./',
automerge: false,
groupName: 'pre-1.0 dependency updates',
groupSlug: 'pre-1-updates',
},
{
// Peer dependency ranges are part of the published compatibility promise
// of a package. Changes here can affect consumers in ways that are hard to
// detect automatically, so disable all peer dependency updates entirely.
description: 'Disable all peer dependency updates.',
matchDepTypes: [
'peerDependencies',
],
enabled: false,
},
{
// Keep workflow action updates together so CI maintenance lands as one
// coherent change instead of multiple small PRs. Renovate will still
// split majors from non-majors according to its normal separation rules;
// majors are not matched here at all, so they keep the global
// `automerge: false`.
//
// Things to be aware of:
// - `pinDigest` is also listed in the last package rule below with
// `automerge: false` and a different groupName. Later rules win, so the
// initial digest pinning of an action ends up in the review-required
// group, while `digest` refreshes of already-pinned actions automerge
// from this rule. Drop `pinDigest` from one of the two rules to make the
// intent explicit.
// - NOTE(review): automerging `digest` updates weakens what digest pinning
// buys. A digest update follows the action's tag; if that tag were moved
// to a different commit, Renovate would propose the new digest, CI on the
// `renovate/**` branch would presumably execute that action with the
// workflow's credentials, and on a green run the change would land
// without review. Also verify that `minimumReleaseAge` actually gates
// digest-only updates — it keys off release timestamps, which a
// digest-only update may not carry. If this is too loose, remove
// `digest` from this rule and let `group:allDigest` keep them reviewable.
description: 'Group GitHub Actions updates together and automerge non-major changes.',
matchManagers: [
'github-actions',
],
matchUpdateTypes: [
'minor',
'patch',
'digest',
'pinDigest',
],
groupName: 'GitHub Actions',
groupSlug: 'github-actions',
minimumReleaseAge: '1 day',
schedule: [
'* 8-16 * * 1-5',
],
automergeSchedule: [
'* 8-16 * * 1-5',
],
automerge: true,
automergeType: 'branch',
},
{
// Any major version bump requires review. The ecosystem grouping presets
// above still apply, so related React / ESLint / Jest major bumps can stay
// grouped together instead of becoming a pile of unrelated review PRs.
//
// NOTE(review): whether this `automerge: false` or the
// `vulnerabilityAlerts.automerge: true` above wins for a vulnerability fix
// that happens to be a major bump depends on how Renovate merges the
// vulnerabilityAlerts config; confirm before relying on either outcome.
description: 'All major version bumps require review.',
matchUpdateTypes: [
'major',
],
automerge: false,
},
{
// Node.js runtime majors are worth treating even more conservatively than
// ordinary package majors. Renovate already understands `engines.node`,
// so this rule only adds a long soak period before such majors are even
// proposed for review, and groups them under one PR.
description: 'Hold Node.js major runtime upgrades until they have aged.',
matchDatasources: [
'node-version',
],
matchPackageNames: [
'node',
],
matchUpdateTypes: [
'major',
],
minimumReleaseAge: '7 months',
automerge: false,
groupName: 'node.js major updates',
groupSlug: 'node-major-updates',
},
{
// Lock file maintenance runs once a month (the 8 AM hour on the 1st) and
// automerges directly into main when CI passes. Declared version ranges do
// not change, but the *resolved* versions of every in-range dependency,
// transitive ones included, do.
//
// NOTE(review): this is the loosest path in the file. `minimumReleaseAge`
// is nulled here, and the package manager rather than Renovate picks the
// resolved versions, so assume there is no soak at all (TODO confirm
// whether Renovate applies any release-age filter to lock file
// maintenance). A transitive release published minutes earlier can reach
// `main` with CI on the `renovate/**` branch as the only gate. If that is
// too loose, remove the `minimumReleaseAge: null` override or set
// `automerge: false` for this rule.
//
// Schedule note: the branch is created in the 1st-of-the-month window but
// only automerged during a weekday 8-16 window, so when the 1st falls on
// a weekend the merge waits for the next weekday.
description: 'Run lock file maintenance once a month and automerge when CI passes.',
matchUpdateTypes: ['lockFileMaintenance'],
minimumReleaseAge: null,
schedule: ['* 8 1 * *'],
automergeSchedule: ['* 8-16 * * 1-5'],
automerge: true,
automergeType: 'branch',
},
{
// Pin and replacement updates are not normal semver minor or patch
// changes, so they stay reviewable instead of joining the fast path rule
// above. Digest refreshes are already grouped by `group:allDigest`.
//
// Because this rule comes last, its `automerge: false` and groupName also
// apply to `pinDigest` updates of GitHub Actions, overriding the automerge
// that the GitHub Actions rule above enables for that update type.
description: 'Non-semver maintenance updates stay reviewable.',
matchUpdateTypes: [
'pin',
'pinDigest',
'replacement',
],
automerge: false,
groupName: 'review-required maintenance updates',
groupSlug: 'review-maintenance',
},
],
}