From c053e8ac7235c9c08576f52120a2d09a963f14a0 Mon Sep 17 00:00:00 2001 From: Will Manning Date: Mon, 4 May 2026 14:07:21 -0400 Subject: [PATCH] Switch from Dependabot to Renovate to match org convention The flagship vortex repo plus duckdb-vortex and vortex-datafusion-cli all use Renovate; bring vortex.dev in line. The new renovate.json is modeled on vortex/renovate.json but tailored for a Next.js marketing site: - config:recommended + :automergeStableNonMajor + :automergePr + :automergeRequireAllStatusChecks for safe auto-merge of non-major bumps once CI passes (replaces the dependabot-auto-merge.yml workflow, which is now removed since Renovate's platformAutomerge handles this natively). - :dependencyDashboard for a single tracking issue. - schedule:earlyMondays preserves the previous Monday cadence. - helpers:pinGitHubActionDigests keeps workflow actions SHA-pinned to match the existing ci.yml style. - lockFileMaintenance enabled for periodic bun.lock refresh. - packageRules group Next.js, React, TailwindCSS, MDX pipeline, Analytics, Biome, and GitHub Actions; "all patch updates" collapses patch noise into a single weekly PR. Note: this is not a restore of the original renovate.json from #13. That config had no grouping, which is part of why the post-Biome-migration Renovate PRs piled up uncollapsed. The new config groups by ecosystem so a future toolchain change won't generate a flood of independent PRs. Signed-off-by: Will Manning
---
 .github/dependabot.yml | 60 ------------------ .github/workflows/dependabot-auto-merge.yml | 57 ------------------ renovate.json | 67 +++++++++++++++++++++ 3 files changed, 67 insertions(+), 117 deletions(-) delete mode 100644 .github/dependabot.yml delete mode 100644 .github/workflows/dependabot-auto-merge.yml create mode 100644 renovate.json
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index 4e3c83f..0000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-version: 2
-updates:
- - package-ecosystem: bun
- directory: "/"
- schedule:
- interval: weekly
- day: monday
- time: "08:00"
- timezone: "America/New_York"
- open-pull-requests-limit: 5
- # Wait 14 days after a release before proposing a bump. Avoids dragging in
- # day-old versions that get yanked or hot-patched within their first week.
- cooldown:
- default-days: 14
- # Logical groups so related bumps land together. Patterns are matched
- # against package names; a package can only belong to one group, so order
- # matters (more-specific groups first).
- groups:
- react:
- patterns:
- - "react"
- - "react-dom"
- - "@types/react"
- - "@types/react-dom"
- content-pipeline:
- patterns:
- - "remark-*"
- - "rehype-*"
- - "@next/mdx"
- - "@mdx-js/*"
- - "react-markdown"
- - "velite"
- lint-format:
- patterns:
- - "@biomejs/*"
- minor-and-patch:
- update-types:
- - minor
- - patch
- labels:
- - dependencies
-
- - package-ecosystem: github-actions
- directory: "/"
- schedule:
- interval: weekly
- day: monday
- time: "08:00"
- timezone: "America/New_York"
- cooldown:
- default-days: 14
- groups:
- actions:
- update-types:
- - minor
- - patch
- - major
- labels:
- - dependencies
- - github-actions
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
deleted file mode 100644
index a19aa41..0000000
--- a/.github/workflows/dependabot-auto-merge.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-name: Dependabot auto-merge
-
-# Auto-enables merge on Dependabot PRs for patch + minor bumps.
-# Major bumps stay open for manual review.
-#
-# Required setup (one-time, in repo settings):
-# 1. Settings → General → Pull Requests → "Allow auto-merge" ✓
-# 2. (optional but recommended) Branch protection on main with the
-# CI status check marked Required. Otherwise merge fires immediately
-# without waiting for CI.
-#
-# Uses pull_request_target rather than pull_request because Dependabot
-# PRs are treated as fork PRs by default, so pull_request runs with a
-# read-only GITHUB_TOKEN that can't enable auto-merge. pull_request_target
-# is safe here because we never check out or run PR-side code — we only
-# read metadata from the GitHub API.
-
-on:
- pull_request_target:
- types: [opened, reopened, synchronize]
-
-permissions:
- contents: write
- pull-requests: write
-
-jobs:
- auto-merge:
- name: Enable auto-merge for patch + minor bumps
- runs-on: ubuntu-latest
- if: github.actor == 'dependabot[bot]'
- steps:
- - name: Get Dependabot metadata
- id: metadata
- uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
- with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Enable auto-merge (patch + minor)
- if: |
- steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
- steps.metadata.outputs.update-type == 'version-update:semver-minor'
- run: gh pr merge --auto --squash "$PR_URL"
- env:
- PR_URL: ${{ github.event.pull_request.html_url }}
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Comment on major bumps
- if: steps.metadata.outputs.update-type == 'version-update:semver-major'
- run: |
- gh pr comment "$PR_URL" --body "🛑 Major version bump — auto-merge skipped, please review manually.
-
- - Package: \`${{ steps.metadata.outputs.dependency-names }}\`
- - From: \`${{ steps.metadata.outputs.previous-version }}\`
- - To: \`${{ steps.metadata.outputs.new-version }}\`"
- env:
- PR_URL: ${{ github.event.pull_request.html_url }}
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..33536da
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,67 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:recommended",
+ ":automergeStableNonMajor",
+ ":automergePr",
+ ":automergeRequireAllStatusChecks",
+ ":combinePatchMinorReleases",
+ ":dependencyDashboard",
+ ":separateMultipleMajorReleases",
+ ":configMigration",
+ "schedule:earlyMondays",
+ "helpers:pinGitHubActionDigests"
+ ],
+ "lockFileMaintenance": {
+ "enabled": true
+ },
+ "automergeStrategy": "squash",
+ "rebaseWhen": "conflicted",
+ "platformAutomerge": true,
+ "labels": ["dependencies"],
+ "patch": {
+ "groupName": "all patch updates"
+ },
+ "packageRules": [
+ {
+ "groupName": "Next.js",
+ "matchPackageNames": ["next", "@next/**"]
+ },
+ {
+ "groupName": "React",
+ "matchPackageNames": [
+ "react",
+ "react-dom",
+ "@types/react",
+ "@types/react-dom"
+ ]
+ },
+ {
+ "groupName": "TailwindCSS",
+ "matchPackageNames": ["tailwindcss", "@tailwindcss/**"]
+ },
+ {
+ "groupName": "MDX content pipeline",
+ "matchPackageNames": [
+ "@mdx-js/**",
+ "react-markdown",
+ "remark-**",
+ "rehype-**",
+ "velite"
+ ]
+ },
+ {
+ "groupName": "Analytics",
+ "matchPackageNames": ["@vercel/analytics", "next-plausible"]
+ },
+ {
+ "groupName": "Biome",
+ "matchPackageNames": ["@biomejs/**"]
+ },
+ {
+ "matchManagers": ["github-actions"],
+ "groupName": "GitHub Actions",
+ "addLabels": ["github-actions"]
+ }
+ ]
+}
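Review bot: No release-age gate is set among the top-level options of renovate.json (next to `"platformAutomerge": true`), so the 14-day `cooldown` from the deleted dependabot.yml is lost while automerge of stable non-major updates is switched on through `:automergeStableNonMajor` and `:automergePr`. As written, a version published shortly before the Monday run can be proposed and merged as soon as CI passes, which is the yanked or hot-patched release case the old comment described and also the window in which a compromised release is usually still live. Adding a top-level `"minimumReleaseAge": "14 days"` would keep the previous behaviour. The removed workflow header also noted that auto-merge only waits for CI when the check is marked required on main; that setting is not visible in this patch and is worth confirming, since GitHub's native auto-merge depends on it.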