nsheaps/renovate-setup
plugins/renovate/skills/renovate-setup/SKILL.md
Use this skill when setting up or debugging Renovate auto-merge, configuring Renovate in a repo, or diagnosing why Renovate PRs are not auto-merging.
$ install --global
skillsauthnpx skillsauth add nsheaps/ai-mktpl renovate-setupInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 27, 2026, 10:52 AM53.1s1 file scanned
SKILL.md
- name:
- renovate-setup
- description:
- >
Renovate Setup & Auto-Merge Debugging
Renovate is a dependency update bot. This skill covers enabling auto-merge on repos and debugging when Renovate PRs get stuck.
Enabling Auto-Merge on a Repo
Two steps are required: the repo setting AND the declarative settings file.
1. Enable via GitHub API
gh repo edit nsheaps/<repo> --enable-auto-merge --delete-branch-on-merge
Run separately for each repo. This sets the GitHub repo-level flag.
2. Update .github/settings.yaml
If the repo uses a declarative settings workflow (most nsheaps repos do), add
allow_auto_merge: true to the repository: block:
repository:
allow_auto_merge: true
delete_branch_on_merge: true
# ... other settings
Commit this to main. Without this, the settings workflow may reset the flag.
Renovate Config: extends Pattern
Renovate configs in nsheaps repos should extend from nsheaps/renovate-config.
The correct file name changed from default.json to default.json5:
// renovate.json5
{
$schema: "https://docs.renovatebot.com/renovate-schema.json",
extends: [
"github>nsheaps/renovate-config", // uses default.json5 automatically
],
}
Check nsheaps/renovate-config for what the shared config contains (automerge
settings, schedule, package rules, etc.).
Auto-Merge Debugging Checklist
When a Renovate PR is stuck and not auto-merging:
-
Repo setting enabled?
gh api repos/nsheaps/<repo> --jq '.allow_auto_merge' # should return: true -
PR has auto-merge queued?
gh pr view <N> --repo nsheaps/<repo> --json autoMergeRequest # autoMergeRequest should be non-nullIf null, enable it:
gh pr merge <N> --repo nsheaps/<repo> --auto --squash -
Branch protection / rulesets blocking?
gh api repos/nsheaps/<repo>/rules/branches/mainCommon blockers:
pull_requestrule requiringrequired_approving_review_count: 1→ approve the PR- Required status checks that aren't running → check CI config
-
Required status checks failing?
gh pr view <N> --repo nsheaps/<repo> --json statusCheckRollupEmpty
statusCheckRollup+ BLOCKED usually means a required check is configured but no CI run has happened (missing workflow trigger or CI never ran). -
Approve if review required:
gh pr review <N> --repo nsheaps/<repo> --approve --body "Approving Renovate dependency update."
Lint Gotcha: Mixed-Language bin/ Directories
If a repo has both shell scripts and TypeScript/JavaScript files in bin/,
the bash lint CI job will fail on the non-shell files. Fix: add extension
checks to skip non-shell files:
- name: Lint shell scripts
run: |
for script in bin/*; do
[ -d "$script" ] && continue
[ -f "$script" ] || continue
# Skip non-shell files
case "$script" in
*.ts|*.js|*.py|*.rb|*.go) continue ;;
esac
echo "Checking $script..."
bash -n "$script"
done
This is relevant to renovate because Renovate PRs updating dependencies may trigger CI runs that hit this lint bug and prevent auto-merge.
References
- nsheaps/renovate-config — shared Renovate config
- Renovate docs: automerge
- GitHub: enabling auto-merge
Related Skills
nsheaps/github-app-session-env
tools
VerifiedTrustedCommunity
Manually reproduce what the github-app plugin's SessionStart hook does to make a GitHub App installation token usable in the current session — materialize the PEM, generate the token, isolate GH_CONFIG_DIR, write the runtime env file, and wire CLAUDE_ENV_FILE so every Bash call sees GH_TOKEN/GITHUB_TOKEN. Use when the hook did not run, the token is missing from the environment, or a shell/teammate needs the token wired up by hand. <example>GH_TOKEN isn't set even though github-app is configured</example> <example>the github-app SessionStart hook didn't run, set up the token manually</example> <example>wire the github app token into CLAUDE_ENV_FILE</example> <example>gh keeps falling back to the wrong account, isolate GH_CONFIG_DIR</example>
3SKILL.mdUpdated Jun 9, 2026
nsheaps/github-app-git-identity
tools
VerifiedTrustedCommunity
Manually configure the GitHub App bot git identity the way the github-app plugin's SessionStart hook does — resolve the app slug and bot user ID, build the <slug>[bot] name and noreply email, set GIT_AUTHOR_*/GIT_COMMITTER_* env vars, and write an isolated GIT_CONFIG_GLOBAL with the gh auth git-credential helper. Use when commits are attributed to the wrong account, "Author identity unknown" appears, or git identity must be set up by hand. <example>my commits are showing up as the handler, not the bot</example> <example>git says Author identity unknown after the github-app hook ran</example> <example>configure the github app bot git identity manually</example> <example>set up the gh credential helper for git push</example>
3SKILL.mdUpdated Jun 9, 2026
nsheaps/spec-management
tools
VerifiedTrustedCommunity
Manages spec files for requirements capture and validation
3SKILL.mdUpdated Jun 7, 2026
nsheaps/plugins/bash-command-rejection/skills/bash-chaining-alternatives
tools
VerifiedTrustedCommunity
# Bash Chaining Alternatives This skill teaches you how to work around the bash command chaining restriction enforced by this plugin. ## Why Chaining is Blocked The `bash-command-rejection` plugin blocks these operators: | Operator | Name | Why Blocked | | -------- | ---------- | ----------------------------------------------------------------------------------- | | `&&` | AND chain | Runs cmd2 only if cmd1 su
3SKILL.mdUpdated Jun 7, 2026