
feat(renovate): enable automerge for low-risk PRs#2546

Open
rh-hemartin wants to merge 1 commit into main from feat/2506-renovate-automerge

Conversation

rh-hemartin (Member) commented Jun 23, 2026
Summary

  • Scope automerge to patch and pin update types via packageRules
  • automergeType: pr and platformAutomerge: true configure merge behavior
  • Repo-level allow_auto_merge already enabled via API
  • renovate-fullsend app added as bypass actor on main ruleset via API

Low-risk dependency updates (patch bumps and pin updates) will merge automatically after CI passes. Major/minor updates still require human review.

Closes #2506

Test plan

  • Verify a patch update PR gets automerge enabled
  • Verify a minor/major update PR does NOT get automerge

🤖 Generated with Claude Code
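The test plan above says what to verify but not how. The following Python script is an added example for this page (not code from the PR, the repository or Renovate itself): it approximates how Renovate resolves automerge for a single update, with the top-level automerge value as the default and each matching packageRules entry overriding it in order, so the unscoped and scoped revisions of renovate.json can be compared offline. The three configs are reconstructed from the lines quoted in the reviews; the custom.regex manager name and the example dependency are assumptions, and only matchUpdateTypes, matchManagers and matchPackageNames are modelled.

```python
import json

# Constructed for this example: the unscoped config from the first revision of
# the PR, reduced to the keys that matter for automerge (the review comments
# quote exactly these three lines).
UNSCOPED = json.loads("""
{
  "extends": ["config:recommended"],
  "automerge": true,
  "automergeType": "pr",
  "platformAutomerge": true
}
""")

# Constructed: automerge moved into packageRules and limited to patch and pin,
# as the PR summary and the review remediation describe.
SCOPED = json.loads("""
{
  "extends": ["config:recommended"],
  "automergeType": "pr",
  "platformAutomerge": true,
  "packageRules": [
    {"matchUpdateTypes": ["patch", "pin"], "automerge": true}
  ]
}
""")

# Constructed: same, plus a later rule that switches automerge back off for
# updates from the custom regex manager. "custom.regex" as the manager name
# is an assumption about the Renovate version in use.
SCOPED_NO_REGEX = json.loads("""
{
  "extends": ["config:recommended"],
  "automergeType": "pr",
  "platformAutomerge": true,
  "packageRules": [
    {"matchUpdateTypes": ["patch", "pin"], "automerge": true},
    {"matchManagers": ["custom.regex"], "automerge": false}
  ]
}
""")

UPDATE_TYPES = ("major", "minor", "patch", "pin", "digest")


def rule_matches(rule, update):
    """Approximation of packageRules matching: every match* key present on the
    rule must accept the update. Only the three matchers used here are modelled;
    config:recommended itself sets no automerge, so presets are ignored."""
    if "matchUpdateTypes" in rule and update["updateType"] not in rule["matchUpdateTypes"]:
        return False
    if "matchManagers" in rule and update.get("manager") not in rule["matchManagers"]:
        return False
    if "matchPackageNames" in rule and update.get("depName") not in rule["matchPackageNames"]:
        return False
    return True


def resolve_automerge(config, update):
    """True if this update would be automerged under `config`: the top-level
    value is the default, and each matching packageRules entry overrides it in
    order, so later rules win."""
    automerge = bool(config.get("automerge", False))
    for rule in config.get("packageRules", []):
        if rule_matches(rule, update) and "automerge" in rule:
            automerge = bool(rule["automerge"])
    return automerge


def automerged_types(config, manager="gomod", dep_name="example.com/lib"):
    """The update types of one (hypothetical) dependency that would automerge."""
    return [t for t in UPDATE_TYPES
            if resolve_automerge(config, {"updateType": t, "manager": manager, "depName": dep_name})]


if __name__ == "__main__":
    for name, cfg in (("unscoped", UNSCOPED), ("scoped", SCOPED), ("scoped-no-regex", SCOPED_NO_REGEX)):
        print(f"{name:16s} gomod:        {automerged_types(cfg)}")
        print(f"{name:16s} custom.regex: {automerged_types(cfg, manager='custom.regex')}")
```

Running it shows the unscoped config automerging every update type while the scoped one automerges patch and pin only. The third config shows why rule order matters: a later packageRules entry can switch automerge back off for the custom regex manager that the Qodo finding calls out, because later matching rules win.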

@qodo-code-review


PR Summary by Qodo

Enable Renovate automerge for low-risk dependency PRs
✨ Enhancement ⚙️ Configuration changes 🕐 10-20 Minutes


Description

• Enable Renovate automerge so eligible dependency PRs merge after CI passes.
• Configure PR-based automerge using Renovate + platform automerge support.
• Reduce manual maintenance for patch bumps and pin updates.
Diagram

graph TD
  A[/"Renovate App"/] --> B["renovate.json"] --> C["Dependency PR"] --> D(["CI checks"]) --> E{"CI passed?"} --> F["Platform automerge"] --> G[("main branch")]
  H["Repo settings (API)"] --> F
  subgraph Legend
    direction LR
    _ext[/"External"/] ~~~ _cfg["Config"] ~~~ _ci(["CI"]) ~~~ _dec{"Decision"} ~~~ _db[("Branch")]
  end
High-Level Assessment

The following are alternative approaches to this PR:

1. Scope automerge via Renovate packageRules
  • ➕ Keeps automerge limited to patch/pin (and optionally devDependencies) as stated in the PR description
  • ➕ Reduces risk of unintended minor/major updates merging automatically
  • ➖ Slightly more verbose config
  • ➖ Requires agreeing on the exact allowed updateTypes/datasources and exceptions
2. Use branch automerge (automergeType: branch) + PR checks
  • ➕ Can reduce PR noise by updating/merging branches directly in some workflows
  • ➕ May be simpler for repos that prefer fewer PR merges
  • ➖ Less transparent than PR-based merges in many teams
  • ➖ May not match existing review/audit expectations
3. Require an additional “automerge-safe” label/status gate
  • ➕ Adds a human/automation-controlled safety valve for unexpected update classes
  • ➕ Works well when CI alone is not a sufficient quality signal
  • ➖ Adds operational overhead to label or set the extra gate
  • ➖ Can reduce the time-saving benefit of automerge

Recommendation: If the intent is strictly “patch bumps and pin updates” only, prefer adding Renovate packageRules to explicitly constrain automerge to those update types (and exclude minor/major) to avoid accidental widening of automerge scope. If broader automerge is acceptable, the current approach is appropriately minimal and leverages GitHub platform automerge + CI as the merge gate.

Files changed (1) +3 / -0

renovate.json: Enable Renovate PR automerge via platform automerge settings (+3/-0)

• Adds Renovate automerge configuration ('automerge', 'automergeType: pr', and 'platformAutomerge'). This allows Renovate-created dependency PRs to merge automatically once required checks pass (assuming repo/ruleset settings permit automerge).

github-actions Bot commented Jun 23, 2026

Site preview

Preview: https://0721cbaa-site.fullsend-ai.workers.dev

Commit: ec62ff0b62d35d903d2c9e022decfe0fc62b61b3

@rh-hemartin rh-hemartin requested a review from ralphbean June 23, 2026 09:32
@rh-hemartin rh-hemartin self-assigned this Jun 23, 2026
@qodo-code-review


Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (1) 📜 Skill insights (0)

Context used
✅ Compliance rules (platform): 51 rules



Action required

1. automerge unscoped in renovate.json 📎 Requirement gap ⛨ Security
Description
renovate.json enables automerge globally, which means any Renovate PR that meets merge
conditions—including higher-risk minor/major updates and updates produced by the custom regex
manager (e.g., OpenShell version pins)—can be auto-merged rather than limiting auto-merge to patch
bumps and pin updates. This violates the requirement to configure conservative, low-risk-only
auto-merge behavior.
Code

renovate.json[R4-6]

+  "automerge": true,
+  "automergeType": "pr",
+  "platformAutomerge": true,
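Review bot: automerge: true at the top level (R4) applies to every update type Renovate produces, not just patch and pin, because config:recommended sets no automerge of its own; to keep the stated scope, remove the top-level key and set automerge: true inside a packageRules entry with matchUpdateTypes: ["patch", "pin"], leaving automergeType: pr (R5) and platformAutomerge: true (R6) at the top level, where they only take effect once automerge is on for a given update. Since platformAutomerge hands the merge to GitHub auto-merge, the only remaining gate is the ruleset's required status checks, which should be confirmed to run on dependency-only changes.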
Relevance

⭐⭐ Medium

No prior reviews on Renovate automerge scoping; renovate.json previously had no
automerge/packageRules. Only recent Renovate setup PRs.

PR-#2315
PR-#2480

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
PR Compliance ID 1062109 requires Renovate auto-merge to be limited to low-risk patch/pin updates,
but the current Renovate configuration enables automerge at the top level without any packageRules
or update-type scoping to enforce that constraint. Because there is no rule-based restriction,
automerge is not demonstrably limited to patch/pin updates and can apply broadly, despite repository
documentation describing automerging as intended for “known-safe” / “patch version” dependency
bumps.

renovate.json enables conservative auto-merge for low-risk updates (patch bumps and pin updates)
renovate.json[4-6]
renovate.json[1-8]
renovate.json[12-25]
docs/glossary.md[57-60]
docs/problems/intent-representation.md[34-37]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`automerge` is enabled globally in `renovate.json` (`automerge: true`) without any `packageRules` or update-type scoping, so Renovate can auto-merge updates beyond the intended low-risk set (patch bumps and pin updates), including potentially higher-risk minor/major upgrades and updates produced by the custom regex manager.

## Issue Context
PR Compliance ID 1062109 requires Renovate auto-merge to be configured conservatively (patch/pin-only) after CI passes. Repo documentation also characterizes automerging as appropriate for “known-safe dependency bumps” / “patch version” bumps, but the current Renovate config does not encode or enforce that limitation.

## Fix Focus Areas
- renovate.json[1-27]
- docs/glossary.md[57-60]
- docs/problems/intent-representation.md[34-37]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Comment thread renovate.json Outdated
Comment on lines +4 to +6
"automerge": true,
"automergeType": "pr",
"platformAutomerge": true,


Action required

1. automerge unscoped in renovate.json 📎 Requirement gap ⛨ Security

renovate.json enables automerge globally, which means any Renovate PR that meets merge
conditions—including higher-risk minor/major updates and updates produced by the custom regex
manager (e.g., OpenShell version pins)—can be auto-merged rather than limiting auto-merge to patch
bumps and pin updates. This violates the requirement to configure conservative, low-risk-only
auto-merge behavior.

fullsend-ai-review Bot commented Jun 23, 2026

🤖 Finished Review · ✅ Success · Started 9:33 AM UTC · Completed 9:44 AM UTC
Commit: c0dd35b · View workflow run →

codecov Bot commented Jun 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

fullsend-ai-review Bot commented Jun 23, 2026

Review

Findings

Low

  • [authorization] renovate.json:8 — Automerge is enabled for patch and pin update types. Combined with the Renovate app being a bypass actor on the main branch ruleset (configured outside this diff), these PRs will merge without human review after CI passes. This is scoped to the lowest-risk update types, which is appropriate, but relies on required status checks being correctly configured for dependency-only PRs to provide the CI gate.

  • [authorization] renovate.json:5 — platformAutomerge: true delegates merge execution to GitHub's native auto-merge. If any required CI status checks are path-filtered and do not trigger on dependency-only file changes (e.g., go.mod, go.sum, package.json), the PR could merge with no effective CI validation. Verify that required status checks fire on all file paths that Renovate PRs touch.

Previous run

Review

Findings

High

  • [logic-error] renovate.json:4 — Top-level automerge: true applies to ALL update types (major, minor, patch, pin, digest), but the issue (Enable auto-merge for Renovate PRs #2506) and PR title both specify scoping to "low-risk PRs" / "patch bumps and pin updates" only. The config:recommended preset does NOT restrict automerge scope — it does not set automerge at all. As written, a major version bump that passes CI will be automerged without human review.
    Remediation: Remove the top-level automerge: true and instead scope it via packageRules:

    "packageRules": [
      {
        "matchUpdateTypes": ["patch", "pin"],
        "automerge": true
      }
    ]

    automergeType and platformAutomerge can remain at the top level since they only take effect when automerge is true for a given update.

  • [authorization] renovate.json:4 — Top-level automerge: true combined with the Renovate app being a bypass actor on the main branch ruleset means major and minor dependency upgrades can land on main with no human approval. See also: [logic-error] finding at this location.
    Remediation: Scope automerge to low-risk update types only by moving the automerge setting into packageRules:

    "packageRules": [
      {
        "matchUpdateTypes": ["patch", "pin", "digest"],
        "automerge": true,
        "automergeType": "pr",
        "platformAutomerge": true
      }
    ]

Low

  • [authorization] renovate.json:6 — platformAutomerge: true delegates merge execution to GitHub's native auto-merge feature. If CI workflows are path-filtered or misconfigured for dependency-only changes, the PR could merge with no effective review. Risk is reduced if the high finding above is addressed (scoping to patch/pin only).

  • [issue-linkage] renovate.json — The PR claims prerequisite infrastructure changes (repo-level allow_auto_merge, Renovate bypass actor) were completed via API. Verify these are in place before merging, as they are not visible in git history.

  • [json-formatting] renovate.json:4 — Minor: the three new automerge fields are inserted before prHourlyLimit rather than grouped with other behavior configuration. No action required if intentional.


Labels: PR modifies renovate.json dependency management configuration to enable automerge.
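The issue-linkage finding in the previous run asks to verify the repo-level allow_auto_merge flag and the ruleset bypass actor, neither of which is visible in git. The following Python script is an added example for this page (not part of the PR or of the repository's tooling): it evaluates those prerequisites over responses shaped like GET /repos/{owner}/{repo} and GET /repos/{owner}/{repo}/rulesets/{ruleset_id}. The responses here are constructed samples, the App ID is an assumption, and a live check would fetch them with a token that can read repository administration settings.

```python
import json

# Assumption: the numeric App ID GitHub assigned to the "renovate-fullsend"
# GitHub App. A bypass actor of type "Integration" is keyed by that ID.
RENOVATE_APP_ID = 424242

# Constructed sample of GET /repos/{owner}/{repo} (only the fields checked here).
REPO = json.loads('{"full_name": "example/repo", "default_branch": "main", "allow_auto_merge": true}')

# Constructed sample of GET /repos/{owner}/{repo}/rulesets/{ruleset_id}:
# the main branch ruleset after the API changes the PR summary describes.
RULESET_OK = json.loads("""
{
  "name": "main", "target": "branch", "enforcement": "active",
  "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []}},
  "bypass_actors": [
    {"actor_id": 424242, "actor_type": "Integration", "bypass_mode": "pull_request"}
  ],
  "rules": [
    {"type": "deletion"},
    {"type": "pull_request", "parameters": {"required_approving_review_count": 1}},
    {"type": "required_status_checks", "parameters": {
        "strict_required_status_checks_policy": true,
        "required_status_checks": [{"context": "ci / test"}, {"context": "ci / lint"}]}}
  ]
}
""")

# Constructed weak variant: the app may bypass the rules on direct pushes too,
# and no status check is required, so auto-merge has no CI gate at all.
RULESET_WEAK = json.loads("""
{
  "name": "main", "target": "branch", "enforcement": "active",
  "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []}},
  "bypass_actors": [
    {"actor_id": 424242, "actor_type": "Integration", "bypass_mode": "always"}
  ],
  "rules": [
    {"type": "pull_request", "parameters": {"required_approving_review_count": 1}}
  ]
}
""")


def required_contexts(ruleset):
    """Status-check contexts the ruleset requires before a merge."""
    return [c["context"]
            for r in ruleset.get("rules", []) if r.get("type") == "required_status_checks"
            for c in r.get("parameters", {}).get("required_status_checks", [])]


def audit_automerge_prereqs(repo, ruleset, app_id):
    """Return a list of findings; an empty list means the prerequisites for
    review-free automerge of Renovate PRs are in place and gated by CI."""
    findings = []
    if not repo.get("allow_auto_merge"):
        findings.append("repo: allow_auto_merge is off, so platformAutomerge cannot arm auto-merge")
    if ruleset.get("enforcement") != "active":
        findings.append(f"ruleset {ruleset.get('name')!r}: enforcement is {ruleset.get('enforcement')!r}, not active")
    actor = next((a for a in ruleset.get("bypass_actors", [])
                  if a.get("actor_type") == "Integration" and a.get("actor_id") == app_id), None)
    if actor is None:
        findings.append("ruleset: Renovate app is not a bypass actor, so its PRs are held to the pull_request rules")
    elif actor.get("bypass_mode") != "pull_request":
        findings.append(f"ruleset: Renovate app bypass_mode is {actor.get('bypass_mode')!r}; "
                        "'pull_request' limits the bypass to PR merges instead of direct pushes")
    if not required_contexts(ruleset):
        findings.append("ruleset: no required_status_checks, so auto-merge has no CI gate")
    return findings


if __name__ == "__main__":
    for label, rs in (("ok", RULESET_OK), ("weak", RULESET_WEAK)):
        print(label, audit_automerge_prereqs(REPO, rs, RENOVATE_APP_ID) or ["no findings"])
```

The bypass_mode check is the one to watch: 'pull_request' restricts the app to bypassing the rules when it merges a pull request, whereas 'always' also lets it push to main directly. The last check flags a ruleset with no required_status_checks, in which case nothing stands between a Renovate PR and main once auto-merge is armed.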

@fullsend-ai-review fullsend-ai-review Bot left a comment


See the review comment for full details.

Comment thread renovate.json Outdated
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"],
"automerge": true,


[high] logic-error

Top-level automerge: true applies to ALL update types (major, minor, patch, pin, digest), but the issue (#2506) and PR title both specify scoping to 'low-risk PRs' / 'patch bumps and pin updates' only. The config:recommended preset does NOT restrict automerge scope -- it does not set automerge at all. As written, a major version bump that passes CI will be automerged without human review.

Suggested fix: Remove the top-level automerge: true and instead scope it via packageRules with matchUpdateTypes: ["patch", "pin"]. automergeType and platformAutomerge can remain at the top level since they only take effect when automerge is true for a given update.

Comment thread renovate.json Outdated
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"],
"automerge": true,


[high] authorization

Top-level automerge: true combined with the Renovate app being a bypass actor on the main branch ruleset means major and minor dependency upgrades can land on main with no human approval.

Suggested fix: Scope automerge to low-risk update types only by moving the automerge setting into packageRules with matchUpdateTypes: ["patch", "pin", "digest"].

Comment thread renovate.json
"extends": ["config:recommended"],
"automerge": true,
"automergeType": "pr",
"platformAutomerge": true,


[low] authorization

platformAutomerge: true delegates merge execution to GitHub's native auto-merge feature. If CI workflows are path-filtered or misconfigured for dependency-only changes, the PR could merge with no effective review. Risk is significantly reduced if the high finding is addressed (scoping automerge to patch/pin only).

Comment thread renovate.json Outdated
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"],
"automerge": true,


[low] json-formatting

The three new automerge fields are inserted before prHourlyLimit rather than grouped with other behavior configuration. Minor style preference.

@fullsend-ai-review fullsend-ai-review Bot added the dependencies Pull requests that update a dependency file label Jun 23, 2026

Scope automerge to patch bumps and pin updates via packageRules.
Combined with repo-level allow_auto_merge and the ruleset bypass
for renovate-fullsend, these low-risk updates merge automatically
after CI passes.

Closes #2506

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Hector Martinez <hemartin@redhat.com>
fullsend-ai-review Bot commented Jun 23, 2026

🤖 Finished Review · ✅ Success · Started 11:43 AM UTC · Completed 11:51 AM UTC
Commit: ec62ff0 · View workflow run →

Comment thread renovate.json
"platformAutomerge": true,
"prHourlyLimit": 1,
"packageRules": [
{


[low] authorization

Automerge is enabled for patch and pin update types. Combined with the Renovate app being a bypass actor on the main branch ruleset (configured outside this diff), these PRs will merge without human review after CI passes. This is scoped to the lowest-risk update types, which is appropriate, but relies on required status checks being correctly configured for dependency-only PRs to provide the CI gate.

Comment thread renovate.json
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"],
"automergeType": "pr",
"platformAutomerge": true,


[low] authorization

platformAutomerge: true delegates merge execution to GitHub's native auto-merge. If any required CI status checks are path-filtered and do not trigger on dependency-only file changes (e.g., go.mod, go.sum, package.json), the PR could merge with no effective CI validation. Verify that required status checks fire on all file paths that Renovate PRs touch.
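The two low findings ask to verify that the required checks actually fire on dependency-only paths. The following Python check is an added example for this page (not the repository's CI or Renovate code): it evaluates GitHub's pull_request paths / paths-ignore filters against the files each kind of Renovate PR touches and reports the required checks that would not run. The workflow trigger blocks, the check-to-workflow mapping and the file lists are constructed samples, and the custom regex manager path is a placeholder rather than the repository's real file.

```python
import re

# Constructed: the `on.pull_request` trigger block of the workflow that produces
# each required check, as it would look after loading the YAML. Mapping a check
# context to its workflow is an assumption; in a real audit derive it from the
# job ids in .github/workflows/*.yml.
WORKFLOWS = {
    "ci / test": {"paths": ["src/**", "go.mod", "go.sum"]},     # path-filtered
    "ci / lint": {"paths-ignore": ["docs/**", "**.md"]},
    "docs / build": {"paths": ["docs/**"]},
}
REQUIRED_CHECKS = ["ci / test", "ci / lint"]

# Constructed: the files a dependency-only Renovate PR touches, per manager.
# The custom regex manager path is a placeholder, not the repository's real file.
RENOVATE_CHANGE_SETS = {
    "gomod": ["go.mod", "go.sum"],
    "npm": ["package.json", "package-lock.json"],
    "github-actions": [".github/workflows/ci.yml"],
    "custom-regex": ["scripts/openshell-version.txt"],
}


def _glob_to_re(pattern):
    """GitHub path-filter glob to regex: `**` crosses directories, `*` and `?`
    do not. Negated (`!`) patterns are not modelled."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
            continue
        c = pattern[i]
        out += "[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
        i += 1
    return re.compile("^" + out + "$")


def matches_any(path, patterns):
    """True if the path matches at least one filter pattern."""
    return any(_glob_to_re(p).match(path) is not None for p in patterns)


def workflow_triggers(trigger, changed_files):
    """True if a pull_request trigger with these filters fires for the change set:
    `paths` needs at least one matching file, `paths-ignore` needs at least one
    file that is not ignored, and no filter means every PR triggers it."""
    if "paths" in trigger:
        return any(matches_any(f, trigger["paths"]) for f in changed_files)
    if "paths-ignore" in trigger:
        return any(not matches_any(f, trigger["paths-ignore"]) for f in changed_files)
    return True


def ungated_change_sets(workflows, required_checks, change_sets):
    """Map each change set to the required checks that would never run for it,
    i.e. the PR kinds for which those checks give no pass/fail signal."""
    gaps = {}
    for kind, files in change_sets.items():
        missing = [c for c in required_checks if not workflow_triggers(workflows[c], files)]
        if missing:
            gaps[kind] = missing
    return gaps


if __name__ == "__main__":
    for kind, missing in ungated_change_sets(WORKFLOWS, REQUIRED_CHECKS, RENOVATE_CHANGE_SETS).items():
        print(f"{kind}: required check(s) {missing} do not trigger")
```

With the sample filters, go.mod bumps run both checks, but npm, github-actions and custom regex updates never trigger "ci / test". A required check that never reports gives no signal for that PR; whether that leaves the PR waiting or lets it merge depends on the ruleset and bypass configuration, so the fix is the same either way: drop the path filter on workflows that back required checks, or keep a job that always reports and skips the expensive steps itself.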

@fullsend-ai-review fullsend-ai-review Bot added the ready-for-merge All reviewers approved — ready to merge label Jun 23, 2026

Labels

dependencies Pull requests that update a dependency file ready-for-merge All reviewers approved — ready to merge

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Enable auto-merge for Renovate PRs

2 participants