Automate dependency updates #43

Merged
mingxwa merged 2 commits into ngcpp:main from mingxwa:user/mingxwa/auto-update
Jun 14, 2026
Conversation

@mingxwa mingxwa commented Jun 14, 2026

Collaborator

Summary

Adds an automated, two-track weekly dependency-update system.

  • Everything with a standard dependency manager is bumped by self-hosted Renovate.
  • The C++ libraries that have no Renovate manager (CMake FetchContent pins and Meson wraps) are bumped by a companion script.

Each track opens a single grouped pull request.

Pipelines

Both run Mondays at 00:00 UTC (the cron is restricted to the canonical repo) and authenticate with a GitHub App installation token (DEPENDENCY_MANAGER_APP_ID / DEPENDENCY_MANAGER_APP_PRIVATE_KEY).

  • pipeline-bump-renovate-deps.yml:
    • Runs self-hosted Renovate (renovate.json).
    • Bumps GitHub Actions, pre-commit hooks, the mkdocs pip pins, the Bazel Central Registry modules and .bazelversion/bazelisk.
    • Refreshes MODULE.bazel.lock as a post-upgrade step.
    • Groups them into one PR on auto/bump-renovate-deps.
  • pipeline-bump-cpp-deps.yml: runs tools/bump_cmake_meson_deps.py and opens or updates a PR on auto/bump-cpp-deps for the libraries Renovate has no manager for.

tools/bump_cmake_meson_deps.py

  • For each CMake registry entry, queries the repo's latest GitHub release and rewrites the URL and recomputed sha256.
  • Refreshes each Meson wrap via meson wrap update.
  • Any lookup, download, or subprocess failure is a hard error.

CMake dependency registry

FetchContent pins are extracted from the CMakeLists files into JSON registries (cmake/dependencies.json, tools/report_generator/dependencies.json) and loaded by a shared helper (cmake/read_dependencies.cmake) that exposes PROXY_<NAME>_URL / PROXY_<NAME>_SHA256. This gives the bump script a single, machine-editable source of truth.

Notes

  • subprojects/fmt.wrap is switched from the third-party wrapdb (fmt 12.1.0) to the official mesonbuild wrapdb (fmt 12.0.0) so meson wrap update can manage it. This is a one-time downgrade of the Meson build's fmt. The CMake side stays at 12.1.0 until the official wrapdb catches up.
  • A GitHub App has been created for auth. Secrets have been set properly. See the generated PRs from my local runs for reference:

No functional changes.

@mingxwa mingxwa merged commit 2f6dcf8 into ngcpp:main Jun 14, 2026
16 checks passed
@mingxwa mingxwa deleted the user/mingxwa/auto-update branch June 14, 2026 23:49
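
The registry re-pinning step described in the pull request (rewrite the URL, recompute the sha256, treat every failure as a hard error), sketched as an added example; this is not the project's `tools/bump_cmake_meson_deps.py`. The registry layout, the `libdemo` name and URLs, the injected `fetch` callable, and the HTTPS and same-host checks are assumptions of this example, not details taken from the PR.

```python
import hashlib
import json
from urllib.parse import urlparse

class BumpError(RuntimeError):
    """Any failure aborts the run, so no partially bumped registry is written."""

def bump_entry(entry, new_url, fetch):
    """Re-pin one entry to new_url; fetch(url) -> bytes is injected for offline use."""
    old, new = urlparse(entry["url"]), urlparse(new_url)
    if new.scheme != "https":
        raise BumpError(f"refusing non-HTTPS URL: {new_url}")
    if new.hostname != old.hostname:
        # A bump should change the version, not the origin being trusted.
        raise BumpError(f"host changed: {old.hostname} -> {new.hostname}")
    try:
        blob = fetch(new_url)
    except Exception as exc:
        raise BumpError(f"download failed for {new_url}: {exc}") from exc
    if not blob:
        raise BumpError(f"empty download for {new_url}")
    return {**entry, "url": new_url, "sha256": hashlib.sha256(blob).hexdigest()}

def bump_registry(text, latest_urls, fetch):
    """Re-pin every entry of the JSON text; any error raises before output exists."""
    registry = json.loads(text)
    missing = sorted(set(registry) - set(latest_urls))
    if missing:
        raise BumpError(f"no release found for: {missing}")
    bumped = {n: bump_entry(e, latest_urls[n], fetch) for n, e in registry.items()}
    return json.dumps(bumped, indent=2, sort_keys=True) + "\n"

# Constructed sample data: registry layout, library name and URLs are assumptions.
NEW_URL = "https://github.com/example/libdemo/archive/refs/tags/v1.1.0.tar.gz"
SAMPLE_ARCHIVES = {NEW_URL: b"constructed archive v1.1.0"}
SAMPLE_REGISTRY = json.dumps({
    "libdemo": {
        "url": "https://github.com/example/libdemo/archive/refs/tags/v1.0.0.tar.gz",
        "sha256": hashlib.sha256(b"constructed archive v1.0.0").hexdigest(),
    }
})

def sample_fetch(url):
    return SAMPLE_ARCHIVES[url]  # KeyError stands in for a failed download

if __name__ == "__main__":
    print(bump_registry(SAMPLE_REGISTRY, {"libdemo": NEW_URL}, sample_fetch), end="")
```

Because the new sha256 is computed from whatever the download returns, the hash pins the artifact as first fetched; the grouped PR diff is the point at which a reviewer can compare the new URL and hash against the upstream release.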

2 participants