
chore(renovate): switch to pep621 manager (uv-managed projects)#40

Merged
williaby merged 5 commits into
mainfrom
chore/renovate-switch-to-uv-manager
May 28, 2026

Conversation

@williaby
Contributor

@williaby williaby commented May 24, 2026

Summary

This repo manages dependencies with uv (`uv.lock` present), but `renovate.json` declared:

```json
"enabledManagers": ["poetry", "github-actions"]
```

Renovate's `enabledManagers` is replace-not-merge, so the global config does not fill in `pep621`. The `poetry` manager tries to parse `pyproject.toml`'s `[tool.poetry.dependencies]` table, but uv projects declare deps under `[project.dependencies]`. Result: Renovate silently parses zero Python deps and produces no PRs.

Changes

  • `enabledManagers`: `poetry` -> `pep621`
  • `packageRules[*].matchManagers`: `poetry` -> `pep621`
  • Removed top-level `"poetry": { ... }` block
  • Removed `"poetryMassage"` from `postUpdateOptions`

Test plan

  • Renovate dashboard issue regenerates with Python dependency PRs after merge
  • No regression in GitHub Actions dependency PRs

Summary by CodeRabbit

  • Chores
    • Updated internal dependency management automation configuration to improve accuracy of dependency tracking and lock file generation during routine maintenance cycles.

Review Change Stack

This repo manages dependencies with uv (uv.lock present) but renovate.json declared "enabledManagers": ["poetry", "github-actions"]. Renovate's enabledManagers is replace-not-merge, so the poetry manager was attempting to parse pyproject.toml's [project.dependencies] table, which it doesn't understand, and silently produced zero PRs.

Changes: enabledManagers poetry -> uv, packageRules matchManagers poetry -> uv, removed top-level poetry block and poetryMassage postUpdateOption.
Copilot AI review requested due to automatic review settings May 24, 2026 18:56
@coderabbitai

coderabbitai Bot commented May 24, 2026

Warning

Review limit reached

@williaby, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 52 minutes and 11 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 41367075-4d3a-4835-b7a2-a62dccdfa3dc

📥 Commits

Reviewing files that changed from the base of the PR and between 4bec141 and 4f3d2ce.

📒 Files selected for processing (1)
  • CHANGELOG.md

Walkthrough

This PR updates Renovate configuration to use pep621 dependency management instead of poetry, migrating post-update strategy to uvUpdatePreciseVersion for uv lock file support. PackageRules are reorganized to match pep621 field targets, GitHub Actions auto-merge scope expands to include pin updates, and enabledManagers switches to pep621 with regex added. CHANGELOG documents these fixes.

Changes

Renovate pep621 Migration

| Layer | File(s) | Summary |
| --- | --- | --- |
| Manager switch and post-update configuration | renovate.json | enabledManagers changed from poetry to pep621 with regex added; postUpdateOptions switched from poetryMassage to uvUpdatePreciseVersion; removed top-level python and poetry enablement blocks. |
| Python package rules reorganization | renovate.json | packageRules restructured to target pep621 dependency sections; added dedicated rule for project.optional-dependencies extras; GitHub Actions auto-merge expanded to include pin update type. |
| Preserved custom managers for workflow files | renovate.json | CustomManagers regex configuration for GitHub Actions workflow version extraction retained unchanged. |
| Changelog documentation | CHANGELOG.md | [Unreleased] Fixed section added documenting the Renovate configuration migration: manager switch, pep621 field matching, regex enablement, extras grouping, auto-merge expansion, and uvUpdatePreciseVersion option. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 From verse to dep lock,
The prose now speaks of pep621,
Poetry fades as uv takes the stage—
Extras grouped, auto-merges staged,
Renovate hops to a new page! 🌿

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and concisely describes the main change: switching Renovate's dependency manager from poetry to pep621 for uv-managed projects, which directly addresses the core issue that Renovate was parsing zero Python dependencies. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


@github-actions

github-actions Bot commented May 24, 2026

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None


Copilot AI left a comment


Pull request overview

This PR updates Renovate configuration to use the uv manager for Python dependency discovery, aligning automation with the repo’s pyproject.toml/uv.lock dependency setup.

Changes:

  • Replaces Poetry manager references with uv.
  • Removes Poetry-specific Renovate configuration and post-update option.
  • Keeps GitHub Actions dependency management enabled.
Comments suppressed due to low confidence (1)

renovate.json:33

  • After switching this rule to the uv manager, matchDepTypes: ["dependencies"] no longer matches the dep type emitted for PEP 621 runtime dependencies in this repo ([project].dependencies, reported by Renovate's uv extraction as project.dependencies). As written, the Python dependency grouping/schedule rule will not apply; update the dep type match to the uv dep type used for [project.dependencies].

```json
                "uv"
            ],
            "matchDepTypes": [
                "dependencies"
            ],
```

Comment thread renovate.json Outdated
Renovate 42.92.x has no standalone "uv" manager. The previous commit
added "uv" to enabledManagers, which rejects the entire config with
"Config validation errors found: ... not supported: uv". The correct
manager for uv-managed Python projects is pep621 (reads PEP 621
[project.dependencies] from pyproject.toml). uv.lock regeneration is
handled by RENOVATE_BINARY_SOURCE=install in the global Renovate env.

See homelab-infra PR #309/#314 (May 2026) where this exact mistake
was made and reverted previously.
@williaby williaby changed the title chore(renovate): switch from poetry to uv manager chore(renovate): switch to pep621 manager (uv-managed projects) May 24, 2026
@williaby
Contributor Author

Amended to use pep621 instead of uv. Validated locally with renovate-config-validator (Renovate 42.92.14, matching homelab-infra). See feedback_renovate_uv_manager_trap.md for context.

The pep621 Renovate manager emits depType values:
  - project.dependencies
  - dependency-groups
  - tool.uv.dev-dependencies

Not the values used by other managers ("dependencies", "devDependencies",
"dev"). PackageRules using the wrong depType silently no-op, same class
of silent-failure bug as the "uv" manager trap from this remediation
campaign. CodeRabbit flagged this on PR #190 with an authoritative diff.

See standards manifest TOOL-014 (added 2026-05-24).
@williaby
Contributor Author

Added fix(renovate): correct matchDepTypes for pep621 (see TOOL-014). Validator still clean.

@williaby
Contributor Author

PR Review: chore(renovate): switch to pep621 manager

Agents: CLAUDE.md compliance, Bug Scan, Security, PR Description validation
CI Note: All 8 failing checks are pre-existing dependency vulnerabilities (PYSEC-2026-161 starlette, PYSEC-2026-139 torch) unrelated to this diff. The fix/starlette-torch-vulnerabilities branch resolves them -- merge that first.


Critical (must fix before merge)

[Bug] enabledManagers omits "regex" -- the entire customManagers CI version-pin regex block is silently disabled. Add "regex" to enabledManagers.

[Bug] renovate.json -- project.optional-dependencies depType is not covered by any packageRule. Seven extras (ml, audio, monitoring, jobs, caching, supply-chain, dev) contain the bulk of dependencies and will generate individual ungrouped PRs, overwhelming prConcurrentLimit: 5. Add "project.optional-dependencies" to a packageRule group.

[Standards] CHANGELOG.md not updated for two fix(renovate): commits on this branch. CLAUDE.md requires CHANGELOG entries for fix: commits -- add entries under [Unreleased].


Important (should fix)

[Docs] PR description ## Changes says "poetry" -> "uv" for both enabledManagers and matchManagers. The actual diff value is "pep621" (not "uv"). Update the description to match the title.

[Bug] lockFileMaintenance is configured but postUpdateOptions is empty (correct to drop poetryMassage). Consider adding "uvUpdatePreciseVersion" for uv-managed lock-file maintenance.

[Security] transitiveRemediation: true is unreliable with the pep621 manager for indirect deps. CI pip-audit is the correct compensating control -- no code change needed, but worth noting in docs/known-vulnerabilities.md.


SonarQube: 0 issues, 0 hotspots (JSON-only change).

🤖 Generated with Claude Code

- add "regex" to enabledManagers; omitting it silently disabled
  customManagers (CI version-pin regex tracking produced zero matches)
- add project.optional-dependencies packageRule so extras deps are
  grouped; without it seven extras would each generate a separate PR
- add "pin" to github-actions matchUpdateTypes so SHA digest-pin PRs
  are included in automerge alongside minor/patch
- replace no-op postUpdateOptions python block with uvUpdatePreciseVersion
  so lockFileMaintenance correctly regenerates uv.lock

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@williaby
Contributor Author

/pr-fix summary

Four issues found during review have been resolved in commit 4bec141:

Critical (fixed)

Missing "regex" in enabledManagers -- The enabledManagers whitelist silently disables every manager not listed. Without "regex", the customManagers regex rule that tracks pinned CI tool versions in workflow files produced zero matches. Added "regex" to the list.

Missing project.optional-dependencies packageRule -- The pyproject.toml [project.optional-dependencies] section declares seven extras (api, preprocessing, dev, docs, test, jupyter, all). Without a matching packageRule, Renovate would have generated one ungrouped PR per package. Added a packageRule to group them as "Python extras dependencies" on the weekend schedule.

Important (fixed)

postUpdateOptions was a no-op -- The config had "postUpdateOptions": [{"python": {"enabled": true}}], which is not a recognized Renovate option for the pep621 manager. Replaced with ["uvUpdatePreciseVersion"] so that lockFileMaintenance correctly regenerates uv.lock with precise pinned versions.

Suggested (fixed)

"pin" missing from github-actions matchUpdateTypes -- The automerge rule for GitHub Actions covered minor and patch but not pin (the update type Renovate uses when pinning actions to commit SHA digests, which pinDigests: true generates). Added "pin" so those PRs are also automerged instead of requiring manual approval.

Not fixed (human review required)

  • transitiveRemediation gap with pep621: transitiveRemediation: true has limited support for the pep621 manager; indirect dep updates rely on lock-file maintenance rather than direct patching. Compensating control: CI runs pip-audit on every push.
  • Pre-1.0 packages miss prPriority escalation: pydub (0.25.1), python-multipart (0.0.27), and ffmpeg-python (0.2.0) are pre-1.0 semver so they are excluded from the matchCurrentVersion: "!/^0/" critical escalation rule. This is a deliberate design decision given those packages' versioning conventions.

Pre-existing CI failures

The security CI jobs are failing on PYSEC-2026-161 (starlette) and PYSEC-2026-139 (torch) -- vulnerabilities published after the branch was cut in December 2025. These are resolved on the local branch fix/starlette-torch-vulnerabilities (commit bbb6ee8) and should be merged to main before or alongside this PR.
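The three "silent no-op" traps discussed across this PR (the PR description's replace-not-merge `enabledManagers` point, the depType comment about the values the pep621 manager emits, and the `/pr-fix` summary above covering the missing `regex` manager and the ungrouped extras) can all be caught before Renovate ever runs. The following is an added example, not code from this repository: a small lint over an already-parsed `renovate.json` and `pyproject.toml`, run against three constructed config snapshots that mirror the stages of this PR. The pep621 depType set is taken from the PR discussion; the sample configs and the `customManagers` placeholder are constructed for illustration.

```python
"""Lint a Renovate config for the silent no-op traps described in the PR.

Added example, not the repository's own code. Inputs are the parsed contents of
renovate.json and pyproject.toml plus whether a uv.lock file exists.
"""

# depType values the pep621 manager emits, as listed in the PR discussion.
PEP621_DEP_TYPES = {
    "project.dependencies",
    "project.optional-dependencies",
    "dependency-groups",
    "tool.uv.dev-dependencies",
}


def lint_renovate(renovate: dict, pyproject: dict, has_uv_lock: bool) -> list[str]:
    """Return human-readable findings; an empty list means no trap was detected."""
    findings: list[str] = []
    managers = renovate.get("enabledManagers")  # None means Renovate's default set
    project = pyproject.get("project", {})
    declares_pep621 = "dependencies" in project or "optional-dependencies" in project
    has_poetry_table = "poetry" in pyproject.get("tool", {})

    if managers is not None:
        # enabledManagers is replace-not-merge: any manager not listed is disabled.
        if "poetry" in managers and declares_pep621 and not has_poetry_table:
            findings.append("poetry manager enabled but deps live under [project]; "
                            "Renovate will parse zero Python deps")
        if has_uv_lock and "pep621" not in managers:
            findings.append("uv.lock present but pep621 manager not enabled")
        if renovate.get("customManagers") and "regex" not in managers:
            findings.append("customManagers present but regex manager not enabled; "
                            "custom rules are silently ignored")

    covered: set[str] = set()
    for rule in renovate.get("packageRules", []):
        if "pep621" not in rule.get("matchManagers", []):
            continue
        dep_types = rule.get("matchDepTypes")
        if dep_types is None:  # no depType filter: the rule applies to every depType
            covered |= PEP621_DEP_TYPES
            continue
        for dep_type in dep_types:
            if dep_type in PEP621_DEP_TYPES:
                covered.add(dep_type)
            else:
                findings.append(f"matchDepTypes {dep_type!r} is not a pep621 depType; "
                                "the packageRule silently no-ops")

    if (managers and "pep621" in managers and project.get("optional-dependencies")
            and "project.optional-dependencies" not in covered):
        findings.append("[project.optional-dependencies] extras are not grouped by any "
                        "packageRule; expect one PR per package")
    return findings


# Constructed pyproject.toml contents (already parsed), shaped like a uv project.
PYPROJECT = {
    "project": {
        "dependencies": ["fastapi>=0.133.0"],
        "optional-dependencies": {"audio": ["silero-vad"], "ml": ["torch"]},
    },
    "tool": {"uv": {}},
}

# Constructed placeholder: only the presence of a regex custom manager matters here.
CUSTOM_MANAGERS = [{"customType": "regex"}]

# Stage 1: the original config (poetry manager, poetry rules, regex not enabled).
ORIGINAL = {
    "enabledManagers": ["poetry", "github-actions"],
    "packageRules": [{"matchManagers": ["poetry"], "matchDepTypes": ["dependencies"],
                      "groupName": "Python dependencies"}],
    "customManagers": CUSTOM_MANAGERS,
}
# Stage 2: manager switched to pep621, but depTypes, regex and extras not yet fixed.
INTERMEDIATE = {
    "enabledManagers": ["pep621", "github-actions"],
    "packageRules": [{"matchManagers": ["pep621"], "matchDepTypes": ["dependencies"],
                      "groupName": "Python dependencies"}],
    "customManagers": CUSTOM_MANAGERS,
}
# Stage 3: the merged state described in the PR.
FIXED = {
    "enabledManagers": ["pep621", "regex", "github-actions"],
    "packageRules": [
        {"matchManagers": ["pep621"], "matchDepTypes": ["project.dependencies"],
         "groupName": "Python dependencies"},
        {"matchManagers": ["pep621"], "matchDepTypes": ["project.optional-dependencies"],
         "groupName": "Python extras dependencies"},
    ],
    "customManagers": CUSTOM_MANAGERS,
    "postUpdateOptions": ["uvUpdatePreciseVersion"],
}

if __name__ == "__main__":
    for name, cfg in [("original", ORIGINAL), ("intermediate", INTERMEDIATE), ("fixed", FIXED)]:
        findings = lint_renovate(cfg, PYPROJECT, has_uv_lock=True)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Running it reports three findings for the original config, three different ones for the intermediate state (bad depType, missing regex, ungrouped extras) and none for the fixed config. A check like this belongs next to `renovate-config-validator` in CI: the validator only proves the file is syntactically acceptable to Renovate, while a rule that matches nothing passes validation and fails silently.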


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CHANGELOG.md`:
- Around line 15-20: Several changelog bullets (e.g., the lines starting with
"fix(renovate): switch Renovate manager from poetry to pep621 for uv-managed
project", "fix(renovate): add \"regex\" to enabledManagers; omitting it silently
disabled customManagers and broke CI version-pin regex tracking",
"fix(renovate): add \"pin\" to github-actions matchUpdateTypes so SHA digest-pin
PRs are also auto-merged", and similar long entries) exceed the 120-character
Markdown line length; hard-wrap each long bullet so no line is over 120
characters by breaking after sensible punctuation or clause boundaries and
indenting continuation lines to align with the bullet, ensuring each
"fix(renovate): ..." bullet is wrapped into multiple lines under the same list
item.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b3669719-6255-456e-8b1b-9d02bc4faba4

📥 Commits

Reviewing files that changed from the base of the PR and between 1b1a036 and 4bec141.

📒 Files selected for processing (2)
  • CHANGELOG.md
  • renovate.json

Comment thread CHANGELOG.md
Comment on lines +15 to +20
- fix(renovate): switch Renovate manager from poetry to pep621 for uv-managed project; poetry manager was silently producing zero dependency PRs
- fix(renovate): correct pep621 matchDepTypes to project.dependencies / dependency-groups / tool.uv.dev-dependencies
- fix(renovate): add "regex" to enabledManagers; omitting it silently disabled customManagers and broke CI version-pin regex tracking
- fix(renovate): add project.optional-dependencies packageRule to group extras deps; ungrouped extras would have generated one PR per package
- fix(renovate): add "pin" to github-actions matchUpdateTypes so SHA digest-pin PRs are also auto-merged
- fix(renovate): replace no-op postUpdateOptions with uvUpdatePreciseVersion so lockFileMaintenance correctly regenerates uv.lock

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Wrap long changelog bullets to stay within 120 characters.

Several added bullet lines exceed the Markdown 120-character limit (e.g., Line 15, Line 17, Line 18, Line 20).
Please hard-wrap these entries onto continuation lines.

Suggested formatting
-- fix(renovate): switch Renovate manager from poetry to pep621 for uv-managed project; poetry manager was silently producing zero dependency PRs
+- fix(renovate): switch Renovate manager from poetry to pep621 for uv-managed project;
+  poetry manager was silently producing zero dependency PRs
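Review bot: the suggested change rewraps only the line-15 bullet, while the comment itself lists lines 15, 17, 18 and 20 as exceeding the 120-character limit; extend the suggestion to the remaining three bullets (same wrap after the semicolon, continuation indented under the bullet) so accepting it resolves the finding in a single commit.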

As per coding guidelines, "**/*.md: Use 120-character line length for Markdown documentation files".


williaby added a commit that referenced this pull request May 28, 2026
…2026-139 (torch) (#44)

* fix(security): resolve PYSEC-2026-161 (starlette) and suppress PYSEC-2026-139 (torch)

Unblocks CI on PRs #39, #40, and #41. Both pip-audit and osv-scanner
were flagging the same two CVEs, cascading into Code Quality, OSV
Scanner, Security Gate, and CI Gate failures on every open PR.

- Bump fastapi>=0.133.0 in [audio] extras and regenerate uv.lock;
  fastapi 0.136.3 + starlette 1.1.0 resolve PYSEC-2026-161.
- Add PYSEC-2026-139 (torch/CVE-2026-4538) to osv-scanner.toml and
  [tool.pip-audit] ignore-vuln; no upstream fix exists. Torch is an
  optional [ml] extra absent from the production container.
- Document PYSEC-2026-139 in docs/known-vulnerabilities.md per project
  CVE policy; reassess-by 2026-07-26.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs: correct torch CVE suppression justification and compensating controls

The PYSEC-2026-139 / CVE-2026-4538 suppression in three files contained
two false claims:

1. "torch is never imported by the deployed service" - vad.py:16 has an
   unconditional top-level `import torch`, refuting the grep verification.
2. "not installed in the production container (which installs only the audio
   extra)" - the Dockerfile runs `uv sync --frozen --no-dev` with no --extra
   flags; no optional extras are installed at all.

The compensating control (torch absent from production) remains valid.
Update all three files to state the accurate mechanism: the Dockerfile
installs no optional extras, so neither [ml] (direct) nor [audio]
(transitive via silero-vad) entries for torch reach the runtime image.
Remove the false grep verification claim from compensating controls.

Also corrects:
- Package field: adds the silero-vad transitive path in [audio] extra
- Patched version row: shortened to fit 120-char Markdown line limit
- pyproject.toml fastapi comment: "starlette<1.0.0" -> "starlette 0.x";
  "starlette 1.x" -> "starlette>=1.1.0" (1.1.0 is the specific fix version)
- osv-scanner.toml: replaces -- double-dash with comma (writing rule PC-011)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs(changelog): add PYSEC-2026-161 and CVE-2026-4538 security entries

Per CLAUDE.md CVE Citation Policy: any CHANGELOG entry that fixes a
security vulnerability must include the CVE ID if one has been assigned.

- PYSEC-2026-161 (starlette < 1.1.0): resolved by fastapi>=0.133.0
- CVE-2026-4538 / PYSEC-2026-139 (torch 2.9.1, AV:L HIGH): deferred
  with reassess-by 2026-07-26; no upstream fix available

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
@williaby williaby enabled auto-merge (squash) May 28, 2026 01:56
@sonarqubecloud

@williaby williaby merged commit d9bfcf5 into main May 28, 2026
32 checks passed
@williaby williaby deleted the chore/renovate-switch-to-uv-manager branch May 28, 2026 01:58