Description
Currently dependency update configuration is handled at the repository level using Dependabot configuration. This means that:

- Dependency update tooling isn't enforced across all repositories in the sigstore organisation. Dependency update tools are recommended by OSSF scorecard[1].
- There's a lot of manual effort going on to update dependencies that Dependabot doesn't handle. For example, this commit updating versions in helm charts can be done by Renovate. Our own helm-charts[2] are maintained this way.
I'm suggesting an organization-level configuration[3] for Renovate, with repository-level configuration overrides where required. It can evolve and grow over time to better fit the needs of sigstore maintainers, but a simple example might look like:
`sigstore/.github/default.json`

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "description": "Default preset for use with sigstore's repositories",
  "extends": ["config:base"]
}
```
In this repository, with `renovate.json` files in each individual repository that refer back to the organization-level configuration like so:
`renovate.json` (in each repository)

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["github>sigstore/.github"]
}
```
I am happy to implement this, and narrow down a config that fits your existing workflow, if this would be a welcome contribution 😅
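As an added illustration (not part of the original issue, and not sigstore's or Renovate's own tooling), the script below is the kind of check a maintainer could run in CI once an organization preset exists: it parses each repository's `renovate.json`, rejects invalid JSON (the trailing-comma mistake is an easy one to ship, and Renovate will then silently fall back to defaults), confirms the file extends the organization preset, and shows how repository-level keys layer on top of the preset. The sample file contents are constructed for this example, and the merge function is a simplified model of Renovate's preset resolution (an assumption, not Renovate's documented algorithm): later values replace earlier ones, except `packageRules`, which are concatenated.

```python
"""Check per-repository renovate.json files against an organization preset.

Added example; the preset reference, file contents and merge rules below are
constructed assumptions modelled on the proposal, not sigstore's real config.
"""
import json

ORG_PRESET = "github>sigstore/.github"  # preset reference used in the issue

# Constructed sample: what sigstore/.github/default.json might contain, keyed
# by the reference a repository would use in "extends".
PRESETS = {
    ORG_PRESET: {
        "extends": ["config:base"],
        "labels": ["dependencies"],
        "packageRules": [
            {"matchManagers": ["helm-values"], "groupName": "helm charts"}
        ],
    }
}

# Constructed sample renovate.json bodies for three hypothetical repositories.
SAMPLE_REPO_CONFIGS = {
    "repo-ok": (
        '{\n  "$schema": "https://docs.renovatebot.com/renovate-schema.json",\n'
        '  "extends": ["github>sigstore/.github"],\n'
        '  "labels": ["deps", "go"],\n'
        '  "packageRules": [{"matchManagers": ["gomod"], "enabled": false}]\n}'
    ),
    # Trailing comma after the "extends" array: not valid JSON.
    "repo-trailing-comma": (
        '{\n  "$schema": "https://docs.renovatebot.com/renovate-schema.json",\n'
        '  "extends": ["github>sigstore/.github"],\n}'
    ),
    # Valid JSON, but bypasses the organization preset entirely.
    "repo-no-preset": '{\n  "extends": ["config:base"]\n}',
}


def check_repo_config(text: str, org_preset: str = ORG_PRESET) -> list[str]:
    """Return the problems found in one renovate.json body (empty list = OK)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(cfg, dict):
        return ["top-level value must be a JSON object"]
    extends = cfg.get("extends", [])
    if not isinstance(extends, list):
        return ['"extends" must be an array']
    if org_preset not in extends:
        return [f"does not extend organization preset {org_preset!r}"]
    return []


def check_all(configs: dict[str, str]) -> dict[str, list[str]]:
    """Run check_repo_config over every repository; map name -> problems."""
    return {name: check_repo_config(text) for name, text in configs.items()}


def _layer(base: dict, over: dict) -> dict:
    """Apply `over` on top of `base`; only packageRules accumulate (assumption)."""
    result = dict(base)
    for key, value in over.items():
        if key == "packageRules" and isinstance(result.get(key), list):
            result[key] = result[key] + list(value)
        else:
            result[key] = value
    return result


def effective_config(repo_cfg: dict, presets: dict = PRESETS) -> dict:
    """Resolve `extends` against the preset table, then layer the repo's own keys.

    References not in the table (Renovate built-ins such as "config:base") are
    left for Renovate itself to resolve and are simply skipped here.
    """
    merged: dict = {}
    for ref in repo_cfg.get("extends", []):
        if ref in presets:
            merged = _layer(merged, effective_config(presets[ref], presets))
    own = {k: v for k, v in repo_cfg.items() if k not in ("extends", "$schema")}
    return _layer(merged, own)


if __name__ == "__main__":
    for name, problems in check_all(SAMPLE_REPO_CONFIGS).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
    print(json.dumps(effective_config(json.loads(SAMPLE_REPO_CONFIGS["repo-ok"])), indent=2))
```

Running it flags `repo-trailing-comma` as invalid JSON and `repo-no-preset` as not extending the organization preset, while the resolved config for `repo-ok` keeps the preset's helm-chart grouping rule ahead of the repository's own Go rule and takes the repository's labels over the preset's.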