Skip to content

ci: tighten Renovate config#579

Closed
Vombato wants to merge 10 commits into
mainfrom
ci/renovate-config
Closed

ci: tighten Renovate config#579
Vombato wants to merge 10 commits into
mainfrom
ci/renovate-config

Conversation

@Vombato

@Vombato Vombato commented May 25, 2026

Copy link
Copy Markdown
Contributor

Summary

Replace the onboarding renovate.json with an explicit config: monthly batched bumps, minimumReleaseAge: 7 days, CVE-driven PRs immediate (with OSV feed), framework anchors (next, react, react-dom, @chakra-ui/react, docker node) excluded from major bumps, and auto-merge intentionally disabled because the current CI is unit-tests-only.

Renovate PRs continue to go through deploy-preview.yml. Because Renovate's author_association is NONE, the gate routes them to the preview-approval environment, so they pause for a single-click reviewer opt-in. This keeps the preview env available as the regression-catch layer for dependency bumps without auto-deploying every batch. Dependabot PRs continue to skip the gate entirely (no AWS secret access).

@Vombato Vombato added the increment:patch PR adds backwards compatible bug fixes / patches label May 25, 2026
Replace the onboarding `renovate.json` (which only extended
`config:recommended`) with an explicit configuration that matches how
this project wants to manage dependency updates:

- Monthly schedule (first day of the month, Europe/Rome).
- `minimumReleaseAge: 7 days` so a freshly released version has to
  sit on npm/Docker Hub for a week before Renovate considers it.
  Defends against pwned-release supply-chain attacks.
- Routine minor/patch/digest/pin updates are batched into a single
  monthly PR titled "Update non-major dependencies".
- `lockFileMaintenance` runs monthly to pick up transitive patches
  inside existing ranges, in its own labelled PR.
- Major bumps are individual PRs, with the framework anchors
  (`next`, `react`, `react-dom`, `@chakra-ui/react`) and the docker
  `node` base image explicitly blocked from major bumps — those
  require a migration and never bump automatically.
- Vulnerability alerts override the schedule and the 7-day soak so
  CVE fixes flow immediately. OSV-backed advisories are enabled to
  broaden the feed beyond GHSA.
- Auto-merge intentionally not enabled: the CI here runs unit tests
  only (no e2e), which is insufficient to catch UI/SDK regressions
  introduced by transitive bumps.

The deploy-preview gate is left intact for Renovate-authored PRs.
Because the CI does not exercise UI/SDK code paths, the preview env
is the only place a reviewer can verify a dependency bump did not
break the app. Renovate PRs fall through to the `preview-approval`
environment (author association is NONE), so they pause for a
single-click reviewer opt-in instead of deploying automatically.
Dependabot PRs continue to skip the gate entirely because they
cannot access the AWS secret and the workflow would always fail.
@Vombato Vombato force-pushed the ci/renovate-config branch from 53c0258 to 8e57af1 Compare May 25, 2026 09:33
@Vombato Vombato changed the title ci: tighten Renovate config and skip preview deploys for it ci: tighten Renovate config May 25, 2026
@Vombato Vombato requested review from Copilot and davidecarpini May 25, 2026 09:34

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR replaces the minimal “recommended” Renovate onboarding config with an explicit policy aimed at reducing dependency PR noise (monthly batching + concurrency limit), delaying non-urgent updates (minimumReleaseAge), and treating vulnerability-driven updates differently, while clarifying preview-environment behavior for Renovate PRs in CI.

Changes:

  • Define explicit Renovate scheduling, grouping, labels, and concurrency limits.
  • Disable major updates for selected framework “anchors” and the Docker node base image.
  • Update preview workflow comments to reflect that Renovate PRs can deploy previews via the existing approval gate.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
renovate.json Adds explicit Renovate scheduling, grouping rules, vulnerability handling, and disables major bumps for selected packages/images.
.github/workflows/deploy-preview.yml Comment update describing why Dependabot is skipped and how Renovate PRs use the approval gate.
.github/workflows/destroy-preview.yml Comment update clarifying destroy behavior for Renovate vs Dependabot PRs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread renovate.json
@Vombato Vombato requested review from daithihearn and removed request for daithihearn and davidecarpini May 25, 2026 09:36
@github-actions

github-actions Bot commented May 25, 2026

Copy link
Copy Markdown

PR Docker Image Published

docker pull ghcr.io/vechain/block-explorer:pr.579.ce437bb
Run locally
docker run --rm -p 3000:3000 ghcr.io/vechain/block-explorer:pr.579.ce437bb

The previous single `gate` job used a dynamic `environment.name`
expression to route maintainer PRs to `preview-auto` and everyone
else to `preview-approval`. GitHub Actions silently routed every PR
to `preview-approval` regardless of `author_association`, leaving
maintainer PRs stuck waiting for a reviewer.

Replace the expression with two explicit jobs (`gate-auto` and
`gate-approval`) plus a `gate` merge job. The merge job depends on
both upstream gates and succeeds when either of them succeeded.
Downstream jobs keep their `needs: [gate]` reference unchanged.

Behaviour by author:
- Dependabot: both upstream gates skipped by `if:`, merge gate also
  skipped, preview workflow does not deploy.
- OWNER/MEMBER/COLLABORATOR: `gate-auto` runs against `preview-auto`
  (no protection rules), `gate-approval` skipped, merge gate runs,
  preview deploys without human review.
- Everyone else (Renovate, external contributors, fork PRs):
  `gate-auto` skipped, `gate-approval` runs against `preview-approval`
  (required reviewers), workflow pauses for a single reviewer click,
  then merge gate runs and the preview deploys.
@Vombato Vombato temporarily deployed to preview-approval May 25, 2026 09:54 — with GitHub Actions Inactive
`contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), author_association)`
was evaluating to false for a confirmed MEMBER PR, routing the run to
the approval-required environment. Replace with a plain OR chain that
the GitHub Actions expression engine handles reliably, and add a
short-lived `gate-debug` job that prints the values the workflow
actually sees so we can confirm the gating logic before removing the
diagnostic step.
@Vombato Vombato temporarily deployed to preview-approval May 25, 2026 10:23 — with GitHub Actions Inactive
Renovate's `minimumReleaseAge` expects a duration string like
`"0 days"` / `"0 hours"`. A bare `"0"` is not a valid duration and
silently falls back to the inherited global `minimumReleaseAge: "7
days"`, which would block urgent CVE PRs for a week — the opposite
of what the override is meant to do.

Switch the `vulnerabilityAlerts.minimumReleaseAge` override to
`"0 days"` so security advisories bypass the soak window as
intended.
Two changes:

1. Add a head-repo guard to `gate-auto`. A fork PR no longer auto-deploys
   even when the author is OWNER/MEMBER/COLLABORATOR. Maintainers have
   write access and have no reason to open a PR from a fork, so we treat
   any fork PR as untrusted and route it through `gate-approval` for the
   single-click reviewer opt-in. The corresponding clause is mirrored in
   `gate-approval.if`, which now also catches fork PRs from maintainers.

2. Remove the temporary `gate-debug` job. The OR-chain on
   `author_association` was confirmed to work as expected on the previous
   run, so the diagnostic step is no longer needed.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

Comment thread .github/workflows/deploy-preview.yml Outdated
Comment on lines 29 to 35
# Only run if the PR was actually deployed (in-repo PR, not Dependabot).
# Dependabot PRs are skipped by deploy-preview, so no preview exists to destroy.
# Dependabot PRs are skipped by deploy-preview, so no preview exists to
# destroy. Renovate PRs can deploy a preview when a reviewer approves,
# so destroy runs for them too.
if: >-
github.event.pull_request.head.repo.full_name == github.repository &&
github.event.pull_request.user.login != 'dependabot[bot]'
gate-auto keeps being skipped for a confirmed MEMBER PR even after
the OR-chain rewrite and the head-repo guard, while the REST API
reports `author_association: MEMBER`. Re-add a short-lived
`gate-debug` job that prints the values the workflow runtime
actually sees so we can pinpoint the divergence and revert the
diagnostic in a follow-up commit.
@Vombato Vombato temporarily deployed to preview-approval May 25, 2026 11:39 — with GitHub Actions Inactive
…ation

The webhook payload returned `author_association: CONTRIBUTOR` for a
confirmed org member, while the REST API returned `MEMBER`. The two
fields are computed differently and routing on the webhook value sent
every internal PR through the approval-required gate.

Replace the `author_association` check with a dedicated `classify`
job that queries `repos/{owner}/{repo}/collaborators/{user}`. The
collaborators API recognises org members with write access through
team permissions, so it is authoritative for the "trusted enough to
auto-deploy a preview" decision. Fork PRs still short-circuit to the
approval path before the API call.

Also drop the diagnostic job re-added in the previous commit.
@Vombato Vombato temporarily deployed to preview-approval May 25, 2026 11:43 — with GitHub Actions Inactive
Two related fixes after observing the previous run skip every
downstream job even after `gate` succeeded:

1. Replace the collaborators-API check with a simpler decision. The
   default GITHUB_TOKEN cannot reliably resolve org-team-based
   collaborator membership on org-owned repositories, so the API
   returned 404 for a confirmed org member and routed every internal
   PR through the approval gate. Push access to an in-repo branch is
   already enforced by GitHub, so an in-repo PR author is by
   definition trusted to deploy a preview. Fork PRs and Renovate PRs
   are the only paths that still require approval.

2. Add explicit `if: needs.gate.result == 'success'` to every job
   downstream of `gate`. When `gate-auto` is skipped (which it
   always will be on the approval path, and vice versa), GitHub
   Actions cascades the skip through `gate` to every dependent job
   that lacks an explicit `if:`, regardless of whether `gate` itself
   ran. The explicit `if:` opts each downstream job out of the
   cascade.
Previous attempt added `if: needs.gate.result == 'success'` to every
downstream job to break the cascade-skip when one of `gate`'s
upstreams was skipped, but the implicit `success()` check still
fired because GitHub Actions applies it on top of a custom `if:`
when any direct or transitive need was skipped.

Mirror the prefix used on the `gate` merge job itself
(`!cancelled() && !failure() && ...`) on every downstream job. With
this prefix the implicit `success()` is bypassed and the job runs
based purely on the explicit conditions.
@github-actions

github-actions Bot commented May 25, 2026

Copy link
Copy Markdown

Block explorer – Preview

Name Status Preview Updated (UTC)
block-explorer-preview 🗑️ Destroyed (ce437bb) Preview deleted 2026-05-25 12:12:10

Preview environment destroyed after PR was closed

@Vombato

Vombato commented May 25, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #584 (squashed clean commit).

@Vombato Vombato closed this May 25, 2026
@Vombato Vombato deleted the ci/renovate-config branch May 25, 2026 12:10
@Vombato Vombato deployed to preview-pr-579 May 25, 2026 12:10 — with GitHub Actions Active
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

increment:patch PR adds backwards compatible bug fixes / patches

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants