Skip to content

ci: tighten Renovate config and gate preview deploys#584

Merged
Vombato merged 4 commits into
mainfrom
ci/renovate-clean
May 26, 2026
Merged

ci: tighten Renovate config and gate preview deploys#584
Vombato merged 4 commits into
mainfrom
ci/renovate-clean

Conversation

@Vombato

@Vombato Vombato commented May 25, 2026

Copy link
Copy Markdown
Contributor

Summary

Replace the onboarding renovate.json with an explicit configuration (monthly batched bumps, minimumReleaseAge: 7 days, CVE PRs immediate, framework anchors and the docker node image excluded from major bumps, no auto-merge) and add a preview-deploy gate in deploy-preview.yml that routes maintainer PRs to a no-rules preview-auto environment and routes Renovate PRs and fork PRs to a reviewer-gated preview-approval environment. destroy-preview.yml is updated to match.

Renovate (`renovate.json`)

Replace the onboarding `{"extends": ["config:recommended"]}` with an
explicit configuration:

- Monthly schedule (first day of the month, Europe/Rome).
- `minimumReleaseAge: 7 days` so a freshly released version has to
  sit on npm / Docker Hub for a week before Renovate considers it.
  Defends against pwned-release supply-chain attacks.
- Minor / patch / digest / pin updates are batched into a single
  monthly PR titled "Update non-major dependencies".
- `lockFileMaintenance` runs monthly to pick up transitive patches
  within existing ranges, in its own labelled PR.
- Major bumps are individual PRs and are explicitly disabled for the
  framework anchors (`next`, `react`, `react-dom`, `@chakra-ui/react`)
  and the docker `node` base image — those need a migration plan.
- `vulnerabilityAlerts` overrides both the schedule and the soak
  window (`minimumReleaseAge: "0 days"`) so CVE fixes flow
  immediately; the OSV feed is enabled to broaden GHSA coverage.
- Auto-merge intentionally disabled — current CI is unit tests only,
  not enough to catch UI/SDK regressions from a transitive bump.

Preview deploy gate (`deploy-preview.yml`)

Add a `classify` job that decides routing without relying on
`github.event.pull_request.author_association` (the webhook payload
returns CONTRIBUTOR for confirmed org members) and without calling
the collaborators API (the default GITHUB_TOKEN cannot resolve
team-based collaborator membership on org-owned repos). The
decision uses the only signals that are reliable from a
`pull_request` event:

- Fork PR (head.repo != github.repository) -> approval.
- Renovate PR -> approval (opt-in for dep bumps).
- Everything else -> auto (push access to an in-repo branch is
  already enforced by GitHub).

Two follow-up jobs implement the routing: `gate-auto` uses a
no-rules `preview-auto` environment, `gate-approval` uses
`preview-approval` (required reviewers). A merge `gate` job depends
on both and succeeds when either ran successfully.

Every downstream job is prefixed with
`!cancelled() && !failure() && needs.gate.result == 'success'`. The
prefix is required to opt out of GitHub Actions' implicit
`success()` check, which otherwise cascades the "skipped" status of
the unused gate to every dependent job even when the merge `gate`
ran successfully.

Dependabot PRs are filtered at `classify.if` so the whole chain
short-circuits — no AWS secrets are available, no preview is
useful, and the workflow does not consume runner minutes.

Destroy preview (`destroy-preview.yml`)

Mirror the dependabot/fork filtering and document that Renovate
and unapproved-gate PRs still flow through; the workspace-select
step then exits cleanly when no preview exists.
@Vombato Vombato added the increment:patch PR adds backwards compatible bug fixes / patches label May 25, 2026
@github-actions

github-actions Bot commented May 25, 2026

Copy link
Copy Markdown

Block explorer – Preview

Name Status Preview Updated (UTC)
block-explorer-preview 🗑️ Destroyed (7a8073b) Preview deleted 2026-05-26 13:53:35

Preview environment destroyed after PR was closed

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR replaces the default Renovate onboarding config with an explicit, monthly-batched dependency update policy and introduces a two-track preview deployment gate that auto-approves maintainer PRs while requiring reviewer approval for Renovate and non-maintainer contexts.

Changes:

  • Adds an explicit renovate.json config (monthly schedule, minimum release age, grouped non-major updates, special handling for vulnerability PRs, and major-bump exclusions for selected anchors).
  • Refactors deploy-preview.yml to route PRs through either an auto-approved environment or a reviewer-gated environment before deploying.
  • Aligns destroy-preview.yml gating commentary/conditions with the updated preview deployment behavior.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
renovate.json Defines Renovate scheduling/grouping rules, release-age gating, and vulnerability PR handling.
.github/workflows/deploy-preview.yml Adds PR classification + dual gating environments before running preview build/deploy jobs.
.github/workflows/destroy-preview.yml Updates destroy job gating rationale to reflect which PR categories can produce previews.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread renovate.json Outdated
Comment thread .github/workflows/deploy-preview.yml Outdated
Comment thread .github/workflows/deploy-preview.yml Outdated
@Vombato
Vombato temporarily deployed to preview-pr-584 May 25, 2026 12:15 — with GitHub Actions Inactive
@github-actions

github-actions Bot commented May 25, 2026

Copy link
Copy Markdown

PR Docker Image Published

docker pull ghcr.io/vechain/block-explorer:pr.584.7a8073b
Run locally
docker run --rm -p 3000:3000 ghcr.io/vechain/block-explorer:pr.584.7a8073b

- Drop the global `increment:patch` label from `renovate.json` and
  assign the increment label per update type via packageRules:
  minor/patch/digest/pin -> `increment:patch`, major -> `increment:major`.
  Avoids labelling major dependency bumps as patch releases. `addLabels`
  is used inside `lockFileMaintenance` and `vulnerabilityAlerts` so
  they pick up the per-update-type labels too without re-listing
  `dependencies`.
- Skip fork PRs in the preview-deploy `classify` job. `pull_request`
  does not pass secrets to fork-authored runs, so routing them to
  `preview-approval` could never recover AWS access and the AWS
  step would always fail after approval. Skipping forks matches the
  Dependabot pattern.
- Rewrite the stale `classify` comment that still described a
  collaborators-API check (removed in a prior iteration) and now
  documents the actual reasoning: in-repo branch == trusted via push
  access, Renovate == reviewer opt-in, Dependabot/forks == skipped.
@Vombato
Vombato temporarily deployed to preview-pr-584 May 25, 2026 12:42 — with GitHub Actions Inactive
@Vombato
Vombato temporarily deployed to preview-pr-584 May 25, 2026 12:46 — with GitHub Actions Inactive
@Vombato
Vombato enabled auto-merge (squash) May 25, 2026 13:25
@Vombato
Vombato disabled auto-merge May 26, 2026 13:17
@Vombato
Vombato enabled auto-merge (squash) May 26, 2026 13:17
@Vombato
Vombato temporarily deployed to preview-pr-584 May 26, 2026 13:46 — with GitHub Actions Inactive
@Vombato
Vombato merged commit 9391eb0 into main May 26, 2026
12 checks passed
@Vombato
Vombato deleted the ci/renovate-clean branch May 26, 2026 13:52
@Vombato
Vombato temporarily deployed to preview-pr-584 May 26, 2026 13:52 — with GitHub Actions Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

increment:patch PR adds backwards compatible bug fixes / patches

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants