From 87989ccd92abb91a5996e25ab151ea888ccc7619 Mon Sep 17 00:00:00 2001
From: Nigel Bazzeghin <nbazzeghin@gmail.com>
Date: Wed, 11 Feb 2026 22:15:33 -0600
Subject: [PATCH] chore: migrate from Dependabot to Renovate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace Dependabot with Renovate for dependency management.
Renovate has native Bun support and correctly handles bun.lock,
which Dependabot does not — causing CI failures on every PR.

Config highlights:
- Groups non-major npm updates into single PRs
- Separate PRs for major version bumps (require review)
- Groups GitHub Actions updates
- Auto-merges minor/patch updates
- Uses chore(deps): and ci(deps): conventional commit prefixes
- Weekend schedule to avoid weekday noise
---
 .github/dependabot.yml | 24 ------------------------
 AGENTS.md              |  2 +-
 renovate.json          | 39 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 40 insertions(+), 25 deletions(-)
 delete mode 100644 .github/dependabot.yml
 create mode 100644 renovate.json

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index f7b45e5..0000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-version: 2
-updates:
-  - package-ecosystem: npm
-    directory: /
-    schedule:
-      interval: weekly
-      day: monday
-    open-pull-requests-limit: 10
-    labels:
-      - dependencies
-    commit-message:
-      prefix: "chore(deps):"
-
-  - package-ecosystem: github-actions
-    directory: /
-    schedule:
-      interval: weekly
-      day: monday
-    open-pull-requests-limit: 5
-    labels:
-      - dependencies
-      - ci
-    commit-message:
-      prefix: "ci(deps):"
diff --git a/AGENTS.md b/AGENTS.md
index e000468..1787c21 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -48,7 +48,7 @@ If tests fail, identify whether failures are pre-existing vs introduced by your
 - **Conventional Commits** (`.github/workflows/conventional-commits.yml`) — Validates PR titles follow the convention.
 - **CodeQL** (`.github/workflows/codeql.yml`) — Static analysis for TypeScript; runs on PRs, pushes to `main`, and weekly.
 - **Publish** (`.github/workflows/publish.yml`) — semantic-release to npm on `main`.
-- **Dependabot** (`.github/dependabot.yml`) — Opens weekly PRs for npm and GitHub Actions dependency updates. These use `chore(deps):` and `ci(deps):` commit prefixes.
+- **Renovate** (`renovate.json`) — Automated dependency updates via the Renovate GitHub App. Groups non-major npm updates, creates separate PRs for majors, and auto-merges minor/patch. Uses `chore(deps):` and `ci(deps):` commit prefixes.
 
 ## Branch & Merge Rules
 
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..2b63dc6
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,39 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    "schedule:weekends",
+    ":semanticCommits",
+    ":automergeMinor",
+    ":automergePatch"
+  ],
+  "labels": ["dependencies"],
+  "prHourlyLimit": 3,
+  "prConcurrentLimit": 5,
+  "rebaseWhen": "behind-base-branch",
+  "packageRules": [
+    {
+      "description": "Group non-major npm dependency updates",
+      "matchManagers": ["bun"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "npm non-major dependencies",
+      "commitMessagePrefix": "chore(deps):",
+      "labels": ["dependencies"]
+    },
+    {
+      "description": "Major npm dependency updates (separate PRs for review)",
+      "matchManagers": ["bun"],
+      "matchUpdateTypes": ["major"],
+      "commitMessagePrefix": "chore(deps):",
+      "labels": ["dependencies"],
+      "automerge": false
+    },
+    {
+      "description": "Group GitHub Actions updates",
+      "matchManagers": ["github-actions"],
+      "groupName": "github actions",
+      "commitMessagePrefix": "ci(deps):",
+      "labels": ["dependencies", "ci"]
+    }
+  ]
+}