splunk-platform-apps · edro15 · Mar 13, 2026 · Mar 13, 2026 · Mar 13, 2026 · Mar 17, 2026
@@ -139,6 +139,13 @@ Do not forget to provide the name of the repository the request is referring to.
 
 :point_right: It is at the discretion of the organization administrators to decide if a repository shall be archived in case of inactivity greater than 1 year, during which time there are active Issues or Pull Requests to address.
 
+## Dependency Updates
+This organization uses [Renovate](https://docs.renovatebot.com/) for automated dependency updates. PRs from Renovate are created automatically.
+
+- Review and approve Renovate PRs to trigger auto-merge whenever applicable
+- Review, evaluate and manually merge Renovate PRs whenever auto-merge is disabled
+- For more details, incl. organization-wide standards, see the [CONVENTIONS.md](https://github.com/splunk-platform-apps/.github/blob/main/CONVENTIONS.md#renovate-automated-dependency-updates) file
+
 ## Legal Notice
 By submitting a Contribution to this Work, You agree that Your Contribution is made subject to the primary license in the Apache 2.0 license (found [here](https://www.apache.org/licenses/LICENSE-2.0.txt)). In addition, You represent that: (i) You are the copyright owner of the Contribution or (ii) You have the requisite rights to make the Contribution.
 

@@ -30,3 +30,28 @@ It's recommended to follow this convention when contributing to the repositories
 Apps should follow the [Splunkbase naming guidelines](https://dev.splunk.com/enterprise/docs/releaseapps/splunkbase/namingguidelines/). Further details for Splunk naming conventions can be found [here](https://lantern.splunk.com/Splunk_Success_Framework/Data_Management/Naming_conventions).
 
 An example repository which meets these conventions can be found in the [splunkcommunity\_ta](https://github.com/splunk-platform-apps/splunkcommunity_ta_ucc)
+
+## Renovate (Automated Dependency Updates)
+Renovate is configured to automatically manage dependency updates across all repositories in this organization.
+
+### How It Works
+- Renovate runs on a schedule via GitHub Actions
+- It scans all repositories for outdated dependencies
+- PRs are automatically created with updates
+
+### Supported Managers
+- GitHub Actions
+- Splunk Docker images
+- npm (`package.json`)
+- Pre-commit hooks (`.pre-commit-config.yaml`)
+
+### Configuration
+- **Global config**: `.github/renovate-config.js` (applies to all repos)
+- **Repo-level overrides**: `.github/renovate.json` (added in each repo in need for specific settings)
+
+:point_right: More about [configuration options](https://docs.renovatebot.com/configuration-options/)
+
+### Automerge
+- PRs with `automerge: true` will auto-merge via GitHub's platform automerge
+- Branch protection rules and reviewer approval are still required
+- Reviewers are assigned even on automerge PRs (`assignAutomerge: true`)
@@ -0,0 +1,166 @@
+module.exports = {
+    platform: 'github',
+    // Author must match the one opening PRs -> Use github app name
+    username: 'renovate4splunk-platform-apps[bot]',
+    gitAuthor: 'renovate4splunk-platform-apps <renovate4splunk-platform-apps[bot]@users.noreply.github.com>',
+
+    // Organization setup
+    autodiscover: true,
+    autodiscoverFilter: [
+        'splunk-platform-apps/*',
+        '!splunk-platform-apps/splunkcommunity-vale'
+    ],
+
+    // Require some config
+    // -> repos without a config will be skipped after onboarding PR
+    requireConfig: 'optional',
+
+    // pre-commit functionality is in beta testing
+    // -> opt-in to test it
+    "pre-commit": {
+        "enabled": true
+    },
+
+    // Managers
+    enabledManagers: [
+        'github-actions',
+        // 'docker',
+        'npm',
+        "pre-commit",
+        'regex'
+    ],
+
+    // Global settings
+    dependencyDashboard: false,
+    dependencyDashboardTitle: '🔄 Dependency Updates Dashboard',
+
+    // Commit messages
+    semanticCommits: 'enabled',
+    commitMessagePrefix: 'chore(deps):',
+
+    // PR settings
+    prConcurrentLimit: 10,
+    prHourlyLimit: 0, // No limit
+    branchConcurrentLimit: 20,
+
+    // To reduce PR rebases
+    rebaseWhen: 'behind-base-branch',
+
+    // Branch cleanup and recreation settings
+    branchPrefix: 'renovate/',
+
+    // Labels
+    labels: ['dependency-update', 'renovate', 'automerge-enabled' ],
+
+    // Assignees/Reviewers
+    reviewersFromCodeOwners: true,
+
+    // Allow the following setting only for testing purposes
+    // recreateClosed: true,
+
+    regexManagers: [
+        {
+            description: 'Detect Docker images in GitHub Actions matrix with renovate comments',
+            managerFilePatterns: [
+                '/^\\.github/workflows/.+\\.ya?ml$/'
+            ],
+            matchStrings: [
+                "-\\s+\"(?<currentValue>[^\"]+)\"\\s+#\\s+renovate:\\s+datasource=(?<datasource>\\S+)\\s+depName=(?<depName>\\S+)"
+            ],
+            // depNameTemplate: '{{depName}}',
+            versioningTemplate: 'docker'
+        }
+    ],
+
+    // Package rules
+    // !! Evaluated **in order**: later rules override earlier ones for overlapping matches !!
+    packageRules: [
+        {
+            description: "Auto-update 9.3.x patches only",
+            matchDatasources: [ "docker" ],
+            matchPackageNames: [ "splunk/splunk" ],
+            matchCurrentVersion: "/^9\\.3\\./",
+            allowedVersions: "9.3.x",
+            automerge: true,
+            automergeType: "pr",
+            platformAutomerge: true,
+            minimumReleaseAge: "3 days",  // Wait for stability
+            groupName: "Splunk 9.3.x Patches"
+        },
+        {
+            description: "Auto-update 9.4.x patches only",
+            matchDatasources: [ "docker" ],
+            matchPackageNames: [ "splunk/splunk" ],
+            matchCurrentVersion: "/^9\\.4\\./",
+            matchUpdateTypes: [ "patch" ],
+            automerge: true,
+            automergeType: "pr",
+            platformAutomerge: true,
+            minimumReleaseAge: "3 days",
+            groupName: "Splunk 9.4.x Patches"
+        },
+        {
+            description: "Notify 9.4.x minor/major updates availability",
+            matchDatasources: [ "docker" ],
+            matchPackageNames: [ "splunk/splunk" ],
+            matchCurrentVersion: "/^9\\.4\\./",
+            matchUpdateTypes: [ "minor", "major" ],
+            minimumReleaseAge: "3 days",
+            labels: [ 'dependency-update', 'renovate', 'needs-review' ],
+            groupName: "Splunk 9.4.x Major/Minor Available"
+        },
+        // GitHub Actions specific
+        {
+            description: "Update all public GitHub Actions",
+            matchManagers: ["github-actions"],
+            groupName: "Public GitHub actions",
+            // Ensures to get PRs for major updates (v4 -> v5)
+            separateMajorMinor: true,
+            excludePackagePatterns: ["^splunk-platform-apps/"],
+            labels: ['dependency-update', 'renovate', 'needs-review'],
+            minimumReleaseAge: "3 days"
+        },
+        {
+            description: "Update internal reusable workflows",
+            matchManagers: ["github-actions"],
+            matchPackagePatterns: ["^splunk-platform-apps/"],
+            groupName: "Internal Reusable Workflows",
+            versioning: "docker",
+            automerge: true,
+            automergeType: "pr",
+            platformAutomerge: true,
+            minimumReleaseAge: "3 days"
+        },
+        // All npm dependencies (from package.json)
+        {
+            matchManagers: ["npm"],
+            description: "Update all npm dependencies",
+            groupName: "all npm dependencies",
+            matchUpdateTypes: ["minor", "major"],
+            automerge: true,
+            automergeType: "pr",
+            platformAutomerge: true,
+            minimumReleaseAge: "3 days"
+        },
+        // Docusaurus specific
+        {
+            extends: [ "monorepo:docusaurus" ],
+            description: "Update docusaurus and its dependencies",
+            groupName: "docusaurus monorepo",
+            matchUpdateTypes: [ "minor", "major" ],
+            automerge: true,
+            automergeType: "pr",
+            platformAutomerge: true,
+            minimumReleaseAge: "3 days"
+        },
+        // pre-commit hooks updates
+        {
+            matchManagers: ["pre-commit"],
+            groupName: "Update pre-commit hooks",
+            automerge: true,
+            automergeType: "pr",
+            platformAutomerge: true,
+            minimumReleaseAge: "3 days"
+        }
+    ]
+};
@@ -0,0 +1,8 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": [ "config:recommended" ],
+    "description": "Override org config for .github repo",
+    "reviewersFromCodeOwners": false,
+    "assignAutomerge": true,
+    "reviewers": [ "team:admins" ]
+}
@@ -0,0 +1,35 @@
+name: Renovate
+
+on:
+  schedule:
+    - cron: "0 0 1 * *"   # At 00:00 on day-of-month 1
+  # Allow manual execution
+  workflow_dispatch:
+
+concurrency: renovate
+permissions:
+  contents: read
+
+jobs:
+  renovate:
+    name: Renovate
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Get token
+        id: get_token
+        uses: actions/create-github-app-token@v2
+        with:
+          private-key: ${{ secrets.RENOVATE_PRIVATE_KEY }}
+          app-id: ${{ secrets.RENOVATE_APP_ID }}
+          owner: "splunk-platform-apps"
+          # The owner of the GitHub App installation
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@v46.1.4
+        env:
+          LOG_LEVEL: debug
+          # Onboarding not needed for self-hosted usage
+          RENOVATE_ONBOARDING: "false"
+        with:
+          configurationFile: .github/renovate-config.js
+          token: '${{ steps.get_token.outputs.token }}'
@@ -3,6 +3,9 @@ name: Quality Assessment
 on:
   workflow_call
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Bundle the App