Skip to content

Consider auto-merge for low-risk Renovate patch/minor devDependency updates where CI passes #3016

Description

@fullsend-ai-retro

What happened

PR #3009 (#3009) was opened by Renovate at 04:37 UTC and sat for ~3 hours until a human approved at 07:45 UTC. The approval was silent (no review body, no inline comments). The PR changed only package.json and package-lock.json. CI (site preview, codecov) passed within 5 minutes of opening. The human review added latency without adding substantive value for this particular change.

What could go better

For dependency updates where only package.json and lockfile change and CI passes, the ~3 hour wait for human approval is pure latency. This is common for Renovate PRs — the human reviewer's role is effectively to verify CI passed, which branch protection already enforces. Note: PR #3009 itself is a poor candidate for auto-merge due to its multi-minor version jump, but many Renovate PRs are simple patch bumps that would qualify. Confidence: low. This is a policy/process change that requires team buy-in. The observation is based on a single PR and may not reflect the team's preferences or risk tolerance.

Proposed change

Configure Renovate's automerge for patch-level updates of devDependencies when all CI checks pass. This uses Renovate's built-in automerge feature with branch protection ensuring CI must pass before merge. Scope conservatively: only devDependencies, only patch bumps, only when the PR touches exclusively package.json and lockfile. Minor and major bumps, runtime dependencies, and any PR touching source files should continue requiring human review. This is a Renovate config change (renovate.json or similar) combined with appropriate branch protection rules.

Validation criteria

Track auto-merged dependency PRs over 30 days. Success: reduction in median time-to-merge for qualifying dependency PRs from hours to minutes, with zero reverts caused by auto-merged updates. Rollback trigger: any auto-merged PR that causes a CI failure on main or requires a revert should prompt disabling auto-merge for that dependency and reassessing scope.


Generated by retro agent from #3009

Metadata

Metadata

Assignees

No one assigned

    Labels

    blockedBlocked by another issue or external dependencycomponent/ciCI pipelines and checksdependenciesPull requests that update a dependency filepriority/lowNice to have, address when convenientready-for-triageRetro-filed issue awaiting triage agenttype/choreMaintenance and housekeeping tasks

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Todo

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions