ci: tighten Renovate config#579
Closed
Vombato wants to merge 10 commits into
Closed
Conversation
Replace the onboarding `renovate.json` (which only extended `config:recommended`) with an explicit configuration that matches how this project wants to manage dependency updates: - Monthly schedule (first day of the month, Europe/Rome). - `minimumReleaseAge: 7 days` so a freshly released version has to sit on npm/Docker Hub for a week before Renovate considers it. Defends against pwned-release supply-chain attacks. - Routine minor/patch/digest/pin updates are batched into a single monthly PR titled "Update non-major dependencies". - `lockFileMaintenance` runs monthly to pick up transitive patches inside existing ranges, in its own labelled PR. - Major bumps are individual PRs, with the framework anchors (`next`, `react`, `react-dom`, `@chakra-ui/react`) and the docker `node` base image explicitly blocked from major bumps — those require a migration and never bump automatically. - Vulnerability alerts override the schedule and the 7-day soak so CVE fixes flow immediately. OSV-backed advisories are enabled to broaden the feed beyond GHSA. - Auto-merge intentionally not enabled: the CI here runs unit tests only (no e2e), which is insufficient to catch UI/SDK regressions introduced by transitive bumps. The deploy-preview gate is left intact for Renovate-authored PRs. Because the CI does not exercise UI/SDK code paths, the preview env is the only place a reviewer can verify a dependency bump did not break the app. Renovate PRs fall through to the `preview-approval` environment (author association is NONE), so they pause for a single-click reviewer opt-in instead of deploying automatically. Dependabot PRs continue to skip the gate entirely because they cannot access the AWS secret and the workflow would always fail.
53c0258 to
8e57af1
Compare
There was a problem hiding this comment.
Pull request overview
This PR replaces the minimal “recommended” Renovate onboarding config with an explicit policy aimed at reducing dependency PR noise (monthly batching + concurrency limit), delaying non-urgent updates (minimumReleaseAge), and treating vulnerability-driven updates differently, while clarifying preview-environment behavior for Renovate PRs in CI.
Changes:
- Define explicit Renovate scheduling, grouping, labels, and concurrency limits.
- Disable major updates for selected framework “anchors” and the Docker
nodebase image. - Update preview workflow comments to reflect that Renovate PRs can deploy previews via the existing approval gate.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| renovate.json | Adds explicit Renovate scheduling, grouping rules, vulnerability handling, and disables major bumps for selected packages/images. |
| .github/workflows/deploy-preview.yml | Comment update describing why Dependabot is skipped and how Renovate PRs use the approval gate. |
| .github/workflows/destroy-preview.yml | Comment update clarifying destroy behavior for Renovate vs Dependabot PRs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
PR Docker Image PublishedRun locallydocker run --rm -p 3000:3000 ghcr.io/vechain/block-explorer:pr.579.ce437bb |
The previous single `gate` job used a dynamic `environment.name` expression to route maintainer PRs to `preview-auto` and everyone else to `preview-approval`. GitHub Actions silently routed every PR to `preview-approval` regardless of `author_association`, leaving maintainer PRs stuck waiting for a reviewer. Replace the expression with two explicit jobs (`gate-auto` and `gate-approval`) plus a `gate` merge job. The merge job depends on both upstream gates and succeeds when either of them succeeded. Downstream jobs keep their `needs: [gate]` reference unchanged. Behaviour by author: - Dependabot: both upstream gates skipped by `if:`, merge gate also skipped, preview workflow does not deploy. - OWNER/MEMBER/COLLABORATOR: `gate-auto` runs against `preview-auto` (no protection rules), `gate-approval` skipped, merge gate runs, preview deploys without human review. - Everyone else (Renovate, external contributors, fork PRs): `gate-auto` skipped, `gate-approval` runs against `preview-approval` (required reviewers), workflow pauses for a single reviewer click, then merge gate runs and the preview deploys.
`contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), author_association)`
was evaluating to false for a confirmed MEMBER PR, routing the run to
the approval-required environment. Replace with a plain OR chain that
the GitHub Actions expression engine handles reliably, and add a
short-lived `gate-debug` job that prints the values the workflow
actually sees so we can confirm the gating logic before removing the
diagnostic step.
Renovate's `minimumReleaseAge` expects a duration string like `"0 days"` / `"0 hours"`. A bare `"0"` is not a valid duration and silently falls back to the inherited global `minimumReleaseAge: "7 days"`, which would block urgent CVE PRs for a week — the opposite of what the override is meant to do. Switch the `vulnerabilityAlerts.minimumReleaseAge` override to `"0 days"` so security advisories bypass the soak window as intended.
Two changes: 1. Add a head-repo guard to `gate-auto`. A fork PR no longer auto-deploys even when the author is OWNER/MEMBER/COLLABORATOR. Maintainers have write access and have no reason to open a PR from a fork, so we treat any fork PR as untrusted and route it through `gate-approval` for the single-click reviewer opt-in. The corresponding clause is mirrored in `gate-approval.if`, which now also catches fork PRs from maintainers. 2. Remove the temporary `gate-debug` job. The OR-chain on `author_association` was confirmed to work as expected on the previous run, so the diagnostic step is no longer needed.
Comment on lines
29
to
35
| # Only run if the PR was actually deployed (in-repo PR, not Dependabot). | ||
| # Dependabot PRs are skipped by deploy-preview, so no preview exists to destroy. | ||
| # Dependabot PRs are skipped by deploy-preview, so no preview exists to | ||
| # destroy. Renovate PRs can deploy a preview when a reviewer approves, | ||
| # so destroy runs for them too. | ||
| if: >- | ||
| github.event.pull_request.head.repo.full_name == github.repository && | ||
| github.event.pull_request.user.login != 'dependabot[bot]' |
gate-auto keeps being skipped for a confirmed MEMBER PR even after the OR-chain rewrite and the head-repo guard, while the REST API reports `author_association: MEMBER`. Re-add a short-lived `gate-debug` job that prints the values the workflow runtime actually sees so we can pinpoint the divergence and revert the diagnostic in a follow-up commit.
…ation
The webhook payload returned `author_association: CONTRIBUTOR` for a
confirmed org member, while the REST API returned `MEMBER`. The two
fields are computed differently and routing on the webhook value sent
every internal PR through the approval-required gate.
Replace the `author_association` check with a dedicated `classify`
job that queries `repos/{owner}/{repo}/collaborators/{user}`. The
collaborators API recognises org members with write access through
team permissions, so it is authoritative for the "trusted enough to
auto-deploy a preview" decision. Fork PRs still short-circuit to the
approval path before the API call.
Also drop the diagnostic job re-added in the previous commit.
Two related fixes after observing the previous run skip every downstream job even after `gate` succeeded: 1. Replace the collaborators-API check with a simpler decision. The default GITHUB_TOKEN cannot reliably resolve org-team-based collaborator membership on org-owned repositories, so the API returned 404 for a confirmed org member and routed every internal PR through the approval gate. Push access to an in-repo branch is already enforced by GitHub, so an in-repo PR author is by definition trusted to deploy a preview. Fork PRs and Renovate PRs are the only paths that still require approval. 2. Add explicit `if: needs.gate.result == 'success'` to every job downstream of `gate`. When `gate-auto` is skipped (which it always will be on the approval path, and vice versa), GitHub Actions cascades the skip through `gate` to every dependent job that lacks an explicit `if:`, regardless of whether `gate` itself ran. The explicit `if:` opts each downstream job out of the cascade.
Previous attempt added `if: needs.gate.result == 'success'` to every downstream job to break the cascade-skip when one of `gate`'s upstreams was skipped, but the implicit `success()` check still fired because GitHub Actions applies it on top of a custom `if:` when any direct or transitive need was skipped. Mirror the prefix used on the `gate` merge job itself (`!cancelled() && !failure() && ...`) on every downstream job. With this prefix the implicit `success()` is bypassed and the job runs based purely on the explicit conditions.
Block explorer – Preview
Preview environment destroyed after PR was closed |
Contributor
Author
|
Superseded by #584 (squashed clean commit). |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Replace the onboarding
renovate.jsonwith an explicit config: monthly batched bumps,minimumReleaseAge: 7 days, CVE-driven PRs immediate (with OSV feed), framework anchors (next,react,react-dom,@chakra-ui/react, dockernode) excluded from major bumps, and auto-merge intentionally disabled because the current CI is unit-tests-only.Renovate PRs continue to go through
deploy-preview.yml. Because Renovate'sauthor_associationisNONE, the gate routes them to thepreview-approvalenvironment, so they pause for a single-click reviewer opt-in. This keeps the preview env available as the regression-catch layer for dependency bumps without auto-deploying every batch. Dependabot PRs continue to skip the gate entirely (no AWS secret access).