Dependency update strategy: migrate from Dependabot to Renovate

[oboehmer]

Goal

Define a dependency update strategy for nac-test that:

1. Security updates always bump pyproject.toml lower bound + update uv.lock
2. Non-security updates only update uv.lock, leaving pyproject.toml alone (to avoid minimum-version conflicts when nac-test is integrated into other environments)
3. pyats + genie are upgraded in lockstep (single PR, same version)
4. Core framework dependencies (Track Latest tier) always stay current
5. GitHub Actions SHA-pinned references are kept up to date

Proposed change: Migrate from Dependabot to Renovate

Requirement	Dependabot	Renovate
Security updates bump pyproject.toml + uv.lock	Bumps pyproject.toml but no native uv.lock support (CI workaround needed)	Native uv.lock support, vulnerabilityAlerts.rangeStrategy: "bump"
Non-security updates are lockfile-only	Cannot differentiate security vs non-security behavior	Global rangeStrategy: "update-lockfile"
pyats + genie lockstep	groups puts in one PR but does not enforce version alignment	groupName + uv resolver ensures compatible versions
Track Latest tier for core deps	No per-package update strategy	Per-package rangeStrategy: "bump" via packageRules
GitHub Actions SHA pins	Supported (github-actions ecosystem)	Supported (github-actions manager) — updates SHA + version comment
uv.lock native support	No	Yes

With Renovate covering both Python dependencies and GitHub Actions, dependabot.yml can be removed entirely. Dependabot security alerts (repo settings) remain enabled — Renovate reads those via API.

Acceptance criteria

• Renovate GitHub App installed and configured on netascode/nac-test
• .github/dependabot.yml removed (Renovate covers both Python deps and GitHub Actions)
• Dependabot security alerts remain enabled in repo settings
• uv lock CI workaround removed from test.yml
• Three-tier update model working as described in the implementation comment below

[oboehmer]

Implementation Plan: Three-Tier Dependency Update Model + GitHub Actions

Dependency Update Tiers

Tier	Behavior	Applies to
Track Latest	Always bump pyproject.toml lower bound + update uv.lock	pyats, genie, robotframework, robotframework-pabot (list may be expanded over time)
Security	Bump pyproject.toml + update uv.lock (only on CVE/advisory)	All other deps
Routine	Only update uv.lock, leave pyproject.toml alone	All other deps (non-security)
GitHub Actions	Update SHA pin + version comment	All workflow files

Rationale for Track Latest: These are core framework dependencies where nac-test should stay current. Drifting behind leads to painful catch-up upgrades. Staying on latest catches breaking changes early. The list of Track Latest packages can be expanded as needed — these are the initial candidates.

Rationale for Routine (lockfile-only): In pyproject.toml, the strategy is to define a lower bound (>=x.y). Since nac-test is integrated into other environments, always bumping the minimum version risks dependency conflicts with other packages. Lockfile-only updates keep CI testing against latest without tightening the lower bound.

Note: pyats + genie are grouped into a single PR (lockstep requirement). All other Track Latest packages get separate PRs. GitHub Actions updates are grouped into a single PR.

How Renovate Handles Security on GitHub

Renovate does not replace GitHub's vulnerability detection — it reads GitHub Dependabot security alerts via the API. The setup is:

• Keep Dependabot alerts enabled (repo Settings > Security) — provides the vulnerability data from GitHub Advisory Database, covers transitive deps
• Keep Dependency graph enabled — required for alerts
• Remove .github/dependabot.yml entirely — Renovate replaces both Python version updates and GitHub Actions updates

Additionally, Renovate's osvVulnerabilityAlerts (OSV.dev-based, experimental) adds a second layer of vulnerability detection for direct dependencies, including malicious-package detection.

Planned renovate.json

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],

  "rangeStrategy": "update-lockfile",
  "minimumReleaseAge": "3 days",

  "osvVulnerabilityAlerts": true,
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"],
    "rangeStrategy": "bump",
    "prCreation": "immediate"
  },

  "packageRules": [
    {
      "description": "pyats + genie: always track latest, upgrade in lockstep",
      "groupName": "pyats-genie",
      "matchPackageNames": ["pyats", "genie"],
      "matchManagers": ["pep621"],
      "rangeStrategy": "bump"
    },
    {
      "description": "robotframework: always track latest",
      "matchPackageNames": ["robotframework"],
      "matchManagers": ["pep621"],
      "rangeStrategy": "bump"
    },
    {
      "description": "robotframework-pabot: always track latest",
      "matchPackageNames": ["robotframework-pabot"],
      "matchManagers": ["pep621"],
      "rangeStrategy": "bump"
    },
    {
      "description": "GitHub Actions: group all updates into one PR",
      "groupName": "github-actions",
      "matchManagers": ["github-actions"]
    }
  ]
}

Example Scenarios

Scenario	What happens
pyats 26.4 released	One PR bumps pyproject.toml for both pyats and genie to >=26.4, updates uv.lock
robotframework 7.4 released	PR bumps pyproject.toml (>=7.3.2 to >=7.4), updates uv.lock
robotframework-pabot 6.0 released	Separate PR — needs review due to <6 upper bound in current spec
ruamel.yaml 0.19.0 released	Only uv.lock updated (still within >=0.18.15). pyproject.toml untouched
CVE in Jinja2	vulnerabilityAlerts fires immediately (skips 3-day delay), bumps pyproject.toml, updates uv.lock. Labeled security
httpx 0.30.0 released	PR updates pyproject.toml because version is outside current ~=0.28 range — expected behavior
actions/checkout v7 released	One PR updates SHA + comment in all workflow files (grouped with other Actions updates)

Migration Steps

1. Install Renovate GitHub App on netascode/nac-test
2. Renovate auto-creates an onboarding PR with default config
3. Customize with the renovate.json above and merge
4. Remove .github/dependabot.yml entirely
5. Remove uv lock CI workaround from .github/workflows/test.yml (lines 81-92)
6. Close any open Dependabot version-update PRs