docs: recommend Renovate instead of Greenkeeper

oeps/best-practices/oep-0067-bp-tools-and-technology.rst

@@ -167,12 +167,14 @@ Frontend Technology Selection
    Python code - see `OEP 18`_ for more information. For more information on
    package-lock files see `Package Lock`_.
 
-#. **Keep dependencies up to date by using Greenkeeper**
+#. **Keep dependencies up to date by using Renovate**
 
    **Rationale**: JavaScript dependencies are updated constantly and can be difficult
-   to maintain over time. `Greenkeeper`_ makes this easier by automatically updating
-   dependencies in a package.json file and verifying the tests still work. When
-   possible, leverage Greenkeeper to ensure JavaScript software remains up to date.
+   to maintain over time. `Renovate`_ makes this easier by automatically updating
+   dependencies in a ``package.json`` file and verifying the tests still work. When
+   possible, leverage Renovate to ensure JavaScript software remains up to date.
+   Documentation on how to configure Renovate automation on a repository is available
+   in the `Upgrade Automation How-to`_.
 
 #. **JavaScript should be bundled using Webpack**
 
@@ -322,6 +324,11 @@ Change History
 * Document created
 * `Pull request #518 <https://github.com/openedx/open-edx-proposals/pull/518>`_
 
+2024-05-23
+==========
+
+* Updated "Keep dependencies up to date" to recommend `Renovate`_ instead of Greenkeeper
+
 .. Cross-references
 .. _AMD Modules: https://github.com/amdjs/amdjs-api/wiki/AMD
 .. _Babel: https://babeljs.io/
@@ -335,7 +342,6 @@ Change History
 .. _ES2015 Modules: http://www.ecma-international.org/ecma-262/6.0/#sec-imports
 .. _ES2017: https://tc39.github.io/ecma262/
 .. _Fetch: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
-.. _Greenkeeper: https://greenkeeper.io/
 .. _Jest: https://jestjs.io/
 .. _JSX: https://facebook.github.io/react/docs/introducing-jsx.html
 .. _oep 18: https://open-edx-proposals.readthedocs.io/en/latest/oep-0018-bp-python-dependencies.html
@@ -344,5 +350,7 @@ Change History
 .. _React at edX: https://openedx.atlassian.net/wiki/display/FEDX/React
 .. _React-Testing-Library: https://testing-library.com/docs/react-testing-library/intro
 .. _ReactRender: https://github.com/openedx/edx-platform/blob/4b38b1f750918ff83c02cff776681aabe44bd689/common/djangoapps/pipeline_mako/templates/static_content.html#L159-L167
+.. _Renovate: https://renovatebot.com/
 .. _Sass documentation: http://sass-lang.com/
+.. _Upgrade Automation How-to: https://docs.openedx.org/en/latest/developers/how-tos/enable-javascript-upgrade-automation.html
 .. _Webpack: https://webpack.github.io/

oeps/best-practices/oep-0067/decisions/frontend/0009-renovate.rst

@@ -0,0 +1,66 @@
+Use Renovate to update dependencies
+###################################
+
+Status
+******
+
+Accepted
+
+Context
+*******
+
+To ensure that the 3rd-party JavaScript packages we depend on get
+updated routinely (for security patches, bug fixes, etc.), we use
+a service to regularly create pull requests that update them.
+These pull requests notify us that the dependency has been updated
+and trigger test runs to check if the dependency can be safely
+upgraded without breaking functionality.
+
+Why we use a service like this:
+
+* Security problems are occasionally found in packages we use,
+  and we want to upgrade to versions that fix them as soon as
+  possible to avoid being targeted by attacks
+
+* It's not uncommon to spend hours debugging a problem which turns out
+  to be a bug in a package which was already fixed in a newer release
+
+* Upgrading existing dependencies in a pull request to add a feature or
+  fix a bug distracts reviewers from the actual changes that had to be made
+
+* Manually creating pull requests to upgrade dependencies (and circling
+  back to check the results) is an inefficient use of developer time given
+  that this is easily automated
+
+Decision/Consequence
+********************
+
+The Open edX community uses `Renovate <https://renovatebot.com/>`_ to
+automate updates for frontend dependencies.
+
+Rejected Alternatives
+*********************
+
+1. **Greenkeeper**
+
+   * With `Greenkeeper <https://greenkeeper.io/>`_, each package to be
+     upgraded got its own pull request on every release, which was good
+     for identifying the root cause of a test failure but resulted in a
+     pretty high volume of PRs that needed to be reviewed (especially in
+     repositories which normally don't need to be updated very often). Renovate has
+     `configuration options to set the frequency of checking for new dependency 
+     releases <https://renovatebot.com/docs/noise-reduction/#scheduling-renovate>`_,
+     and to allow related packages to be `updated in the same pull 
+     request <https://renovatebot.com/docs/noise-reduction/#package-grouping>`_. This may
+     delay notification of security patch releases or make it harder to identify the
+     exact cause of a test failure, but also makes it less likely that the PRs will be
+     simply ignored for lack of time to deal with them all.
+
+   * ``package-lock.json`` was updated with each pull request, which often caused merge
+     conflicts as different PRs changed the file in slightly incompatible ways.  Some of
+     the Renovate configuration options can make such conflicts less frequent, and when
+     auto-merging is enabled (for specific packages when tests pass), it `automatically
+     rebases <https://renovatebot.com/docs/noise-reduction/#automerging-and-scheduling>`_
+     other pending pull requests.
+
+   * Greenkeeper was `discontinued in June 2020 <https://greenkeeper.io/>`_

oeps/redirects.txt

@@ -21,3 +21,4 @@
 "best-practices/oep-0011-bp-FED-technology.rst" "archived/oep-0011-bp-FED-technology.rst"
 "best-practices/oep-0009-bp-permissions.rst" "archived/oep-0009-bp-permissions.rst"
 "architectural-decisions/oep-0065-frontend-composability.rst" "architectural-decisions/oep-0065-arch-frontend-composability.rst"
+"best-practices/oep-0011/decisions/frontend/0007-typescript.rst" "best-practices/oep-0011/decisions/frontend/0008-typescript.rst"