Evaluate replacing Dependabot with Renovate to enable secret-based E2E tests for dependency bumps #242

@jeffpaul

Description

Is your enhancement related to a problem? Please describe.

We’re currently using Dependabot for dependency updates, but it’s limited by GitHub’s security model where it cannot access repository secrets (example), which blocks us from running full end-to-end tests that require Apple credentials.

This limitation introduces friction:

  • We can’t automatically verify that dependency bumps pass secret-dependent E2E tests.
  • As a result, human testing is required for many updates, adding overhead and slowing down our workflow.

Proposal

Switch from Dependabot to Renovate to manage dependency updates. Renovate runs as a GitHub Action or self-hosted process, meaning:

  • It executes in the context of our GitHub Actions runner.
  • It can access repo secrets (e.g., Apple credentials) when using secure workflows.
  • We can fully automate E2E testing for dependency updates, removing the need for manual validation.

Tasks

  • Disable or pause Dependabot configuration.
  • Add a Renovate config (renovate.json or .github/renovate.json).
  • Set up a Renovate GitHub Action workflow, ensuring it uses a trusted context (e.g., via pull_request_target) for secret access.
  • Ensure the E2E test job runs on Renovate PRs and uses secrets correctly.
  • Confirm that updates triggering E2E tests succeed and the workflow is secure (e.g., run only if github.actor == 'renovate[bot]' or similar).
  • Monitor initial Renovate PRs to ensure smooth operation and safe automation.
  • Document and share learnings (e.g., in CONTRIBUTING.md or a team handbook) for future projects.

Security Considerations

  • Ensure workflows triggered by Renovate are tightly scoped and only run trusted code (do not run arbitrary PR code with access to secrets).
  • Use branch protections or manual review requirements until we're confident in the new setup.

Designs

No response

Describe alternatives you've considered

If this works well here, then we can look to replicate this in other repos that need to utilize a repo secret during testing, replacing Dependabot with Renovate there as well.

Code of Conduct

  • I agree to follow this project's Code of Conduct
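An added example of the E2E gate the tasks above describe, written for this issue and not taken from the project's repository. It assumes an `e2e` environment that holds the Apple credentials (secret names `APPLE_ID` and `APPLE_APP_PASSWORD` are placeholders), `npm run test:e2e` as the test entry point, and that Renovate opens PRs under the `renovate[bot]` login (a self-hosted Renovate using a personal access token would show that token's user instead). It deliberately uses the plain `pull_request` trigger rather than `pull_request_target`: PRs from branches inside the same repository already receive repository secrets on `pull_request`, and only fork PRs and Dependabot-authored PRs are denied them, so Renovate branches get the credentials without ever running PR code in the privileged base-branch context. The scheduled workflow that runs Renovate itself is separate and not shown.

```yaml
# .github/workflows/e2e-renovate.yml (file name is an assumption for this example)
name: E2E (Renovate PRs)

on:
  pull_request:
    types: [opened, synchronize, reopened]

# Least privilege for the job token; the E2E tests only need to read the tree.
permissions:
  contents: read

jobs:
  e2e:
    # Gate on all three: the PR author, the repository the head branch lives in,
    # and the actor of the *current* event. A later push to the Renovate branch by
    # anyone else changes github.actor and the job is skipped, so the secrets are
    # only handed to commits that Renovate itself produced.
    if: >-
      github.event.pull_request.user.login == 'renovate[bot]' &&
      github.event.pull_request.head.repo.full_name == github.repository &&
      github.actor == 'renovate[bot]'
    runs-on: ubuntu-latest
    # Environment-scoped secrets; configure required reviewers on the environment
    # to keep a manual approval step until the setup is trusted.
    environment: e2e
    steps:
      - uses: actions/checkout@v4
        with:
          # Pin to the exact commit under test, not the moving branch ref.
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave the job token in .git/config for test code to read.
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Run E2E tests
        env:
          # Secret names are placeholders for whatever the project actually stores.
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}
        run: |
          npm ci
          npm run test:e2e
```

Branch protection should list this job as a required status check so a dependency bump cannot merge while the E2E job was skipped or failed, and the `if` condition above should be re-checked whenever the Renovate login changes (for example when moving from the hosted app to a self-hosted token).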
