ci: Replace Dependabot with Renovate

[matthewelwell]

Thanks for submitting a PR! Please check the boxes below:

• I have read the Contributing Guide.
• I have added information to docs/ if required so people know about the feature.
• I have filled in the "Changes" section below.
• I have filled in the "How did you test this code" section below.

Changes

Replaces Dependabot with the Renovate GitHub App:

• Removes .github/dependabot.yml
• Adds renovate.json configured for security-only updates, with per-area reviewers and labels matching the previous Dependabot config (uv/api → back-end team, frontend npm → front-end team, docs npm → docs team)

Motivation: Dependabot stopped recognising this as a Python repo after the migration to uv, reporting "not a Python repo" on security alerts. Renovate has more robust uv support.

The Renovate GitHub App is already installed on the org, so no additional workflow is needed.

Note: Once merged, I'll need to:

• Add this repository to the renovate app here
• Disable dependabot from running on this repository here

How did you test this code?

Renovate will self-verify on merge by picking up renovate.json and running its first scan.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

3 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
docs	Ignored	Preview	May 29, 2026 4:08pm
flagsmith-frontend-preview	Ignored	Preview	May 29, 2026 4:08pm
flagsmith-frontend-staging	Ignored	Preview	May 29, 2026 4:08pm

[github-actions]

Docker builds report

Image	Build Status	Security report
ghcr.io/flagsmith/flagsmith-api-test:pr-7645	Finished ✅	Skipped
ghcr.io/flagsmith/flagsmith-e2e:pr-7645	Finished ✅	Skipped
ghcr.io/flagsmith/flagsmith-frontend:pr-7645	Finished ✅	Results ✅
ghcr.io/flagsmith/flagsmith-api:pr-7645	Finished ✅	Results ✅
ghcr.io/flagsmith/flagsmith-private-cloud:pr-7645	Finished ✅	Results ✅

[gemini-code-assist]

Code Review

This pull request deletes the Dependabot configuration file, which previously managed dependency updates for the Python API (using uv) and frontend/docs (using npm). There are no review comments, and we have no feedback to provide.

[github-actions]

Playwright Test Results (oss - depot-ubuntu-latest-16)

 1 passed

Details

 1 test across 1 suite
 38.5 seconds
 cd1852f
 🔄 Run: #17113 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 1 passed

Details

 1 test across 1 suite
 43.7 seconds
 cd1852f
 🔄 Run: #17113 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

 3 passed

Details

 3 tests across 3 suites
 30.1 seconds
 cd1852f
 🔄 Run: #17113 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

 2 passed

Details

 2 tests across 2 suites
 19.3 seconds
 cd1852f
 🔄 Run: #17113 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

 1 passed

Details

 1 test across 1 suite
 39 seconds
 ad16b58
 🔄 Run: #17114 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 1 passed

Details

 1 test across 1 suite
 43.9 seconds
 ad16b58
 🔄 Run: #17114 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

 2 passed

Details

 2 tests across 2 suites
 42 seconds
 ad16b58
 🔄 Run: #17114 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

 1 passed

Details

 1 test across 1 suite
 37.4 seconds
 ad16b58
 🔄 Run: #17114 (attempt 1)

[github-actions]

Visual Regression

19 screenshots compared. See report for details.
View full report

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.52%. Comparing base (482f0ff) to head (ad16b58).
⚠️ Report is 16 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff            @@
##             main    #7645    +/-   ##
========================================
  Coverage   98.51%   98.52%            
========================================
  Files        1439     1441     +2     
  Lines       54690    54971   +281     
========================================
+ Hits        53880    54161   +281     
  Misses        810      810            

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[emyller]

Lezz go!!!

(one question)

[emyller]

question: Does the lacking matchFileNames mean we need a default runtime, which includes api/**?

[khvn26]

should be covered by CODEOWNERS

[khvn26]

should be covered by CODEOWNERS

[khvn26]

should be covered by CODEOWNERS

[khvn26]

Looks like this is a better expression of what we're looking for?

Suggested change

	"extends": ["config:base"],
	"enabled": false,
	"dependencyDashboard": false,
	"osvVulnerabilityAlerts": true,
	"semanticCommits": "enabled",
	"semanticCommitType": "deps",
	"semanticCommitScope": null,
	"vulnerabilityAlerts": {
	"enabled": true
	},
	"packageRules": [
	"extends": [":disableDependencyDashboard", "security:only-security-updates", "semanticCommitType(deps)"],
	"packageRules": [

[khvn26]

nit

Suggested change

	"addLabels": ["api", "dependencies"]
	"addLabels": ["api", "dependencies"],
	"semanticCommitScope": "API"

[khvn26]

nit

Suggested change

	"addLabels": ["front-end", "dependencies"]
	"addLabels": ["front-end", "dependencies"],
	"semanticCommitScope": "Frontend"

[khvn26]

nit

Suggested change

	"addLabels": ["docs", "dependencies"]
	"addLabels": ["docs", "dependencies"],
	"semanticCommitScope": "Docs"