[ITEP-83030] Enable self-hosted Renovate bot to track Tracker Service Conan C++ dependencies#1027
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Pull request overview
Adds self-hosted Renovate automation intended to track Tracker Service Conan (C++) dependencies and strengthens Tracker CI with an additional secrets-scanning job.
Changes:
- Introduces a scheduled + manual Renovate workflow using a GitHub App token.
- Adds a Renovate configuration validator workflow for .github/renovate.json5 PR changes.
- Extends Tracker Service CI to run a gitleaks scan and expands Dependabot scanning to Tracker paths.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| .github/workflows/tracker-service.yaml | Adds a dedicated gitleaks job to scan tracker/ in the Tracker Service CI workflow. |
| .github/workflows/renovate.yml | New workflow to run self-hosted Renovate on a schedule / manual dispatch. |
| .github/workflows/renovate-config-validator.yml | New workflow to validate Renovate config changes via renovate-config-validator. |
| .github/renovate.json5 | New Renovate config targeting tracker/conanfile.txt and defining update grouping/labels. |
| .github/dependabot.yml | Adds Tracker directories to existing Dependabot update scopes. |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…edge-platform/scenescape into ITEP-83030/renovate-config
.github/workflows/renovate.yml
| # 1. Scheduled Run: | ||
| # Automatically runs daily (checks monthly schedule in config) | ||
| # | ||
| # 2. Manual Trigger: |
This part of the instructions just duplicates what's in the workflow. Users will use it from the Actions tab, so this can be removed.
| labels: ["dependencies", "major-update", "tracker"], | ||
| }, | ||
| { | ||
| description: "OpenCV updates - needs careful testing", |
Why are all dependencies listed as separate rules? Won't they be caught by the first rule in the list?
Another question: does Renovate support security patches like Dependabot does? That's probably the most important event that should trigger a dependency update.
Grouped - dcbea47
Yes, Renovate supports security updates.
```json5
...
vulnerabilityAlerts: {
  enabled: true,
  labels: ["security", "tracker"],
},
osvVulnerabilityAlerts: true,
...
```
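As an added illustration (not the PR's own `.github/renovate.json5`), a single grouped `packageRules` entry of the kind the reviewer asks about, placed beside the vulnerability-alert settings quoted in the reply; the `conan` manager, `matchFileNames`, `addLabels` and `enabledManagers` keys are Renovate options assumed from its documentation rather than taken from this thread, and OSV coverage of Conan packages is likewise an assumption.

```json5
// Added example config, not the project's file. Keys other than the
// vulnerabilityAlerts/osvVulnerabilityAlerts block are assumed Renovate options.
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended"],
  // Only the Conan manager is needed for tracker/conanfile.txt.
  enabledManagers: ["conan"],
  packageRules: [
    {
      // One rule catches every Conan dependency under tracker/, so a
      // per-dependency rule list is unnecessary; updates land in one grouped PR.
      description: "Group all Tracker Conan dependency updates",
      matchManagers: ["conan"],
      matchFileNames: ["tracker/conanfile.txt"],
      groupName: "tracker conan dependencies",
      labels: ["dependencies", "tracker"],
    },
    {
      // Major bumps keep the group but get an extra label for closer review.
      description: "Flag major Conan updates for careful testing",
      matchManagers: ["conan"],
      matchUpdateTypes: ["major"],
      addLabels: ["major-update"],
    },
  ],
  // Security-driven updates bypass the grouping above and are raised as
  // soon as an advisory matches (GitHub alerts and OSV database).
  vulnerabilityAlerts: {
    enabled: true,
    labels: ["security", "tracker"],
  },
  osvVulnerabilityAlerts: true,
}
```

The `renovate-config-validator` workflow added in this PR would validate a file like this on every change to the config.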
.github/workflows/renovate.yml
| # - RENOVATE_APP_ID: application ID | ||
| # - RENOVATE_APP_PEM: application private key | ||
| # | ||
| # Example Usage: |
This section provides no new information and copies code from the workflow itself. Remove it.
📝 Description
Adds self-hosted Renovate automation intended to track Tracker Service Conan (C++) dependencies.