From aa3bd90bc4f3d10d83cbd06c3ca6a39647c9a903 Mon Sep 17 00:00:00 2001
From: Claude
Date: Fri, 22 May 2026 13:37:20 +0000
Subject: [PATCH] chore: migrate npm/github-actions/docker-compose from Renovate to Dependabot Move dependency updates that Dependabot supports natively into .github/dependabot.yml (npm, github-actions, docker-compose) and slim down Renovate to handle only what Dependabot cannot: mise, nvm, the biome custom manager, and quarterly lockFileMaintenance. Add a dependabot-auto-merge workflow that mirrors the previous Renovate auto-merge policy: enable auto-merge for devDependencies (npm), github-actions, and docker-compose non-major updates; production deps and major updates stay manual. Drop the self-hosted Renovate runner (renovate.yaml workflow) since the remaining scope is small enough for Mend Cloud's Renovate App to handle under its 3GB memory cap, especially with ignoreScripts already in place. https://claude.ai/code/session_01CYmb4Y4iPCpjXMwxXsyxSh
---
 .github/dependabot.yml | 69 +++++++++++++++++
 .github/renovate.json5 | 79 +++-----------------
 .github/workflows/dependabot-auto-merge.yaml | 38 ++++++++++
 .github/workflows/renovate.yaml | 54 -------------
 4 files changed, 116 insertions(+), 124 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/dependabot-auto-merge.yaml
 delete mode 100644 .github/workflows/renovate.yaml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..73bbb7a9c
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,69 @@
+version: 2
+updates:
+ - package-ecosystem: npm
+ directory: /
+ schedule:
+ interval: weekly
+ day: monday
+ time: "09:00"
+ timezone: Asia/Tokyo
+ open-pull-requests-limit: 5
+ labels:
+ - dependencies
+ versioning-strategy: increase
+ commit-message:
+ prefix: chore
+ include: scope
+ cooldown:
+ default-days: 2
+ groups:
+ production-non-major:
+ dependency-type: production
+ update-types:
+ - patch
+ - minor
+ development-non-major:
+ dependency-type: development
+ update-types:
+ - patch
+ - minor
+
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ day: monday
+ time: "09:00"
+ timezone: Asia/Tokyo
+ open-pull-requests-limit: 5
+ labels:
+ - dependencies
+ commit-message:
+ prefix: chore
+ cooldown:
+ default-days: 2
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+
+ - package-ecosystem: docker-compose
+ directory: /
+ schedule:
+ interval: weekly
+ day: monday
+ time: "09:00"
+ timezone: Asia/Tokyo
+ open-pull-requests-limit: 5
+ labels:
+ - dependencies
+ commit-message:
+ prefix: chore
+ cooldown:
+ default-days: 2
+ ignore:
+ - dependency-name: s0hirano/embedding-api
+ groups:
+ docker-compose:
+ patterns:
+ - "*"
diff --git a/.github/renovate.json5 b/.github/renovate.json5
index bb5a0a548..b7f46d3c5 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
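Review bot: In .github/dependabot.yml the `github-actions` and `docker-compose` groups match `"*"` with no `update-types`, so a major bump is batched into the same pull request as patch and minor ones. The auto-merge workflow added in this commit skips anything reported as semver-major, so (assuming the metadata action reports the highest change in a grouped PR) one major bump would hold back the whole batch, and the major change gets reviewed buried among routine ones. Adding `update-types:` with `- minor` and `- patch` to both groups, as the npm groups already do, keeps majors in their own pull requests. A one-line comment above `cooldown:` saying that the 2-day delay is a quarantine window for freshly published releases would also help the next maintainer.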
@@ -14,20 +14,22 @@
 reviewers: [
 's-hirano-ist',
 ],
+ // Dependabot がサポートしない範囲のみ Renovate で扱う:
+ // - mise / nvm: ツールバージョン管理
+ // - biome customManager: extends の customManagers:biomeVersions が拾う
+ // - lockFileMaintenance: 四半期に pnpm-lock 全リフレッシュ
+ // npm / github-actions / docker-compose は .github/dependabot.yml に移行済み。
 enabledManagers: [
- 'npm',
- 'github-actions',
- 'docker-compose',
 'mise',
 'nvm',
 ],
- // Mend Cloud で pnpm install の lifecycle scripts (sharp / @prisma/engines /
- // @sentry/cli / esbuild) がメモリを使い切り OOM kill される問題への対処。
+ // Mend Cloud / self-host いずれでも pnpm install の lifecycle scripts (sharp /
+ // @prisma/engines / @sentry/cli / esbuild) によるメモリ消費を抑える保険。
 // CI (--frozen-lockfile) と本番 deploy 側の install では通常通りバイナリを取得する。
 ignoreScripts: true,
 dependencyDashboard: true,
- branchConcurrentLimit: 3,
- prConcurrentLimit: 5,
+ branchConcurrentLimit: 2,
+ prConcurrentLimit: 2,
 separateMultipleMajor: false,
 schedule: [
 'before 11am on monday',
@@ -49,52 +51,6 @@
 ],
 },
 packageRules: [
- {
- matchManagers: [
- 'npm',
- ],
- matchUpdateTypes: [
- 'patch',
- 'minor',
- ],
- matchPackageNames: [
- '*',
- ],
- matchDepTypes: [
- 'dependencies',
- 'peerDependencies',
- ],
- groupName: 'non-major',
- minimumReleaseAge: '2 days',
- },
- {
- matchManagers: [
- 'npm',
- ],
- matchUpdateTypes: [
- 'patch',
- 'minor',
- ],
- matchPackageNames: [
- '*',
- ],
- matchDepTypes: [
- 'devDependencies',
- ],
- groupName: 'non-major (devDependencies)',
- groupSlug: 'non-major-dev',
- minimumReleaseAge: '2 days',
- automerge: true,
- },
- {
- matchManagers: [
- 'github-actions',
- ],
- groupName: 'GitHub Actions',
- groupSlug: 'github-actions',
- minimumReleaseAge: '2 days',
- automerge: true,
- },
 {
 matchManagers: [
 'mise',
@@ -111,7 +67,6 @@
 ],
 matchManagers: [
 'mise',
- 'npm',
 'nvm',
 ],
 groupName: 'node and pnpm',
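Review bot: In the first hunk of .github/renovate.json5, `enabledManagers` now lists only `'mise'` and `'nvm'`, which does not match the comment added just above it. Renovate enables a custom manager only when it is named in this list with the `custom.` prefix, so the biome preset's regex manager needs `'custom.regex',` here; without it biome version updates are probably skipped silently. Lock-file maintenance for pnpm-lock appears to be carried out by the `npm` manager, so with `'npm'` removed the quarterly refresh likely never runs either; a dry run and the dependency dashboard should confirm both before the old setup is relied on as retired. The config object starts and ends outside this hunk, and the other two hunks on this line only delete rules.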
@@ -119,21 +74,5 @@
 minimumReleaseAge: '2 days',
 automerge: false,
 },
- {
- matchManagers: [
- 'docker-compose',
- ],
- minimumReleaseAge: '2 days',
- automerge: true,
- },
- {
- matchManagers: [
- 'docker-compose',
- ],
- matchPackageNames: [
- 's0hirano/embedding-api',
- ],
- enabled: false,
- },
 ],
 }
diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
new file mode 100644
index 000000000..1a6d3519b
--- /dev/null
+++ b/.github/workflows/dependabot-auto-merge.yaml
@@ -0,0 +1,38 @@
+name: dependabot-auto-merge
+
+on:
+ pull_request:
+ types: [opened, reopened, synchronize, ready_for_review]
+
+permissions: {}
+
+jobs:
+ auto-merge:
+ if: github.actor == 'dependabot[bot]'
+ runs-on: ubuntu-24.04
+ timeout-minutes: 5
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - name: Fetch Dependabot metadata
+ id: meta
+ uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
+
+ - name: Enable auto-merge for low-risk updates
+ # Renovate 旧設定相当:
+ # - devDependencies (npm) の patch/minor: automerge
+ # - github-actions の patch/minor: automerge
+ # - docker-compose の patch/minor: automerge
+ # production deps と major は手動レビュー (auto-merge しない)。
+ if: |
+ steps.meta.outputs.update-type != 'version-update:semver-major' && (
+ (steps.meta.outputs.package-ecosystem == 'npm' &&
+ steps.meta.outputs.dependency-type == 'direct:development') ||
+ steps.meta.outputs.package-ecosystem == 'github_actions' ||
+ steps.meta.outputs.package-ecosystem == 'docker_compose'
+ )
+ run: gh pr merge --auto --squash "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml
deleted file mode 100644
index 90ee272e0..000000000
--- a/.github/workflows/renovate.yaml
+++ /dev/null
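Review bot: In .github/workflows/dependabot-auto-merge.yaml the job gate `if: github.actor == 'dependabot[bot]'` keys on who triggered the run rather than on who authored the pull request, while the job holds `contents: write` and `pull-requests: write`. GitHub's own auto-merge example gates on the author, `if: github.event.pull_request.user.login == 'dependabot[bot]'`, which pins the job to pull requests Dependabot actually opened. The step condition also fails open: `steps.meta.outputs.update-type != 'version-update:semver-major'` is true whenever the metadata action leaves `update-type` empty, which may happen for tags that are not semver (plausible for some docker-compose images), so an unclassified update would be queued for merge. An allow-list is safer, `(steps.meta.outputs.update-type == 'version-update:semver-patch' || steps.meta.outputs.update-type == 'version-update:semver-minor')`. Since `gh pr merge --auto` only waits for required checks, it is worth confirming that branch protection on the target branch actually requires the CI jobs.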
@@ -1,54 +0,0 @@
-name: renovate
-
-permissions: {}
-
-on:
- schedule:
- # 00:00 UTC Mon = 09:00 JST Mon。renovate.json5 内の
- # `before 11am on monday` 設定で PR 生成ウィンドウは Renovate 側でゲートされる。
- - cron: "0 0 * * 1"
- workflow_dispatch:
- inputs:
- logLevel:
- description: ログレベル
- type: choice
- default: info
- options: [info, debug]
- dryRun:
- description: dry-run (書き込みなしでログ出力のみ)
- type: boolean
- default: false
- # NOTE: `issues: edited` トリガーは外している。Renovate 自身が
- # Dependency Dashboard issue の body を毎回更新するため、トリガーを残すと
- # 「Renovate run が dashboard を更新 → issues:edited が発火 → 別の run が起動」
- # の自走ループになり大量の `repository-changed` abort を生む。
- # PAT 所有者と人間ユーザが同一なので sender フィルタも効かない。
- # Dashboard checkbox を toggle しても次の scheduled / workflow_dispatch run で
- # 読み取られるので機能は失われない (即時反応しなくなるだけ)。
-
-jobs:
- renovate:
- runs-on: ubuntu-24.04
- timeout-minutes: 60
- concurrency:
- group: renovate
- cancel-in-progress: false
- steps:
- - name: Self-hosted Renovate
- uses: renovatebot/github-action@79dc0ba74dc3de28db0a7aeb1d0b95d5bf5fde2a # v46.1.13
- with:
- token: ${{ secrets.RENOVATE_TOKEN }}
- env:
- # Mend Cloud は 3GB cap で OOM kill されていたため self-host へ移行。
- # ubuntu-24.04 runner は ~7GB メモリを持つので Node ヒープに 6GB 割り当てる。
- NODE_OPTIONS: --max-old-space-size=6144
- LOG_LEVEL: ${{ inputs.logLevel || 'info' }}
- RENOVATE_DRY_RUN: ${{ inputs.dryRun && 'full' || '' }}
- RENOVATE_REPOSITORIES: ${{ github.repository }}
- RENOVATE_PLATFORM: github
- # PAT 所有者 (s-hirano-ist) を commit author に固定。
- # 既定値の renovate@whitesourcesoftware.com は Mend 所有アドレスのため警告が出る。
- RENOVATE_GIT_AUTHOR: "s-hirano-ist "
- # schedule trigger 以外 (workflow_dispatch / issues / pull_request) は
- # ユーザの能動的なアクションなので renovate.json5 の schedule を無視して即時実行する。
- RENOVATE_FORCE: ${{ github.event_name != 'schedule' && '{"schedule":[]}' || '' }}