Skip to content

Dependabot and Renovate are both configured for github-actions updates; Renovate config appears inert #16

Description

@dceoy

Problem

The repo carries two dependency-update configurations for the same — and only — managed ecosystem:

  • .github/dependabot.yml: github-actions, daily schedule, 7-day cooldown. Active: it opened PRs Bump actions/cache from 4.3.0 to 5.0.5 #2 and Bump actions/cache from 5.0.5 to 6.1.0 #8, which the dependabot-auto-merge job in ci.yml merges automatically.
  • .github/renovate.json: config:recommended (which includes the github-actions manager), minimumReleaseAge: 7 days, and branch-based automerge for minor/patch/digest updates.

Renovate shows no activity anywhere: no Dependency Dashboard issue, no renovate/* branches, no PRs or commits by renovate[bot] — yet .github/workflows/opencode.yml:30 still special-cases renovate/ branches.

Evidence

  • gh pr list --state all → only dceoy and app/dependabot authors.
  • gh api repos/dceoy/opencode-action/branchesmain only; git log --all --author=renovate → empty.
  • Both configs target the same two SHA-pinned actions (actions/checkout, actions/cache) with different, independent automerge mechanisms.

Impact

Today the Renovate config is dead weight: it suggests update behavior that never happens, and the renovate/ branch exclusion in opencode.yml guards nothing. If the Renovate app is ever installed (e.g. org-wide), both bots will race on the same updates through two independent automerge paths (Dependabot PR-automerge vs. Renovate branch-automerge), producing duplicate updates and conflicts.

Suggested fix

Pick one updater for github-actions. Simplest given current state: keep Dependabot and delete .github/renovate.json plus the renovate/ exclusion in opencode.yml. Alternatively, if Renovate is the intended tool, install the app and remove .github/dependabot.yml (or disable Renovate's github-actions manager so the scopes are disjoint).

Validation

After removal, confirm the next Dependabot PR still opens and auto-merges normally, and that opencode.yml conditions still lint (actionlint).

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions