Configure Renovate to Manage SHA-Pinned Dependencies for Multiple Packages in a Monorepo

[pankajmouriyakong]

How are you running Renovate?

A Mend.io-hosted app

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

No response

Please tell us more about your question or problem

Body:

### Description

I'm managing a GitHub monorepo, which contains multiple sub-projects/packages managed with Lerna and pnpm. Each sub-package is released independently, and downstream applications pin their dependencies to the specific commit SHAs of these releases.

### Current Setup

Monorepo Structure:

• Repository: ghaccount/shared-security
• Managed with Lerna and pnpm
• Multiple sub-packages. Note each sub-package contains its own package.json file.
  • security-actions-semgrep
  • security-actions-sign-docker-image
  • code-check-action-rust-lint
• Directory Structure
  • security-actions->semgrep
  • security-actions->sign-docker-image
  • security-actions->sca
  • code-check-action->rust-lint
• Each sub-package is released with its own tag and corresponding commit SHA. An example of package.json is

{
  "name": "security-actions-semgrep",
  "version": "2.0.0",
  "description": "This action uses Semgrep CI command to scan all supported platforms on a specified scan path",
  "main": "index.js",
  "repository": {
    "type": "git",
    "url": "https://github.com/ghaccount/shared-security",
    "directory": "security-actions/semgrep"
  },
  "private": false,
  "author": "ghaccount, Inc.",
  "license": "UNLICENSED"
}

Downstream Application GH Workflow Example:

steps:
  - uses: actions/checkout@v4
  - uses: ghaccount/shared-security/security-actions/semgrep@4fe74ae4aeeaad36d0ad768e1079beba00000000
    with:
      additional_config: '--config p/rust'

### Renovate Configuration Attempt

I've attempted to configure Renovate to handle SHA-pinned dependencies for each sub-package using a custom (regex) manager. Here's the current renovate.json:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "customManagers": [{
    "customType": "regex",
    "fileMatch": ["\\.github\/.*\\.ya?ml$"],
    "matchStrings": ["uses:\\s(?<packageName>ghaccount\\\/shared-security)\\\/.*@(?<depName>.*)_(?<currentValue>[0-9\\.]*)"],
    "datasourceTemplate": "github-tags",
    "extractVersionTemplate": "{{depName}}_(?<version>[0-9\\.]*)$"
  }],
  "packageRules": [
    {
      "matchPackagePatterns": ["^@octokit\/"],
      "updateTypes": ["major"],
      "enabled": false
    }
  ]
}

Another version of the Renovate config file to adjust specifically for SHAs.

{
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "customManagers": [{
      "customType": "regex",
      "fileMatch": ["\\.github\/.*\\.ya?ml$"],
      "matchStrings": ["uses:\\s+(?<depName>ghaccount\\/shared-security\\/security-actions\\/sign-docker-image\\/[^@]+)@(?<currentValue>[a-f0-9]{7,40})"],
      "extractVersionTemplate": "{{depName}}_(?<version>[a-f0-9]{7,40})$",
      "datasourceTemplate": "github-tags"
    }],
    "packageRules": [
      {
        "matchDatasources": ["github-releases"],
        "matchPackageNames": ["security-actions/semgrep"]
      },
      {
        "matchDatasources": ["github-releases"],
        "matchPackageNames": ["security-actions/sign-docker-image"]
      }
    ]
  }

### Issues Encountered

Incorrect SHA Updates: Even after configuring Renovate to track SHAs using the github-tags datasource, Renovate raises PRs that update to the latest commit SHA of the repository, not the commit SHA corresponding to the specific sub-package release.

Existing release of a package
Security-actions-semgrep_2.0.0 SHA 4fe74ae4ae
Security-actions-semgrep_2.1.0 SHA 36e74a5000
Security-actions-sign-docker-image_3.0.0 SHA 66674ae443

Downstream application pinned SHA
`- uses: ghaccount/shared-security/security-actions/semgrep@4fe74ae4ae…. #2.0.0
`
`
- uses: ghaccount/shared-security/security-actions/sign-docker-image@66674ae443…. #3.0.0
`

Now if a new release is made for semgrep, lets say a minor release 2.2.0.
Security-actions-semgrep_2.2.0 SHA 8ge37ghe0

Renovate goes ahead and raises a PR for all the downstream packages which are being used with the latest release of semgrep SHA digest that is 8ge37ghe0. Meaning a PR is raised for sign-docker-image@8ge37ghe0 as well.

### Desired Behavior
Package-Level Updates: Renovate should only raise PRs for a specific sub-package when a new release/tag is created for that sub-package.

SHA Pinning: Downstream applications should continue to pin to the exact commit SHA corresponding to the latest release of each specific sub-package, not to the latest commit of the entire monorepo.

### What I've Tried

1. Using customManagers: I attempted to use customManagers regex.
2. Simplifying the Regex: Tried different regex patterns to accurately capture packageName and currentValue, but Renovate either raises errors or updates to incorrect SHAs.

### Request for Assistance

1. Proper Configuration: Guidance on configuring Renovate to handle multiple SHA-pinned dependencies within a single monorepo, ensuring updates are scoped to individual sub-packages.
2. Supported Features: Confirmation on whether Renovate currently supports replacing SHAs based on specific tag releases within a monorepo setup.
3. Alternative Approaches: Recommendations for alternative strategies if the desired behavior isn't directly supported (e.g., using separate Renovate configurations, different datasources, etc.).

### Additional Information

• Renovate Version: 39.107.0
• Monorepo Tooling: Lerna with pnpm
• Release Strategy: Each sub-package is released independently with its own Git tag and commit SHA.

### Example Tagging

When releasing security-actions-semgrep_5.2.0, a Git tag like security-actions-semgrep_5.2.0 is created, pointing to commit 4fe74ae4aeeaad36d0ad768e1079beba00000000.

### Summary

I aim to have Renovate intelligently manage SHA-pinned dependencies for each sub-package within my monorepo, ensuring that only relevant PRs are raised when specific sub-packages are updated. Current configurations causes Renovate to misbehave. Assistance in achieving this setup would be greatly appreciated.

Logs (if relevant)

Logs

Replace this text with your logs, between the starting and ending triple backticks

[pankajmouriyakong]

We were able to figure out the config.

"customManagers": [
    {
      "description": "",
      "customType": "regex",
      "fileMatch": [
        "(^|/)(workflow-templates|\\.(?:github|gitea|forgejo)/(?:workflows|actions))/.+\\.ya?ml$",
        "(^|/)action\\.ya?ml$"
      ],
      "matchStrings": [
        "(?<packageName>EXAMPLE_ORG\\/EXAMPLE_REPO_NAME\\/(?<depName>[^\\s@]+))@(?:(?<currentDigest>[^\\s]+) # )?v(?<currentValue>[^\\s]+)"
      ],
      "datasourceTemplate": "github-tags",
      "extractVersionTemplate": "^(?:@{{{depName}}}@|v)(?<version>[0-9\\.]+)$",
      "autoReplaceStringTemplate": "{{{packageName}}}@{{#if newDigest}}{{{newDigest}}} # {{/if}}v{{{newVersion}}}",
      "versioningTemplate": "semver"
    }
  ],
    "packageRules": [
    {
      "description": "Manage EXAMPLE_ORG/EXAMPLE_REPO_NAME updates using the custom manager, so disable the default GitHub Actions manager for these",
      "matchPackageNames": ["EXAMPLE_ORG/EXAMPLE_REPO_NAME"],
      "matchManagers": ["github-actions"],
      "enabled": false
    }
  ]
  

Closing this discussion here.