Renovate

Renovate is the standard dependency update tool across all Groupe-3D repositories. It handles both package updates (npm, bundler, pip, …) and language runtime updates (Node.js, Bun.js, Ruby, …), which Dependabot cannot do.

See 2026-03-19: Renovate over Dependabot for the full rationale.

Add a renovate.json at the root of the repository. It must extend the shared organisation config and define grouping rules for the project’s specific directories.

Template:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["github>Groupe-3D/Groupe-3D"],
  "packageRules": [
    {
      "description": "Group all minor and patch updates in astro/",
      "groupName": "astro minor and patch",
      "matchFileNames": ["astro/**"],
      "matchUpdateTypes": ["minor", "patch"]
    },
    {
      "description": "Group all minor and patch updates in next/",
      "groupName": "next minor and patch",
      "matchFileNames": ["next/**"],
      "matchUpdateTypes": ["minor", "patch"]
    },
    {
      "description": "Group all minor and patch updates in strapi/",
      "groupName": "strapi minor and patch",
      "matchFileNames": ["strapi/**"],
      "matchUpdateTypes": ["minor", "patch"]
    },
    {
      "description": "Group minor and patch updates for GitHub Actions",
      "groupName": "github-actions minor and patch",
      "matchManagers": ["github-actions"],
      "matchUpdateTypes": ["minor", "patch"]
    },
    {
      "description": "Group minor and patch updates for devcontainers",
      "groupName": "devcontainer minor and patch",
      "matchManagers": ["devcontainer"],
      "matchUpdateTypes": ["minor", "patch"]
    }
  ]
}

Adapt the matchFileNames entries to match the actual directory structure of the repository. Remove rules for directories that do not exist.

Grouping strategy:

  • Minor and patch updates are always grouped per area (one PR per group). This keeps noise low for routine updates.
  • Major updates are always individual PRs so they receive deliberate review. This is the default Renovate behaviour when no matchUpdateTypes rule covers major.
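A pre-merge check for the adaptation and grouping rules above, as an added example that is not part of the Groupe-3D documentation or of Renovate itself: it flags a missing shared preset, matchFileNames globs that match nothing in the repository, and groups that would include major updates. The function names, the constructed sample repository and the use of pathlib globbing in place of Renovate's own matcher are assumptions of this example.

```python
import json
import tempfile
from pathlib import Path

SHARED_PRESET = "github>Groupe-3D/Groupe-3D"  # preset named in the template above


def lint_renovate_config(repo_root):
    """Return findings for <repo_root>/renovate.json; an empty list means OK."""
    root = Path(repo_root)
    config = json.loads((root / "renovate.json").read_text(encoding="utf-8"))
    findings = []
    if SHARED_PRESET not in config.get("extends", []):
        findings.append(f"extends is missing {SHARED_PRESET}")
    for index, rule in enumerate(config.get("packageRules", [])):
        label = rule.get("groupName", f"packageRules[{index}]")
        if "groupName" in rule:
            # A group must be limited to minor/patch so majors stay individual PRs.
            types = set(rule.get("matchUpdateTypes", []))
            if not types or not types <= {"minor", "patch"}:
                findings.append(f"{label}: group is not limited to minor and patch")
        for pattern in rule.get("matchFileNames", []):
            # Assumption: simple directory globs ("astro/**"), which pathlib can evaluate.
            if next(root.glob(pattern), None) is None:
                findings.append(f"{label}: {pattern} matches nothing in the repository")
    return findings


def demo_findings():
    """Lint a constructed repository that has astro/ but no next/ directory."""
    config = {"extends": [SHARED_PRESET], "packageRules": [
        {"groupName": "astro minor and patch", "matchFileNames": ["astro/**"],
         "matchUpdateTypes": ["minor", "patch"]},
        {"groupName": "next minor and patch", "matchFileNames": ["next/**"],
         "matchUpdateTypes": ["minor", "patch"]},
        {"groupName": "github-actions all", "matchManagers": ["github-actions"],
         "matchUpdateTypes": ["major", "minor", "patch"]},
    ]}
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "astro").mkdir()
        (Path(tmp) / "astro" / "package.json").write_text("{}", encoding="utf-8")
        (Path(tmp) / "renovate.json").write_text(json.dumps(config), encoding="utf-8")
        return lint_renovate_config(tmp)


if __name__ == "__main__":
    print("\n".join(demo_findings()))
```

Run against a real checkout with `lint_renovate_config(".")` from the repository root; an empty list means the file follows the template's rules.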

2. Create .github/workflows/dependencies.yml

Add the following GitHub Actions workflow. It runs Renovate every Monday at 08:00 Paris time and can also be triggered manually.

name: Dependencies
on:
  schedule:
    # Run every Monday at 6:00 AM UTC (8:00 AM in Paris time)
    - cron: '0 6 * * 1'
  workflow_dispatch:
jobs:
  renovate:
    name: Renovate
    runs-on: ubuntu-24.04
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
      - name: Run Renovate
        uses: renovatebot/github-action@v46.1.5
        with:
          configurationFile: renovate.json
          token: ${{ secrets.RENOVATE_TOKEN }}
        env:
          RENOVATE_REPOSITORIES: ${{ github.repository }}

RENOVATE_TOKEN is a GitHub PAT (Personal Access Token) provisioned at the organisation level. It is automatically available to all repositories — no per-repository configuration is needed.

If the token needs to be regenerated, create a new fine-grained PAT with the following settings:

| Setting | Value |
| --- | --- |
| Expiration | No expiration |
| Resource owner | @Groupe-3D organisation |
| Repository access | All repositories |

Repository permissions required:

| Permission | Access |
| --- | --- |
| Metadata | Read |
| Code | Read and Write |
| Issues | Read and Write |
| Pull requests | Read and Write |
| Dependabot alerts | Read and Write |

Once generated, store the token as an organisation-level Actions secret named RENOVATE_TOKEN.