
[build] Configure Renovate dashboard approval #17464

Merged
titusfortner merged 1 commit into trunk from renovate_enable on May 15, 2026

Conversation

@titusfortner
Member

Note - this is just to get a baseline, not the final product

🔗 Related Issues

Follow on to #17463

Previous use of Renovate resulted in a bunch of unreviewed PRs, so it was disabled. It was thought we were doing sufficient updates with the update tasks in the release process, but that ended up being limited to Java.

💥 What does this PR do?

  1. Single renovate.json file since renovate only looks for first matching
  2. No automatic PR creation, just the dashboard
  3. Skips editing lockfiles
  4. Skips running language tooling to update lockfiles

🔧 Implementation Notes

`matchManagers` includes managers that need the "bump" rangeStrategy. It has nothing to do with how Bazel will manage the pinning later.

🤖 AI assistance

  • No substantial AI assistance used
  • AI assisted (complete below)
    • Tool(s): codex
    • What was generated: json file
    • I reviewed all AI output and can explain the change

💡 Additional Considerations

  • Add restrictions for things we don't want to deal with (likely java and javascript since we can manage those separately)
  • Add the labels back so ci-renovate workflow will work properly

@selenium-ci added the B-build label (Includes scripting, bazel and CI integrations) on May 15, 2026
@qodo-code-review
Contributor

Review Summary by Qodo

Consolidate Renovate config with dashboard approval workflow

✨ Enhancement ⚙️ Configuration changes


Walkthroughs

Description
• Consolidate Renovate configuration into single root file
• Enable dependency dashboard with approval requirement
• Simplify package rules to focus on core managers
• Disable automatic PR creation and lockfile maintenance
Diagram
flowchart LR
  A["Multiple Renovate Configs"] -->|Consolidate| B["Single renovate.json"]
  B -->|Enable| C["Dependency Dashboard"]
  C -->|Require| D["Approval Before PRs"]
  B -->|Simplify| E["Core Package Rules"]
  E -->|Focus on| F["bundler, cargo, npm, poetry, pep621"]


File Changes

1. .github/renovate.json ⚙️ Configuration changes +0/-26

Remove deprecated GitHub-specific Renovate config

• File deleted as configuration consolidated into root renovate.json
• Previously contained Docker disabling rules and B-dependencies label


2. renovate.json ⚙️ Configuration changes +19/-74

Simplify config with dashboard approval and core managers

• Added dependencyDashboard and dependencyDashboardApproval to require manual approval
• Added dashboard header explaining approval workflow and review requirements
• Changed prCreation to "approval" mode to prevent automatic PR creation
• Disabled lockFileMaintenance and enabled skipArtifactsUpdate
• Simplified packageRules from 14 rules to 2 focused rules for core managers
• Reduced scope to bundler, cargo, npm, pep621, poetry, and Bazel/Maven combinations
• Removed language-specific commit prefixes and category labels
• Removed prConcurrentLimit constraint



@qodo-code-review
Contributor

qodo-code-review Bot commented May 15, 2026

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)


Action required

1. Missing commit tags 🐞 Bug ☼ Reliability
Description
The Renovate repin workflow selects which repin commands to run by scanning commit messages for markers like [java]/[js]/[py], but renovate.json no longer sets any commitMessagePrefix to ensure those markers exist. As a result, Renovate branches can skip required repin steps, leaving dependency declaration updates without corresponding pinned/lock updates and likely breaking CI/build reproducibility.
Code

renovate.json[R16-27]

  "packageRules": [
    {
-      "matchManagers": [ "bazel", "bazel-module", "bazelisk" ],
-      "matchPackageNames": [ "!rules_java", "!rules_jvm_external", "!contrib_rules_jvm", "!rules_dotnet", "!aspect_rules_js", "!aspect_rules_ts", "!rules_nodejs", "!rules_python", "!rules_ruby", "!rules_cc" ],
-      "matchDatasources": [ "!maven" ],
-      "commitMessagePrefix": "[dotnet][java][js][py][rb][rust]",
-      "labels": [ "dependencies", "c-build" ]
+      "description": "Treat Renovate as the declaration upgrade mechanism; repo update/pin tasks own resolved lockfile changes.",
+      "matchManagers": ["bundler", "cargo", "npm", "pep621", "poetry"],
+      "rangeStrategy": "bump"
    },
    {
-      "matchManagers": [ "nuget" ],
-      "commitMessagePrefix": "[dotnet]",
-      "labels": [ "dependencies", "c-dotnet" ]
-    },
-    {
-      "matchPackageNames": [ "rules_dotnet" ],
-      "commitMessagePrefix": "[dotnet]",
-      "labels": [ "dependencies", "c-dotnet" ]
-    },
-    {
-      "matchManagers": [ "bazel", "bazel-module" ],
+      "description": "Use Maven version ordering for Maven artifacts found through Bazel managers.",
+      "matchManagers": ["bazel", "bazel-module"],
      "matchDatasources": ["maven"],
-      "versioning": "maven",
-      "commitMessagePrefix": "[java]",
-      "labels": [ "dependencies", "c-java" ]
-    },
-    {
-      "matchManagers": [ "bazel-module" ],
-      "matchPackageNames": [ "rules_java", "rules_jvm_external", "contrib_rules_jvm" ],
-      "commitMessagePrefix": "[java]",
-      "labels": [ "dependencies", "c-java" ]
-    },
-    {
-      "matchManagers": [ "maven" ],
-      "commitMessagePrefix": "[java]",
-      "labels": [ "dependencies", "c-java" ]
-    },
-    {
-      "matchManagers": [ "npm" ],
-      "rangeStrategy": "bump",
-      "commitMessagePrefix": "[js]",
-      "labels": [ "dependencies", "c-nodejs" ]
-    },
-    {
-      "matchPackageNames": [ "aspect_rules_js", "aspect_rules_ts", "rules_nodejs" ],
-      "commitMessagePrefix": "[js]",
-      "labels": [ "dependencies", "c-nodejs" ]
-    },
-    {
-      "matchManagers": [ "pip_requirements", "pip_setup" ],
-      "commitMessagePrefix": "[py]",
-      "labels": [ "dependencies", "c-py" ]
-    },
-    {
-      "matchPackageNames": [ "rules_python" ],
-      "commitMessagePrefix": "[py]",
-      "labels": [ "dependencies", "c-py" ]
-    },
-    {
-      "matchManagers": [ "bundler", "ruby-version" ],
-      "commitMessagePrefix": "[rb]",
-      "labels": [ "dependencies", "c-rb" ]
-    },
-    {
-      "matchPackageNames": [ "rules_ruby" ],
-      "commitMessagePrefix": "[rb]",
-      "labels": [ "dependencies", "c-rb" ]
-    },
-    {
-      "matchManagers": [ "cargo" ],
-      "rangeStrategy": "bump",
-      "commitMessagePrefix": "[rust]",
-      "labels": [ "dependencies", "c-rust" ]
-    },
-    {
-      "matchPackageNames": [ "rules_cc" ],
-      "commitMessagePrefix": "[rust]",
-      "labels": [ "dependencies", "c-rust" ]
+      "versioning": "maven"
    }
-  ],
-  "prConcurrentLimit": 10
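Review bot: the last line of this hunk drops `"prConcurrentLimit": 10` with no replacement, so once a batch of updates is ticked on the dashboard there is no cap on how many branches Renovate opens at once; since a flood of unreviewed PRs is the stated reason Renovate was disabled before, keep the removed line (or a `prHourlyLimit`) until the dashboard workflow has proven itself. The new first rule also widens scope, applying `rangeStrategy: bump` to bundler, cargo, npm, pep621 and poetry, while carrying none of the `labels` the removed rules had; that is what the PR description's "add the labels back so ci-renovate workflow will work properly" item refers to, and it is worth tracking here rather than in a follow-up nobody owns.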
Evidence
The Renovate config no longer defines any commit message prefixes, while the Renovate CI workflow explicitly depends on those prefixes to decide which repin commands to run.

renovate.json[16-27]
.github/workflows/ci-renovate-rbe.yml[20-37]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`ci-renovate-rbe.yml` gates repin actions on commit-message markers (e.g., `[java]`, `[js]`, `[py]`), but `renovate.json` no longer configures Renovate to emit those markers (no `commitMessagePrefix` rules). This can prevent repin steps from running, leaving dependency updates incomplete.

## Issue Context
- The workflow joins commit messages and checks for fixed substrings like `"[java]"`.
- The updated `renovate.json` package rules only set `matchManagers`/`rangeStrategy`/`versioning` and never set `commitMessagePrefix`.

## Fix Focus Areas
- renovate.json[16-27]
- .github/workflows/ci-renovate-rbe.yml[20-37]

## Suggested fix
Choose one:
1) Re-introduce `commitMessagePrefix` (or equivalent Renovate commit-message templating) per ecosystem so Renovate commits reliably include `[java]`, `[rust]`, `[js]`, `[dotnet]`, `[py]`, `[rb]`.
2) Change the workflow to detect which repin to run based on changed files/managers (e.g., changed paths like `MODULE.bazel`, `py/pyproject.toml`, etc.) instead of commit message content.

(1) is the smallest change if you want to preserve the existing workflow logic.




Remediation recommended

2. Docker updates re-enabled 🐞 Bug ⚙ Maintainability
Description
The PR deletes the prior Renovate config that explicitly disabled Docker updates, and the new root renovate.json does not contain any Docker disable rules. Because the repo has Dockerfiles with base images, enabling Renovate will now surface Docker image updates on the dashboard/PRs, likely reintroducing unwanted update noise.
Code

.github/renovate.json[L5-24]

-  "docker": {
-    "enabled": false
-  },
-  "packageRules": [
-    {
-      "matchDatasources": [
-        "docker"
-      ],
-      "enabled": false
-    },
-    {
-      "matchPackagePatterns": [
-        "^docker:",
-        "^gcr.io/",
-        "^registry.k8s.io/",
-        "^quay.io/",
-        "^ghcr.io/"
-      ],
-      "enabled": false
-    }
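Review bot: if these rules are brought back into the root renovate.json, do not paste them verbatim. The third rule's `matchPackagePatterns` is deprecated in current Renovate (pattern matching now goes through `matchPackageNames` with `/regex/` entries), and its registry-prefix list is redundant anyway once the second rule, `"matchDatasources": ["docker"], "enabled": false`, is present, because that rule covers every image regardless of registry and also catches images referenced outside Dockerfiles. Before reusing the `"docker": { "enabled": false }` block at the top of the hunk, confirm it still maps to a manager in the Renovate version in use; the Dockerfile manager is named `dockerfile`.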
Evidence
The current renovate.json has no Docker-related disables, and Dockerfiles in the repo define base images; this combination will cause Docker dependencies to be discovered when Renovate runs.

renovate.json[1-15]
scripts/dev-image/Dockerfile[1-3]
scripts/remote-image/Dockerfile[1-3]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Docker dependency updates were previously explicitly disabled, but the configuration that did that was deleted and the new `renovate.json` does not include an equivalent disable. With Dockerfiles present, Renovate will now detect Docker base image updates.

## Issue Context
The repo includes Dockerfiles (`FROM ...`), so Docker dependency scanning is relevant and will generate dashboard items/PRs unless explicitly disabled.

## Fix Focus Areas
- renovate.json[1-15]
- scripts/dev-image/Dockerfile[1-3]
- scripts/remote-image/Dockerfile[1-3]

## Suggested fix
Add explicit Docker disabling to the new root `renovate.json` (e.g., disable the docker manager and/or add a `packageRules` entry disabling the `docker` datasource / common registry patterns) to preserve the previous behavior and keep the dashboard focused on intended ecosystems.



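Suggested fix (2) from the first finding above, as an added example that is not code from this PR or from the ci-renovate-rbe.yml workflow: derive the repin targets from the files a Renovate branch touched, and compare that with the marker scan the workflow relies on, which silently yields nothing when Renovate emits no commitMessagePrefix. The repository layout encoded in the path rules is an assumption, except for `MODULE.bazel` and `py/pyproject.toml`, which the review itself names; the sample commit message and changed paths are constructed.

```python
"""Decide which repin steps a Renovate branch needs.

Two signals are compared:
  * marker scan: what the existing workflow does (substring match on the
    commit messages), which returns nothing once Renovate stops emitting
    commitMessagePrefix markers;
  * path scan: map the files Renovate changed to ecosystems, which does not
    depend on commit-message templating at all.
"""
import re

# Markers the workflow greps for inside commit messages, e.g. "[java]".
MARKERS = ("dotnet", "java", "js", "py", "rb", "rust")
_MARKER_RE = re.compile(r"\[(" + "|".join(MARKERS) + r")\]")

# Changed-path rules. ASSUMPTION: the directory names below are a guess at
# the repo layout; only MODULE.bazel and py/pyproject.toml come from the
# review text. A MODULE.bazel change maps to every ecosystem, mirroring the
# "[dotnet][java][js][py][rb][rust]" prefix the old bazel rule carried.
_PATH_RULES = [
    (re.compile(r"^MODULE\.bazel$"), set(MARKERS)),
    (re.compile(r"^java/"), {"java"}),
    (re.compile(r"^javascript/.*package\.json$"), {"js"}),
    (re.compile(r"^py/(pyproject\.toml|requirements.*\.txt)$"), {"py"}),
    (re.compile(r"^rb/Gemfile(\.lock)?$"), {"rb"}),
    (re.compile(r"^rust/Cargo\.toml$"), {"rust"}),
    (re.compile(r"^dotnet/.*\.(csproj|props)$"), {"dotnet"}),
]


def tags_from_commit_messages(messages):
    """Marker scan: join the messages and collect every [tag] found."""
    joined = "\n".join(messages)
    return set(_MARKER_RE.findall(joined))


def tags_from_changed_paths(paths):
    """Path scan: union of ecosystems whose rules match any changed file."""
    tags = set()
    for path in paths:
        for pattern, ecosystems in _PATH_RULES:
            if pattern.search(path):
                tags |= ecosystems
    return tags


def repin_targets(messages, paths):
    """Union of both signals, so a missing prefix no longer skips a repin."""
    return tags_from_commit_messages(messages) | tags_from_changed_paths(paths)


# Constructed sample: a Renovate commit with no prefix (the post-PR shape)
# that only touched an npm manifest.
SAMPLE_MESSAGES = ["chore(deps): update dependency example-pkg to v2.0.0"]
SAMPLE_PATHS = ["javascript/example/package.json"]

if __name__ == "__main__":
    print("marker scan :", sorted(tags_from_commit_messages(SAMPLE_MESSAGES)))
    print("path scan   :", sorted(tags_from_changed_paths(SAMPLE_PATHS)))
    print("repin       :", sorted(repin_targets(SAMPLE_MESSAGES, SAMPLE_PATHS)))
```

In a workflow step the message list would come from `git log --format=%s` on the branch and the path list from `git diff --name-only` against the base; the point of `repin_targets` is that the decision stays correct whether or not the Renovate config ever regains its prefixes.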

Comment thread renovate.json
Contributor

Copilot AI left a comment


Pull request overview

Baseline Renovate configuration that consolidates two competing config files into a single renovate.json, switches to dashboard-only approval (no automatic PR creation), and disables lockfile editing so the repo's existing update/pin tasks remain authoritative for resolved versions.

Changes:

  • Delete .github/renovate.json so Renovate only reads the root renovate.json (Renovate stops at the first matching config file).
  • Enable dependency dashboard with manual approval (dependencyDashboardApproval, prCreation: "approval", automerge: false) and the B-dependencies label.
  • Skip lockfile/artifact updates (skipArtifactsUpdate, lockFileMaintenance.enabled: false) and reduce package rules to a bump rangeStrategy for declaration-based managers plus Maven versioning for Bazel-discovered Maven artifacts.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File: Description
renovate.json: Adds dashboard-approval settings, label, lockfile/artifact skipping, and simplified package rules (bump for bundler/cargo/npm/pep621/poetry; maven versioning for bazel maven datasource).
.github/renovate.json: Removed so the root config is the single source of truth.
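The settings the two review summaries describe, assembled into one root renovate.json as an added illustration; this is not the file merged in this PR. It folds in the two Qodo findings: a datasource rule that keeps Docker images off the dashboard, and per-ecosystem `commitMessagePrefix` values matching the `[java]`/`[js]`/`[py]`/`[rb]`/`[rust]` markers the ci-renovate-rbe.yml workflow scans for. The manager lists, the two `description` strings and the versioning rule are taken from the diff; the `$schema` line, the header text, and the choice to put each prefix on the same rule as its `bump` strategy are my assumptions.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "dependencyDashboard": true,
  "dependencyDashboardApproval": true,
  "dependencyDashboardHeader": "Tick a box to request a PR. Every PR still needs a human review; the repo's update/pin tasks own resolved lockfile changes.",
  "prCreation": "approval",
  "automerge": false,
  "labels": ["B-dependencies"],
  "lockFileMaintenance": { "enabled": false },
  "skipArtifactsUpdate": true,
  "packageRules": [
    {
      "description": "Keep Docker base images off the dashboard (replaces the deleted .github/renovate.json rules).",
      "matchDatasources": ["docker"],
      "enabled": false
    },
    {
      "description": "Treat Renovate as the declaration upgrade mechanism; repo update/pin tasks own resolved lockfile changes.",
      "matchManagers": ["npm"],
      "rangeStrategy": "bump",
      "commitMessagePrefix": "[js]"
    },
    {
      "matchManagers": ["cargo"],
      "rangeStrategy": "bump",
      "commitMessagePrefix": "[rust]"
    },
    {
      "matchManagers": ["bundler"],
      "rangeStrategy": "bump",
      "commitMessagePrefix": "[rb]"
    },
    {
      "matchManagers": ["pep621", "poetry"],
      "rangeStrategy": "bump",
      "commitMessagePrefix": "[py]"
    },
    {
      "description": "Use Maven version ordering for Maven artifacts found through Bazel managers.",
      "matchManagers": ["bazel", "bazel-module"],
      "matchDatasources": ["maven"],
      "versioning": "maven",
      "commitMessagePrefix": "[java]"
    }
  ]
}
```

Renovate applies `packageRules` in order and merges matching rules, so the `bump` strategy and the prefix for one ecosystem can live on a single rule; the Docker rule is first only for readability. `npx --yes renovate-config-validator renovate.json` checks the file against the schema before it reaches trunk.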

@titusfortner merged commit 5f94a44 into trunk on May 15, 2026
33 checks passed
@titusfortner deleted the renovate_enable branch on May 15, 2026 at 15:58

Labels

B-build Includes scripting, bazel and CI integrations


3 participants