You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
.github/renovate.json: config:recommended (which includes the github-actions manager), minimumReleaseAge: 7 days, and branch-based automerge for minor/patch/digest updates.
Renovate shows no activity anywhere: no Dependency Dashboard issue, no renovate/* branches, no PRs or commits by renovate[bot] — yet .github/workflows/opencode.yml:30 still special-cases renovate/ branches.
Evidence
gh pr list --state all → only dceoy and app/dependabot authors.
gh api repos/dceoy/opencode-action/branches → main only; git log --all --author=renovate → empty.
Both configs target the same two SHA-pinned actions (actions/checkout, actions/cache) with different, independent automerge mechanisms.
Impact
Today the Renovate config is dead weight: it suggests update behavior that never happens, and the renovate/ branch exclusion in opencode.yml guards nothing. If the Renovate app is ever installed (e.g. org-wide), both bots will race on the same updates through two independent automerge paths (Dependabot PR-automerge vs. Renovate branch-automerge), producing duplicate updates and conflicts.
Suggested fix
Pick one updater for github-actions. Simplest given current state: keep Dependabot and delete .github/renovate.json plus the renovate/ exclusion in opencode.yml. Alternatively, if Renovate is the intended tool, install the app and remove .github/dependabot.yml (or disable Renovate's github-actions manager so the scopes are disjoint).
Validation
After removal, confirm the next Dependabot PR still opens and auto-merges normally, and that opencode.yml conditions still lint (actionlint).
Problem
The repo carries two dependency-update configurations for the same — and only — managed ecosystem:
.github/dependabot.yml:github-actions, daily schedule, 7-day cooldown. Active: it opened PRs Bump actions/cache from 4.3.0 to 5.0.5 #2 and Bump actions/cache from 5.0.5 to 6.1.0 #8, which thedependabot-auto-mergejob inci.ymlmerges automatically..github/renovate.json:config:recommended(which includes the github-actions manager),minimumReleaseAge: 7 days, and branch-based automerge for minor/patch/digest updates.Renovate shows no activity anywhere: no Dependency Dashboard issue, no
renovate/*branches, no PRs or commits byrenovate[bot]— yet.github/workflows/opencode.yml:30still special-casesrenovate/branches.Evidence
gh pr list --state all→ onlydceoyandapp/dependabotauthors.gh api repos/dceoy/opencode-action/branches→mainonly;git log --all --author=renovate→ empty.actions/checkout,actions/cache) with different, independent automerge mechanisms.Impact
Today the Renovate config is dead weight: it suggests update behavior that never happens, and the
renovate/branch exclusion inopencode.ymlguards nothing. If the Renovate app is ever installed (e.g. org-wide), both bots will race on the same updates through two independent automerge paths (Dependabot PR-automerge vs. Renovate branch-automerge), producing duplicate updates and conflicts.Suggested fix
Pick one updater for github-actions. Simplest given current state: keep Dependabot and delete
.github/renovate.jsonplus therenovate/exclusion inopencode.yml. Alternatively, if Renovate is the intended tool, install the app and remove.github/dependabot.yml(or disable Renovate's github-actions manager so the scopes are disjoint).Validation
After removal, confirm the next Dependabot PR still opens and auto-merges normally, and that
opencode.ymlconditions still lint (actionlint).