
chore(Renovate): improve security posture of setup and other general improvements #22479

Merged
merged 5 commits into from Feb 3, 2024

Conversation

secustor (Contributor) commented:

Hey, I just made a Pull Request!

These are some basic changes to your Renovate configuration, which I would recommend.
If you have questions or do not agree with these changes, I can provide some input here.
It may be of interest that Renovate currently has 107 updates pending on this repository, so there is quite a backlog.

Changes:

  • add schema tag to give IntelliSense to all IDEs which support JSON Schema
  • use config:best-practices instead of config:base, which in turn includes config:recommended
    • enables DependencyDashboard
    • enables configMigration, which enables auto-migration for non-backwards-compatible changes
    • pin Docker images and GitHub Actions to digests for security purposes
    • though the recommended pinning of dev dependencies is for now ignored
    • add community-provided monorepo, grouping and replacement rules
  • increase PR limit to allow processing of more PRs by Collaborators/Maintainers in parallel.
    Consider the input in this guide. I'm happy to help you to improve your workflow here.

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)
  • All your commits have a Signed-off-by line in the message. (more info)
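The third bullet above (pin Docker images and GitHub Actions to digests) is the security-relevant change in this PR. As an added example that is not code from the Backstage repository or from the Renovate project, the Python check below is the kind of CI gate a maintainer would run alongside such a config: it scans a workflow file and a Dockerfile for `uses:` and `FROM` references that are not pinned to an immutable digest, which is exactly the drift Renovate's digest pinning is meant to remove. The workflow and Dockerfile text are constructed for the example, the digests in them are all-placeholder values rather than real upstream digests, and the function and class names are the example's own.

```python
import re
from dataclasses import dataclass

# A GitHub Actions ref is pinned when the part after '@' is a full 40-hex commit SHA;
# a container image is pinned when it carries a sha256 content digest. Tags such as
# v4 or 20-alpine are mutable and can be repointed by whoever controls the upstream.
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHA256_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    source: str    # file the line came from
    line_no: int   # 1-based line number in that file
    ref: str       # the unpinned reference as written
    reason: str


def is_pinned_image(image: str) -> bool:
    """True if a container image reference carries a sha256 digest."""
    if image.lower() == "scratch":
        return True  # not a real image; nothing to pin
    if "@" not in image:
        return False
    _, digest = image.split("@", 1)
    return SHA256_DIGEST_RE.match(digest) is not None


def is_pinned_action(ref: str) -> bool:
    """True if a workflow 'uses:' reference cannot drift under the caller's feet."""
    if ref.startswith("./"):
        return True  # local action in this repo; nothing external to pin
    if ref.startswith("docker://"):
        return is_pinned_image(ref[len("docker://"):])
    if "@" not in ref:
        return False
    _, version = ref.split("@", 1)
    return COMMIT_SHA_RE.match(version) is not None


def check_workflow(text: str, source: str = "workflow.yml") -> list[Finding]:
    """Flag every 'uses:' step whose action is referenced by a mutable tag or branch."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not is_pinned_action(m.group(1)):
            findings.append(Finding(source, line_no, m.group(1),
                                    "action not pinned to a 40-hex commit SHA"))
    return findings


def check_dockerfile(text: str, source: str = "Dockerfile") -> list[Finding]:
    """Flag every FROM whose base image lacks a digest; stage aliases are skipped."""
    findings = []
    stage_names: set[str] = set()  # 'FROM builder' refers to a stage, not an image
    for line_no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        if alias:
            stage_names.add(alias.lower())
        if image.lower() in stage_names:
            continue
        if not is_pinned_image(image):
            findings.append(Finding(source, line_no, image,
                                    "base image not pinned to a sha256 digest"))
    return findings


# Constructed sample inputs for this example. The digests are placeholder values,
# not real upstream digests.
PLACEHOLDER_COMMIT = "0123456789abcdef0123456789abcdef01234567"
PLACEHOLDER_SHA256 = "sha256:" + "0123456789abcdef" * 4

SAMPLE_WORKFLOW = f"""\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@{PLACEHOLDER_COMMIT} # v4.0.2
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

SAMPLE_DOCKERFILE = f"""\
FROM --platform=$BUILDPLATFORM node:20-bookworm-slim AS builder
FROM node:20-bookworm-slim@{PLACEHOLDER_SHA256} AS runtime
FROM builder
FROM scratch
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW) + check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"{f.source}:{f.line_no}: {f.ref}: {f.reason}")
```

Run over `.github/workflows/*.yml` and any Dockerfiles in CI and fail the job on a non-empty result. Each finding is a reference the upstream owner can repoint without any change in this repository; pinning to a digest moves that control back to the consumer, and Renovate's `docker:pinDigests` and `helpers:pinGitHubActionDigests` presets then keep the pinned digests current through reviewable PRs instead of silent drift.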

Signed-off-by: secustor <sebastian@poxhofer.at>
…d workarounds, as well dependency dashboard
@secustor secustor requested review from a team as code owners January 23, 2024 22:39
github-actions bot (Contributor) commented Jan 23, 2024:

Uffizzi Cluster pr-22479 was deleted.

freben (Member) commented Jan 24, 2024:

Hi! Thanks. I'll bring it up with the other maintainers. In the meantime, seems the config file isn't prettier formatted - try yarn prettier --write <file>.

Signed-off-by: secustor <sebastian@poxhofer.at>

Review thread on these config lines:
    labels: ['dependencies'],
    extends: ['config:base', ':disableDependencyDashboard', ':gitSignOff'],
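Review bot: the `extends` line shown here still carries `:disableDependencyDashboard`, which contradicts the PR description's "enables DependencyDashboard"; since later presets in `extends` override earlier ones, that preset must be dropped rather than merely preceded by `config:best-practices`, so confirm the replacement line reads `extends: ['config:best-practices', ':gitSignOff']` (plus whatever else is intended) with no `:disableDependencyDashboard` entry.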
Collaborator commented:

This is just more curiosity on my part but why do you recommend enabling the dependency dashboard? If you have some documentation on this I'm fine with you just pointing me that way 👍

Some background, I help support the Backstage Demo site (https://github.com/backstage/demo) and often help people on the Backstage Discord server. I'm slowly working on a tutorial with some guidance on using Renovate with Backstage.

secustor (Contributor, Author) commented Jan 27, 2024:

The dashboard is our main way to communicate with users. We show there ignored (manually closed) updates, rate-limited ones (because the concurrency limit has been reached) and errors. From there you can also force a recreation of PRs.
https://docs.renovatebot.com/key-concepts/dashboard/

Looking forward to it! I'm working on a blog regarding Backstage and Renovate too.

See renovatebot/renovate#2958 as an example.

Collaborator commented:

Thanks for the links! Do you have insights on using the Dependency Dashboard (which is basically a public issue) versus using this - https://developer.mend.io/github/backstage/backstage - which does the same things but isn't public as best I can tell? Also, for larger projects, how do you handle that the issue can get lost in all the other issues? Do you just recommend pinning it?

secustor (Contributor, Author) commented:

The developer portal is, as far as I know, also public; an exception is the logs of Renovate runs. Be aware that I have no insight into how it functions in the background, as this is part of Mend's setup and not of the OSS project. Therefore it could be that the portal does not show everything from the issue or vice versa.

Yes, we recommend pinning the issue, but it is also possible to give it a better searchable name or specific labels for better discovery.
https://docs.renovatebot.com/configuration-options/#dependencydashboardtitle
https://docs.renovatebot.com/configuration-options/#dependencydashboardlabels

Collaborator commented:

Thanks again for the reply, appreciate it! 🚀

Rugvip (Member) left a comment:

Thank you, I think it looks good! 👍

Happy about trying out the dashboard, we can always disable it if it doesn't work out.

Same thing with the increased concurrency limit. I think it makes sense because we often hit the point of too many blocked PRs to let more straight-forward bumps through.

@Rugvip Rugvip merged commit eb4298d into backstage:master Feb 3, 2024
29 checks passed
@secustor secustor deleted the ci/renovate-config branch February 19, 2024 14:53