Renovate Config Generator
Analyze a project's dependency landscape and generate a production-ready Renovate Bot configuration. Handles monorepos, custom registries, grouping strategies, automerge policies, schedule windows, and custom managers — so dependency updates flow smoothly instead of drowning your team in PRs.
Use when: "set up renovate", "configure dependency updates", "generate renovate config", "automate dependency management", "too many renovate PRs", "renovate is noisy", or when onboarding a new repo to Renovate.
Prerequisites
# Check for existing Renovate config
ls renovate.json renovate.json5 .renovaterc .renovaterc.json .github/renovate.json 2>/dev/null
# Check package ecosystem files
ls package.json go.mod requirements.txt Pipfile Gemfile pom.xml build.gradle \
  Cargo.toml composer.json *.csproj Dockerfile docker-compose.yml \
  *.tf .terraform.lock.hcl .github/workflows/*.yml .gitlab-ci.yml 2>/dev/null
# If using self-hosted Renovate
renovate --version
Usage
Provide:
- Repository path or URL — the repo to configure Renovate for
- Hosting platform — GitHub, GitLab, Bitbucket, Azure DevOps
- Team preferences — automerge tolerance, PR frequency limits, review requirements
- Custom registries — Artifactory, Nexus, private npm/Docker registries
Example invocations:
Generate a Renovate config for our monorepo. We use npm, Docker, Terraform, and GitHub Actions. We want automerge for patch updates, weekly batched PRs for minor, and manual review for major.
Our Renovate is creating too many PRs. Analyze our dependencies and create grouping rules to reduce PR volume by 70%.
Set up Renovate for our Python project with a private PyPI registry at pypi.internal.example.com.
How It Works
Step 1: Dependency Landscape Analysis
Scan the repository to identify all dependency ecosystems:
# Find dependency files (npm, Go, Python, Ruby, Java, Rust, Docker, Terraform, Helm)
find . -maxdepth 5 \( -name "package.json" -o -name "go.mod" -o -name "requirements*.txt" \
  -o -name "pyproject.toml" -o -name "Gemfile" -o -name "pom.xml" -o -name "Cargo.toml" \
  -o -name "Dockerfile" -o -name "*.tf" -o -name "Chart.yaml" \
  \) -not -path "*/node_modules/*" -not -path "*/.git/*" 2>/dev/null
# Count dependencies per ecosystem
jq '.dependencies + .devDependencies | length' package.json 2>/dev/null
Build a dependency inventory per ecosystem: file count, dependency count, lockfile presence, private registry usage.
Step 2: Grouping Strategy
Design grouping rules to reduce PR volume. The goal: related updates in a single PR, not 50 separate PRs per week.
Analyze package org/scope distribution and identify logical groups (lint tools, test frameworks, build tools, AWS SDK, type definitions). Generate grouping rules:
{
  "packageRules": [
    // Group 1: Lint and formatting tools
    {
      "groupName": "linting and formatting",
      "matchPackagePatterns": ["eslint", "prettier", "stylelint", "biome"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    },
    // Group 2: Test frameworks
    {
      "groupName": "test frameworks",
      "matchPackagePatterns": ["jest", "vitest", "mocha", "chai", "testing-library", "playwright", "cypress"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    },
    // Group 3: Build tools
    {
      "groupName": "build tools",
      "matchPackagePatterns": ["webpack", "vite", "rollup", "esbuild", "swc", "tsup", "turbo"],
      "matchUpdateTypes": ["minor", "patch"]
    },
    // Group 4: AWS SDK (often has 20+ packages)
    {
      "groupName": "aws sdk",
      "matchPackagePatterns": ["^@aws-sdk/"],
      "automerge": true
    },
    // Group 5: Type definitions
    {
      "groupName": "type definitions",
      "matchPackagePatterns": ["^@types/"],
      "automerge": true
    },
    // Group 6: Same-org packages (replace your-org with the real npm scope)
    {
      "groupName": "your-org packages",
      "matchPackagePatterns": ["^@your-org/"],
      "automerge": true
    },
    // Group 7: Terraform providers
    {
      "groupName": "terraform providers",
      "matchManagers": ["terraform"],
      "matchDepTypes": ["provider"],
      "matchUpdateTypes": ["minor", "patch"]
    },
    // Group 8: Docker base images (non-major)
    {
      "groupName": "docker base images",
      "matchManagers": ["dockerfile"],
      "matchUpdateTypes": ["minor", "patch", "digest"]
    },
    // Group 9: GitHub Actions
    {
      "groupName": "github actions",
      "matchManagers": ["github-actions"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    }
  ]
}
Step 3: Automerge Policy
Define what can be automerged safely based on the project's CI pipeline quality and test coverage. Check for CI config files and test frameworks to assess automerge safety:
Automerge tiers:
{
  "packageRules": [
    // Tier 1: Safe to automerge (dev-only, well-tested ecosystem)
    {
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["patch"],
      "automerge": true,
      "automergeType": "branch", // No PR created, merged directly
      "description": "Dev dependency patches — type defs, linters, test runners"
    },
    // Tier 2: Automerge with PR (want visibility but no review needed)
    {
      "matchUpdateTypes": ["patch"],
      "matchDepTypes": ["dependencies"],
      "automerge": true,
      "automergeType": "pr",
      "platformAutomerge": true, // Use GitHub/GitLab native automerge
      "description": "Production dependency patches — automerge after CI passes"
    },
    // Tier 3: No automerge (needs human review)
    {
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "reviewers": ["team:platform"],
      "labels": ["breaking-change"],
      "prPriority": 10,
      "description": "Major version bumps — may contain breaking changes"
    }
  ]
}
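Rule order decides the outcome when the Step 2 groups and these tiers end up in one `packageRules` array: Renovate evaluates every rule in order, and a later matching rule overrides an earlier one. The added example below (not Renovate's own code; `ruleMatches`, `effective` and the sample update are hypothetical, and matching is simplified to the four matchers used on this page) shows the effect on a major `@aws-sdk/*` update.

```javascript
// Added example: simplified model of packageRules evaluation. Assumptions:
// every matcher in a rule must match, later matching rules override earlier ones.
const step2 = [
  { groupName: "aws sdk", matchPackagePatterns: ["^@aws-sdk/"], automerge: true },
  { groupName: "type definitions", matchPackagePatterns: ["^@types/"], automerge: true },
];
const step3 = [
  { matchDepTypes: ["devDependencies"], matchUpdateTypes: ["patch"], automerge: true },
  { matchDepTypes: ["dependencies"], matchUpdateTypes: ["patch"], automerge: true },
  { matchUpdateTypes: ["major"], automerge: false, labels: ["breaking-change"] },
];

// True when the update satisfies every matcher the rule declares.
function ruleMatches(rule, dep) {
  const inList = (list, value) => !list || list.includes(value);
  const byName = !rule.matchPackagePatterns ||
    rule.matchPackagePatterns.some((p) => new RegExp(p).test(dep.depName));
  return byName &&
    inList(rule.matchDepTypes, dep.depType) &&
    inList(rule.matchUpdateTypes, dep.updateType) &&
    inList(rule.matchManagers, dep.manager);
}

// Fold the matching rules in order; settings from later rules win.
function effective(rules, dep) {
  const out = { automerge: false }; // Renovate's default
  for (const rule of rules) {
    if (!ruleMatches(rule, dep)) continue;
    for (const [key, value] of Object.entries(rule)) {
      if (!key.startsWith("match")) out[key] = value;
    }
  }
  return out;
}

// Constructed update: a major bump of a production AWS SDK client.
const awsMajor = {
  depName: "@aws-sdk/client-s3", depType: "dependencies",
  updateType: "major", manager: "npm",
};

function demo() {
  return {
    groupsOnly: effective(step2, awsMajor).automerge,
    groupsThenTiers: effective([...step2, ...step3], awsMajor).automerge,
    tiersThenGroups: effective([...step3, ...step2], awsMajor).automerge,
  };
}
console.log(demo());
```

With the group rules alone, or with the groups placed after the tiers, the major update is automerged; only the ordering that puts the Tier 3 rule last sends it to review.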
Step 4: Schedule Configuration
Set update schedules that respect team workflow:
{
  // When Renovate creates PRs
  "schedule": ["before 7am on Monday"], // Weekly batch, ready for Monday morning
  // Override for security updates (immediate), set through the vulnerabilityAlerts object
  "vulnerabilityAlerts": {
    "schedule": ["at any time"], // Security patches: no schedule delay
    "automerge": true,
    "prPriority": 20
  },
  // Limit concurrent PRs to avoid overwhelming CI
  "prConcurrentLimit": 10,
  "prHourlyLimit": 3,
  // Branch concurrent limit
  "branchConcurrentLimit": 15
}
Step 5: Custom Managers
For dependencies Renovate doesn't detect automatically, create custom managers:
{
  "customManagers": [
    // Dockerfile ARG versions
    {
      "customType": "regex",
      "fileMatch": ["(^|/)Dockerfile$"],
      "matchStrings": [
        "ARG \\w+_VERSION=(?<currentValue>\\S+)\\s*#\\s*renovate:\\s*datasource=(?<datasource>\\S+)\\s+depName=(?<depName>\\S+)"
      ],
      "description": "Update version ARGs in Dockerfiles"
    },
    // .tool-versions (asdf)
    {
      "customType": "regex",
      "fileMatch": ["(^|/)\\.tool-versions$"],
      "matchStrings": [
        "(?<depName>\\S+)\\s+(?<currentValue>\\S+)"
      ],
      "datasourceTemplate": "github-tags",
      "description": "Update .tool-versions entries"
    },
    // Kubernetes manifests (image tags)
    {
      "customType": "regex",
      "fileMatch": ["(^|/)k8s/.+\\.ya?ml$"],
      "matchStrings": [
        "image:\\s*(?<depName>[^:]+):(?<currentValue>[^\\s\"]+)"
      ],
      "datasourceTemplate": "docker",
      "description": "Update image tags in Kubernetes manifests"
    },
    // GitHub Actions pinned SHAs
    {
      "customType": "regex",
      "fileMatch": ["^\\.github/workflows/.+\\.ya?ml$"],
      "matchStrings": [
        "uses:\\s*(?<depName>[\\w-]+/[\\w-]+)@(?<currentDigest>[a-f0-9]{40})\\s*#\\s*v(?<currentValue>\\S+)"
      ],
      "datasourceTemplate": "github-tags",
      "description": "Update pinned GitHub Action SHAs"
    }
  ]
}
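A custom manager looks up whatever its capture groups return, so each matchString is worth running against real file content before it is committed. The added example below (not from the original page or from Renovate) applies three of the patterns above to constructed sample lines, using JavaScript's built-in RegExp as a stand-in for Renovate's regex engine; `tightK8sImage` is a hypothetical stricter pattern written for this example.

```javascript
// Added example (not from the page). JavaScript's RegExp stands in for
// Renovate's regex engine; all sample lines below are constructed.
const page = {
  toolVersions: "(?<depName>\\S+)\\s+(?<currentValue>\\S+)",
  k8sImage: "image:\\s*(?<depName>[^:]+):(?<currentValue>[^\\s\"]+)",
  actionSha:
    "uses:\\s*(?<depName>[\\w-]+/[\\w-]+)@(?<currentDigest>[a-f0-9]{40})\\s*#\\s*v(?<currentValue>\\S+)",
};

// Assumption: a tighter image pattern written for this example. The name may
// contain ':' (registry port), the tag must end the value, digests are skipped.
const tightK8sImage =
  "image:\\s*(?<depName>[^\\s\"@]+):(?<currentValue>[\\w.-]+)(?:\\s|$)";

// Apply a matchString globally to whole-file content; return the named groups.
function extract(pattern, content) {
  return [...content.matchAll(new RegExp(pattern, "g"))].map((m) => ({ ...m.groups }));
}

const samples = {
  plain: "image: nginx:1.27.0",
  port: "image: registry.internal.example.com:5000/team/api:2.3.1",
  digest: "image: nginx@sha256:" + "0".repeat(64),
  tools: "# runtimes\nnodejs 20.11.0\n",
  action: "uses: actions/checkout@" + "a".repeat(40) + " # v4.1.1",
};

// Captured fields per sample, as a regex manager would see them.
function report() {
  return {
    action: extract(page.actionSha, samples.action),
    tools: extract(page.toolVersions, samples.tools),
    plain: extract(page.k8sImage, samples.plain),
    port: extract(page.k8sImage, samples.port),
    digest: extract(page.k8sImage, samples.digest),
    tightPort: extract(tightK8sImage, samples.port),
    tightDigest: extract(tightK8sImage, samples.digest),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

The page's image pattern splits a registry port into the version and turns a digest reference into a dependency named `nginx@sha256`, and the `.tool-versions` pattern reads a comment line as a dependency named `#`; the stricter pattern keeps the port in the name and skips the digest-only line.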
Step 6: Private Registry Configuration
Generate hostRules entries for each private registry detected (npm, Docker/ECR, Terraform, Artifactory). Each rule includes matchHost, hostType, and token references using {{ secrets.* }} syntax so credentials aren't hardcoded. Also configures registryAliases when internal mirrors are used (e.g., docker.io -> mirror.internal.example.com).
Step 7: Monorepo Configuration
For monorepos, configure per-workspace branch prefixes and commit message prefixes (e.g., api: , web: ) so PRs are scoped to the right package. Group shared devDependencies across workspaces to avoid duplicate PRs. Set ignorePaths for node_modules, vendor, dist, and build directories.
Step 8: Final Config Assembly
Assemble the complete renovate.json5 combining all rules above, extending community presets (config:recommended, helpers:pinGitHubActionDigests, :semanticCommits, group:monorepos, replacements:all, workarounds:all), and adding vulnerability alert overrides (security label, security team reviewers, no schedule delay, automerge enabled).
Output
The agent produces:
- Dependency landscape report — ecosystem breakdown, count of dependencies per type, private registries detected
- Complete renovate.json5 — ready to commit, with comments explaining each rule
- Grouping analysis — expected PR volume reduction (e.g., "from ~45 PRs/week to ~8")
- Automerge safety assessment — which tiers are safe to automerge based on CI pipeline quality
- Custom manager definitions — for any dependency sources Renovate doesn't detect natively
- Migration notes — if migrating from Dependabot or another tool, mapping of existing config
- Onboarding PR preview — what the initial Renovate onboarding PR will look like
PR Volume Reduction Strategies
- Group by org/scope — 40-60% reduction, trade-off: larger PRs harder to bisect
- Group dev dependencies — 20-30% reduction, trade-off: may miss tooling breakage
- Automerge patches — 30-50% reduction, requires good CI coverage
- Weekly schedule — 70-80% reduction, updates delayed up to 7 days
- Digest pinning — 10-15% more PRs but better reproducibility