ci: tighten Renovate config and gate preview deploys#584
Merged
Conversation
Renovate (`renovate.json`)
Replace the onboarding `{"extends": ["config:recommended"]}` with an
explicit configuration:
- Monthly schedule (first day of the month, Europe/Rome).
- `minimumReleaseAge: 7 days` so a freshly released version has to
sit on npm / Docker Hub for a week before Renovate considers it.
Defends against pwned-release supply-chain attacks.
- Minor / patch / digest / pin updates are batched into a single
monthly PR titled "Update non-major dependencies".
- `lockFileMaintenance` runs monthly to pick up transitive patches
within existing ranges, in its own labelled PR.
- Major bumps are individual PRs and are explicitly disabled for the
framework anchors (`next`, `react`, `react-dom`, `@chakra-ui/react`)
and the docker `node` base image — those need a migration plan.
- `vulnerabilityAlerts` overrides both the schedule and the soak
window (`minimumReleaseAge: "0 days"`) so CVE fixes flow
immediately; the OSV feed is enabled to broaden GHSA coverage.
- Auto-merge intentionally disabled — current CI is unit tests only,
not enough to catch UI/SDK regressions from a transitive bump.
Preview deploy gate (`deploy-preview.yml`)
Add a `classify` job that decides routing without relying on
`github.event.pull_request.author_association` (the webhook payload
returns CONTRIBUTOR for confirmed org members) and without calling
the collaborators API (the default GITHUB_TOKEN cannot resolve
team-based collaborator membership on org-owned repos). The
decision uses the only signals that are reliable from a
`pull_request` event:
- Fork PR (head.repo != github.repository) -> approval.
- Renovate PR -> approval (opt-in for dep bumps).
- Everything else -> auto (push access to an in-repo branch is
already enforced by GitHub).
Two follow-up jobs implement the routing: `gate-auto` uses a
no-rules `preview-auto` environment, `gate-approval` uses
`preview-approval` (required reviewers). A merge `gate` job depends
on both and succeeds when either ran successfully.
Every downstream job is prefixed with
`!cancelled() && !failure() && needs.gate.result == 'success'`. The
prefix is required to opt out of GitHub Actions' implicit
`success()` check, which otherwise cascades the "skipped" status of
the unused gate to every dependent job even when the merge `gate`
ran successfully.
Dependabot PRs are filtered at `classify.if` so the whole chain
short-circuits — no AWS secrets are available, no preview is
useful, and the workflow does not consume runner minutes.
Destroy preview (`destroy-preview.yml`)
Mirror the dependabot/fork filtering and document that Renovate
and unapproved-gate PRs still flow through; the workspace-select
step then exits cleanly when no preview exists.
Block explorer – Preview
Preview environment destroyed after PR was closed |
There was a problem hiding this comment.
Pull request overview
This PR replaces the default Renovate onboarding config with an explicit, monthly-batched dependency update policy and introduces a two-track preview deployment gate that auto-approves maintainer PRs while requiring reviewer approval for Renovate and non-maintainer contexts.
Changes:
- Adds an explicit
renovate.jsonconfig (monthly schedule, minimum release age, grouped non-major updates, special handling for vulnerability PRs, and major-bump exclusions for selected anchors). - Refactors
deploy-preview.ymlto route PRs through either an auto-approved environment or a reviewer-gated environment before deploying. - Aligns
destroy-preview.ymlgating commentary/conditions with the updated preview deployment behavior.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| renovate.json | Defines Renovate scheduling/grouping rules, release-age gating, and vulnerability PR handling. |
| .github/workflows/deploy-preview.yml | Adds PR classification + dual gating environments before running preview build/deploy jobs. |
| .github/workflows/destroy-preview.yml | Updates destroy job gating rationale to reflect which PR categories can produce previews. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
PR Docker Image PublishedRun locallydocker run --rm -p 3000:3000 ghcr.io/vechain/block-explorer:pr.584.7a8073b |
- Drop the global `increment:patch` label from `renovate.json` and assign the increment label per update type via packageRules: minor/patch/digest/pin -> `increment:patch`, major -> `increment:major`. Avoids labelling major dependency bumps as patch releases. `addLabels` is used inside `lockFileMaintenance` and `vulnerabilityAlerts` so they pick up the per-update-type labels too without re-listing `dependencies`. - Skip fork PRs in the preview-deploy `classify` job. `pull_request` does not pass secrets to fork-authored runs, so routing them to `preview-approval` could never recover AWS access and the AWS step would always fail after approval. Skipping forks matches the Dependabot pattern. - Rewrite the stale `classify` comment that still described a collaborators-API check (removed in a prior iteration) and now documents the actual reasoning: in-repo branch == trusted via push access, Renovate == reviewer opt-in, Dependabot/forks == skipped.
daithihearn
approved these changes
May 26, 2026
Vombato
disabled auto-merge
May 26, 2026 13:17
Vombato
enabled auto-merge (squash)
May 26, 2026 13:17
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Replace the onboarding
renovate.jsonwith an explicit configuration (monthly batched bumps,minimumReleaseAge: 7 days, CVE PRs immediate, framework anchors and the dockernodeimage excluded from major bumps, no auto-merge) and add a preview-deploy gate indeploy-preview.ymlthat routes maintainer PRs to a no-rulespreview-autoenvironment and routes Renovate PRs and fork PRs to a reviewer-gatedpreview-approvalenvironment.destroy-preview.ymlis updated to match.