add renovatebot as an option

signalfx · Oct 13, 2023 · c55c9ea · c55c9ea
1 parent 3e793c1
commit c55c9ea
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/specification/repository.md b/specification/repository.md
@@ -54,11 +54,21 @@ approval is granted, GDI repositories MUST NOT cut a GA release.
 - MUST lock the versions of all build dependencies (e.g. libraries, binaries,
   scripts, docker images) or vendor them; **EXCEPTION:** tools that are
   available out-of-the-box on the CI runner
+- To help keep dependencies up to date, the repo MUST be configured with 
+[Dependabot](https://github.com/dependabot/dependabot-core) or [Renovate](https://github.com/apps/renovate).
+
+#### Dependabot:
+
 - MUST enable [Dependabot alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts)
   - MUST grant access to alerts for the approvers and maintainers teams
   - MUST enable [Dependabot security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates)
 - MUST configure [Dependabot version updates](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates)
 
+#### Renovate:
+
+- MUST add the repo to the [list of Renovatebot repos](https://github.com/organizations/signalfx/settings/installations/41531652).
+- MUST add a [Renovate config file](https://docs.renovatebot.com/configuration-options/) to the repo.
+
 ### GitHub Actions
 
 - MUST use [GitHub