ci: migrate from Dependabot to Renovate

[pilat]

Why

Moving dependency automation from Dependabot to Renovate. Renovate groups non-major bumps into a single PR (far less noise than Dependabot's one-PR-per-dependency), waits a stability cooldown before opening PRs, and gives us a cleaner config to standardize on.

What

• Replace .github/dependabot.yml with .github/renovate.json.
• Config: config:recommended, weekly schedule, all non-major updates grouped into a single PR, semantic fix: commits with scope disabled, and a 24h minimumReleaseAge so freshly published versions settle before we get a PR.
• GitHub Actions bumps are grouped into their own PR.
• Carried over the one Dependabot-specific rule: @types/node stays off major bumps so it tracks the supported Node engine.

Notes

• Renovate runs via the org-level GitHub App; the app needs markfluence in scope to start opening PRs. Handled separately.
• No release impact: publishing fires on v* tags, not commit type, so fix: dependency bumps won't auto-trigger npm releases.

[coderabbitai]

Warning

Review limit reached

@pilat, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 50 minutes and 8 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e3271c75-1468-4b82-a6df-3e9fc483054d

📥 Commits

Reviewing files that changed from the base of the PR and between 2b45591 and 7b5462e.

📒 Files selected for processing (1)

• .github/renovate.json

📝 Walkthrough

Walkthrough

The PR removes the existing .github/dependabot.yml configuration and replaces it with .github/renovate.json. The new Renovate config extends config:recommended, applies a weekly schedule, sets minimumReleaseAge to 24 hours, groups non-major updates, groups all GitHub Actions updates into a single PR, and disables major-version bumps for @types/node.

Changes

Dependabot → Renovate Migration

Layer / File(s)	Summary
Renovate config replacing Dependabot .github/renovate.json, .github/dependabot.yml	Removes the Dependabot YAML (npm weekly schedule, GitHub Actions weekly schedule, @types/node major ignore rule) and adds a Renovate JSON config with equivalent weekly scheduling, semantic commit defaults, 24-hour minimumReleaseAge, GitHub Actions group rule, and a package rule disabling @types/node major updates.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• pilat/markfluence#1: Originally introduced the .github/dependabot.yml for npm and GitHub Actions updates that this PR removes in favor of Renovate.

Poem

🐇 Hop hop, the rabbit hops along,
Dependabot's gone, but fear not the song!
Renovate arrives with its JSON in tow,
Weekly schedules and groups all aglow.
Same rules, new tool — the deps still flow! 🌱

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'ci: migrate from Dependabot to Renovate' accurately reflects the main change - replacing Dependabot configuration with Renovate configuration as the primary objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/migrate-to-renovate

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/renovate.json:
- Around line 1-24: The `minimumReleaseAge` property in the renovate
configuration is currently set to `"24 hours"`, but Renovate's documented format
convention requires human-readable duration strings like `"1 day"`, `"3 days"`,
etc. Change the `minimumReleaseAge` value from `"24 hours"` to `"1 day"` to
match Renovate's expected format.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4c0d918c-7c58-4cb7-a41d-384b239dc0ee

📥 Commits

Reviewing files that changed from the base of the PR and between f222711 and 2b45591.

📒 Files selected for processing (2)

• .github/dependabot.yml
• .github/renovate.json

💤 Files with no reviewable changes (1)

• .github/dependabot.yml