Skip to content

[MISC] UV configuration for renovate#38

Open
dragomirp wants to merge 1 commit into
mainfrom
uv-renovate
Open

[MISC] UV configuration for renovate#38
dragomirp wants to merge 1 commit into
mainfrom
uv-renovate

Conversation

@dragomirp

@dragomirp dragomirp commented May 9, 2025

Copy link
Copy Markdown
Contributor

UV presets, in case we switch permanently.

Tested on https://github.com/dragomirp/pgbouncer-operator/pull/9

// Exclude Renovate PRs from auto-generated release notes
"labels": ["not bug or enhancement"],
"enabledManagers": ["poetry", "github-actions", "regex"],
"enabledManagers": ["poetry", "pep621", "github-actions", "regex"],

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The manager is pep621, lockFileMaintenance from line 11 will make renovate updated the uv.lock as well.

{
"matchManagers": ["pep621"],
"matchDepNames": ["python"],
"matchDatasources": ["python-version"],

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can merge with the poetry rule above based on datasource.

"matchManagers": ["pep621"],
"rangeStrategy": "in-range-only",
"matchJsonata": [
"depType = 'dependency-groups' and managerData.depGroup = 'charm-libs'"

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@carlcsaposs-canonical carlcsaposs-canonical left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dependabot vulnerability alerts—which Renovate uses to segment security updates from normal PRs (and to open security update PRs immediately, instead of waiting for the weekly schedule)—do not currently support uv.lock

@astrojuanlu

Copy link
Copy Markdown

This should now be fixed! Dependabot can now detect vulnerable dependencies from uv.lock files and create security updates for them.

dependabot/dependabot-core#11913

@taurus-forever

Copy link
Copy Markdown
Contributor

discussed in backlog grooming: waiting here for 26.04 *craft tools changes to test all of them and valuate complete migration to uv for all repos. There are several blockers right now here (c) @carlcsaposs-canonical .

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants