From c5868209cf81bf652be8e395ab1c14d9260a20d2 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Fri, 13 Feb 2026 14:07:22 +0100 Subject: [PATCH 01/25] Dependabot Tracker dependencies --- .github/dependabot.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 41adb07b2..5f59faea6 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -47,6 +47,7 @@ updates: - "/cluster_analytics" - "/controller/src/robot_vision" - "/mapping" + - "/tracker" schedule: interval: "monthly" commit-message: @@ -64,6 +65,7 @@ updates: - "/tests/compose/dlstreamer" - "/tests/perf_tests/compose" - "/tools/ppl_runner" + - "/tracker/test/service" schedule: interval: "monthly" commit-message: @@ -87,6 +89,7 @@ updates: - "/cluster_analytics" - "/mapping" - "/mapping/tests" + - "/tracker/test/service" schedule: interval: "monthly" commit-message: From ed3331b57d3ad1cd98a5eb8c63c08793cf630735 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Fri, 13 Feb 2026 14:40:31 +0100 Subject: [PATCH 02/25] Update tracker-service.yaml --- .github/workflows/tracker-service.yaml | 79 ++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) diff --git a/.github/workflows/tracker-service.yaml b/.github/workflows/tracker-service.yaml index cf8aea0bf..f314c1991 100644 --- a/.github/workflows/tracker-service.yaml +++ b/.github/workflows/tracker-service.yaml 
@@ -79,6 +79,85 @@ jobs: - name: "Lint Python files" run: make -C tracker lint-python + license-check: + name: "REUSE License Compliance" + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: "Checkout code" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: "REUSE Compliance Check" + uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0 + + gitleaks-scan: + name: "Secrets Scanning" + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: "Checkout code" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: "Install gitleaks" + uses: open-edge-platform/orch-ci/.github/actions/bootstrap@8b0ae64836f0395b21ff9dd7d9438284e8e8beda + with: + bootstrap_tools: "gitleaks" + + - name: "Clone CI repo" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + repository: open-edge-platform/orch-ci + path: ci + persist-credentials: false + + - name: "Scan for secrets in tracker directory" + run: | + gitleaks dir tracker/ -v -c ci/.gitleaks.toml --baseline-path ci/gitleaks_baselines/gitleaks.json -r gitleaks.json + + - name: "Upload Gitleaks Report" + if: always() + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: gitleaks-report + path: gitleaks.json + + bandit-scan: + name: "Python Security Scan" + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: "Checkout code" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: "Run Bandit scan on tracker Python code" + if: github.event_name == 'pull_request' + uses: open-edge-platform/orch-ci/.github/actions/security/bandit@8b0ae64836f0395b21ff9dd7d9438284e8e8beda + with: + scan-scope: "changed" + severity-level: "HIGH" + output-format: "txt" + config_file: 
".github/resources/bandit.config" + fail-on-findings: "true" + + - name: "Run Bandit scan on tracker Python code" + if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' + uses: open-edge-platform/orch-ci/.github/actions/security/bandit@8b0ae64836f0395b21ff9dd7d9438284e8e8beda + with: + scan-scope: "all" + severity-level: "HIGH" + output-format: "txt" + config_file: ".github/resources/bandit.config" + fail-on-findings: "true" + trivy-scan: name: "Trivy security scan (optional)" runs-on: ubuntu-latest From 19836c9e254923c5e75c5db362f93c4a05101355 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Fri, 13 Feb 2026 15:00:47 +0100 Subject: [PATCH 03/25] Update GitLeaks part --- .github/workflows/tracker-service.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tracker-service.yaml b/.github/workflows/tracker-service.yaml index f314c1991..040085f1c 100644 --- a/.github/workflows/tracker-service.yaml +++ b/.github/workflows/tracker-service.yaml @@ -118,7 +118,7 @@ jobs: - name: "Scan for secrets in tracker directory" run: | - gitleaks dir tracker/ -v -c ci/.gitleaks.toml --baseline-path ci/gitleaks_baselines/gitleaks.json -r gitleaks.json + gitleaks dir tracker/ -v -c ci/.gitleaks.toml -r gitleaks.json - name: "Upload Gitleaks Report" if: always() From ec10543fe6500e993ce4423c2da89ba7dadb15e8 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Fri, 13 Feb 2026 15:36:55 +0100 Subject: [PATCH 04/25] Coverity C++: For push events to main, compare commit to its parent --- .github/workflows/coverity.yml | 56 +++++++++++++++++++++------------- 1 file changed, 34 insertions(+), 22 deletions(-) diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index 4fb598b55..4a51035f6 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml 
@@ -46,35 +46,47 @@ jobs: echo "Manual dispatch: always run analysis." echo "run-analysis=true" >> $GITHUB_OUTPUT exit 0 + fi + + if [ -z "$GITHUB_SHA" ]; then + echo "Error: GITHUB_SHA is not set or empty." + exit 1 + fi + + # For push events to main, compare commit to its parent + if [ "${{ github.event_name }}" == "push" ] && [ "${{ github.ref }}" == "refs/heads/main" ]; then + echo "Push to main: comparing $GITHUB_SHA to its parent" + changed_files=$(git diff --name-only $GITHUB_SHA^..$GITHUB_SHA -- '*.h' '*.hpp' '*.c' '*.cpp') else + # For other events (merge_group, etc), compare to main branch if [ "$(git rev-parse --abbrev-ref HEAD)" != "main" ]; then git fetch origin main:main echo "Fetched main branch" fi - if [ -z "$GITHUB_SHA" ]; then - echo "Error: GITHUB_SHA is not set or empty." - exit 1 - fi - changed_files=$(git diff --name-only main...$GITHUB_SHA -- '*.h' '*.hpp' '*.c' '*.cpp') - if [ $? -ne 0 ]; then - echo "Error: git diff command failed." - exit 1 - fi - echo "Performed git diff" - if [ -z "$changed_files" ]; then - echo "No relevant changed files detected." - echo "run-analysis=false" >> $GITHUB_OUTPUT - exit 0 - else - run_analysis=true - fi - echo "Changed files:" - echo "$changed_files" - echo "Run analysis:" - echo "$run_analysis" - echo "run-analysis=$run_analysis" >> $GITHUB_OUTPUT + changed_files=$(git diff --name-only main...$GITHUB_SHA -- '*.h' '*.hpp' '*.c' '*.cpp') + fi + + if [ $? -ne 0 ]; then + echo "Error: git diff command failed." + exit 1 fi + echo "Performed git diff" + + if [ -z "$changed_files" ]; then + echo "No relevant changed files detected." + echo "run-analysis=false" >> $GITHUB_OUTPUT + exit 0 + else + run_analysis=true + fi + + echo "Changed files:" + echo "$changed_files" + echo "Run analysis:" + echo "$run_analysis" + echo "run-analysis=$run_analysis" >> $GITHUB_OUTPUT + coverity-scan: name: "Coverity Scan" needs: detect-languages From f0698bc20027c4d0cff0b0f9cbd1475202756d69 Mon Sep 17 00:00:00 2001 
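Review bot: The new push-to-main branch diffs `$GITHUB_SHA^..$GITHUB_SHA`, but in a default `actions/checkout` clone (`fetch-depth: 1`) the parent commit is not present, so `git diff` fails and the step exits 1 instead of answering whether any C/C++ file changed; the checkout step is outside this hunk, so this applies unless it already sets `fetch-depth: 2` or more. Either set `fetch-depth: 2` on the checkout or deepen the clone before the diff, e.g. `git fetch --deepen=1 origin` at the top of the push branch. The `if [ $? -ne 0 ]` test placed after the closing `fi` does still see the status of the `git diff`, because an `if` compound reports the status of the last command it ran, but that is fragile under later edits; `changed_files=$(git diff ...) || { echo "Error: git diff command failed."; exit 1; }` on each branch states the intent directly.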
From: "Yermolenko, Dmytro" Date: Fri, 13 Feb 2026 15:52:08 +0100 Subject: [PATCH 05/25] Zizmor alert workaround --- .github/workflows/coverity.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index 4a51035f6..d5e1e871d 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -41,8 +41,11 @@ jobs: - name: "Detect changed languages" id: detect-langs + env: + EVENT_NAME: ${{ github.event_name }} + REF_NAME: ${{ github.ref }} run: | - if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then + if [ "$EVENT_NAME" == "workflow_dispatch" ]; then echo "Manual dispatch: always run analysis." echo "run-analysis=true" >> $GITHUB_OUTPUT exit 0 @@ -54,7 +57,7 @@ jobs: fi # For push events to main, compare commit to its parent - if [ "${{ github.event_name }}" == "push" ] && [ "${{ github.ref }}" == "refs/heads/main" ]; then + if [ "$EVENT_NAME" == "push" ] && [ "$REF_NAME" == "refs/heads/main" ]; then echo "Push to main: comparing $GITHUB_SHA to its parent" changed_files=$(git diff --name-only $GITHUB_SHA^..$GITHUB_SHA -- '*.h' '*.hpp' '*.c' '*.cpp') else From b2361d88818e4629fa5d3a2cde987067cccf26e7 Mon Sep 17 00:00:00 2001 From: Dmytro Yermolenko Date: Fri, 13 Feb 2026 15:53:12 +0100 Subject: [PATCH 06/25] Update .github/workflows/tracker-service.yaml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/tracker-service.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tracker-service.yaml b/.github/workflows/tracker-service.yaml index 040085f1c..f314c1991 100644 --- a/.github/workflows/tracker-service.yaml +++ b/.github/workflows/tracker-service.yaml 
@@ -118,7 +118,7 @@ jobs: - name: "Scan for secrets in tracker directory" run: | - gitleaks dir tracker/ -v -c ci/.gitleaks.toml -r gitleaks.json + gitleaks dir tracker/ -v -c ci/.gitleaks.toml --baseline-path ci/gitleaks_baselines/gitleaks.json -r gitleaks.json - name: "Upload Gitleaks Report" if: always() From 44d28b97e012b5feb3aa4f4501b36a57b2323d64 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Fri, 13 Feb 2026 16:01:26 +0100 Subject: [PATCH 07/25] Change Bandit run names --- .github/workflows/tracker-service.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tracker-service.yaml b/.github/workflows/tracker-service.yaml index f314c1991..863332416 100644 --- a/.github/workflows/tracker-service.yaml +++ b/.github/workflows/tracker-service.yaml @@ -138,7 +138,7 @@ jobs: with: persist-credentials: false - - name: "Run Bandit scan on tracker Python code" + - name: "Run Bandit scan on Tracker Python code (CHANGED)" if: github.event_name == 'pull_request' uses: open-edge-platform/orch-ci/.github/actions/security/bandit@8b0ae64836f0395b21ff9dd7d9438284e8e8beda with: @@ -148,7 +148,7 @@ jobs: config_file: ".github/resources/bandit.config" fail-on-findings: "true" - - name: "Run Bandit scan on tracker Python code" + - name: "Run Bandit scan on Tracker Python code (ALL)" if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' uses: open-edge-platform/orch-ci/.github/actions/security/bandit@8b0ae64836f0395b21ff9dd7d9438284e8e8beda with: From 5b75b15f7194ffc636d7bf9e554758aec885d907 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Mon, 16 Feb 2026 11:29:06 +0100 Subject: [PATCH 08/25] revert Coverity changes --- .github/workflows/coverity.yml | 61 +++++++++++++--------------------- 1 file changed, 23 insertions(+), 38 deletions(-) diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index d5e1e871d..4fb598b55 100644 --- a/.github/workflows/coverity.yml 
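Review bot: The baseline re-added here, `ci/gitleaks_baselines/gitleaks.json`, comes from the `orch-ci` checkout rather than from this repository, and as far as I understand the gitleaks baseline mechanism it only suppresses findings whose fingerprint (file, rule, line) matches exactly, so a baseline produced for orch-ci's own tree is unlikely to suppress anything under `tracker/` and is effectively a no-op here. If the goal is to accept known false positives in `tracker/`, a baseline committed in this repository (for example `.github/gitleaks-baseline.json` — placeholder name) and referenced from this step is the maintainable option; if the goal is only parity with other orch-ci consumers, a one-line comment on the step saying so would stop the next reader from assuming it filters tracker findings.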
+++ b/.github/workflows/coverity.yml 
@@ -41,55 +41,40 @@ jobs: - name: "Detect changed languages" id: detect-langs - env: - EVENT_NAME: ${{ github.event_name }} - REF_NAME: ${{ github.ref }} run: | - if [ "$EVENT_NAME" == "workflow_dispatch" ]; then + if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then echo "Manual dispatch: always run analysis." echo "run-analysis=true" >> $GITHUB_OUTPUT exit 0 - fi - - if [ -z "$GITHUB_SHA" ]; then - echo "Error: GITHUB_SHA is not set or empty." - exit 1 - fi - - # For push events to main, compare commit to its parent - if [ "$EVENT_NAME" == "push" ] && [ "$REF_NAME" == "refs/heads/main" ]; then - echo "Push to main: comparing $GITHUB_SHA to its parent" - changed_files=$(git diff --name-only $GITHUB_SHA^..$GITHUB_SHA -- '*.h' '*.hpp' '*.c' '*.cpp') else - # For other events (merge_group, etc), compare to main branch if [ "$(git rev-parse --abbrev-ref HEAD)" != "main" ]; then git fetch origin main:main echo "Fetched main branch" fi - changed_files=$(git diff --name-only main...$GITHUB_SHA -- '*.h' '*.hpp' '*.c' '*.cpp') - fi - - if [ $? -ne 0 ]; then - echo "Error: git diff command failed." - exit 1 - fi - - echo "Performed git diff" - - if [ -z "$changed_files" ]; then - echo "No relevant changed files detected." - echo "run-analysis=false" >> $GITHUB_OUTPUT - exit 0 - else - run_analysis=true + if [ -z "$GITHUB_SHA" ]; then + echo "Error: GITHUB_SHA is not set or empty." + exit 1 + fi + changed_files=$(git diff --name-only main...$GITHUB_SHA -- '*.h' '*.hpp' '*.c' '*.cpp') + if [ $? -ne 0 ]; then + echo "Error: git diff command failed." + exit 1 + fi + echo "Performed git diff" + if [ -z "$changed_files" ]; then + echo "No relevant changed files detected." 
+ echo "run-analysis=false" >> $GITHUB_OUTPUT + exit 0 + else + run_analysis=true + fi + echo "Changed files:" + echo "$changed_files" + echo "Run analysis:" + echo "$run_analysis" + echo "run-analysis=$run_analysis" >> $GITHUB_OUTPUT fi - echo "Changed files:" - echo "$changed_files" - echo "Run analysis:" - echo "$run_analysis" - echo "run-analysis=$run_analysis" >> $GITHUB_OUTPUT - coverity-scan: name: "Coverity Scan" needs: detect-languages From 4d9b22007db2235a8c6263fdfa2f9ea3e7765db5 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Mon, 16 Feb 2026 16:24:19 +0100 Subject: [PATCH 09/25] Remove duplicating workflows --- .github/workflows/tracker-service.yaml | 45 -------------------------- 1 file changed, 45 deletions(-) diff --git a/.github/workflows/tracker-service.yaml b/.github/workflows/tracker-service.yaml index 863332416..d5bd6f519 100644 --- a/.github/workflows/tracker-service.yaml +++ b/.github/workflows/tracker-service.yaml @@ -79,20 +79,6 @@ jobs: - name: "Lint Python files" run: make -C tracker lint-python - license-check: - name: "REUSE License Compliance" - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - name: "Checkout code" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - - name: "REUSE Compliance Check" - uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0 - gitleaks-scan: name: "Secrets Scanning" runs-on: ubuntu-latest 
@@ -127,37 +113,6 @@ jobs: name: gitleaks-report path: gitleaks.json - bandit-scan: - name: "Python Security Scan" - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - name: "Checkout code" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - - name: "Run Bandit scan on Tracker Python code (CHANGED)" - if: github.event_name == 'pull_request' - uses: open-edge-platform/orch-ci/.github/actions/security/bandit@8b0ae64836f0395b21ff9dd7d9438284e8e8beda - with: - scan-scope: "changed" - severity-level: "HIGH" - output-format: "txt" - config_file: ".github/resources/bandit.config" - fail-on-findings: "true" - - - name: "Run Bandit scan on Tracker Python code (ALL)" - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' - uses: open-edge-platform/orch-ci/.github/actions/security/bandit@8b0ae64836f0395b21ff9dd7d9438284e8e8beda - with: - scan-scope: "all" - severity-level: "HIGH" - output-format: "txt" - config_file: ".github/resources/bandit.config" - fail-on-findings: "true" - trivy-scan: name: "Trivy security scan (optional)" runs-on: ubuntu-latest From 87887f1d352b66b54e34ab9fe6a64fdf1f79a2c5 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Tue, 17 Feb 2026 13:55:21 +0100 Subject: [PATCH 10/25] Configure Removate bot --- .github/renovate.json | 221 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 221 insertions(+) create mode 100644 .github/renovate.json diff --git a/.github/renovate.json b/.github/renovate.json new file mode 100644 index 000000000..a40d218d6 --- /dev/null +++ b/.github/renovate.json 
@@ -0,0 +1,221 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:base" + ], + "description": "Renovate configuration for Tracker Service Conan C++ dependencies", + "labels": [ + "dependencies", + "renovate", + "tracker" + ], + "schedule": [ + "before 10am on the first day of the month" + ], + "timezone": "UTC", + "reviewers": [ + "saratpoluri", + "dmytroye", + "tdorauintc" + ], + "packageRules": [ + { + "description": "Conan dependencies - group patch updates", + "matchManagers": [ + "conan" + ], + "matchUpdateTypes": [ + "patch" + ], + "groupName": "tracker conan patch updates", + "automerge": false + }, + { + "description": "Conan dependencies - group minor updates", + "matchManagers": [ + "conan" + ], + "matchUpdateTypes": [ + "minor" + ], + "groupName": "tracker conan minor updates" + }, + { + "description": "Conan dependencies - handle major updates individually", + "matchManagers": [ + "conan" + ], + "matchUpdateTypes": [ + "major" + ], + "groupName": null, + "labels": [ + "dependencies", + "major-update", + "tracker" + ] + }, + { + "description": "OpenCV updates - needs careful testing", + "matchPackageNames": [ + "opencv" + ], + "matchManagers": [ + "conan" + ], + "labels": [ + "dependencies", + "opencv", + "needs-testing", + "tracker" + ], + "prPriority": 10, + "commitMessagePrefix": "Tracker:", + "commitMessageTopic": "OpenCV" + }, + { + "description": "Testing libraries - GTest", + "matchPackageNames": [ + "gtest" + ], + "matchManagers": [ + "conan" + ], + "labels": [ + "dependencies", + "testing", + "tracker" + ], + "commitMessagePrefix": "Tracker:", + "commitMessageTopic": "GTest" + }, + { + "description": "Logging libraries - Quill", + "matchPackageNames": [ + "quill" + ], + "matchManagers": [ + "conan" + ], + "labels": [ + "dependencies", + "logging", + "tracker" + ], + "commitMessagePrefix": "Tracker:", + "commitMessageTopic": "Quill" + }, + { + "description": "MQTT libraries - Paho MQTT", + 
"matchPackageNames": [ + "paho-mqtt-cpp" + ], + "matchManagers": [ + "conan" + ], + "labels": [ + "dependencies", + "mqtt", + "tracker" + ], + "commitMessagePrefix": "Tracker:", + "commitMessageTopic": "Paho MQTT" + }, + { + "description": "CLI libraries - CLI11", + "matchPackageNames": [ + "cli11" + ], + "matchManagers": [ + "conan" + ], + "labels": [ + "dependencies", + "cli", + "tracker" + ], + "commitMessagePrefix": "Tracker:", + "commitMessageTopic": "CLI11" + }, + { + "description": "HTTP libraries - cpp-httplib", + "matchPackageNames": [ + "cpp-httplib" + ], + "matchManagers": [ + "conan" + ], + "labels": [ + "dependencies", + "http", + "tracker" + ], + "commitMessagePrefix": "Tracker:", + "commitMessageTopic": "cpp-httplib" + }, + { + "description": "JSON libraries - RapidJSON", + "matchPackageNames": [ + "rapidjson" + ], + "matchManagers": [ + "conan" + ], + "labels": [ + "dependencies", + "json", + "tracker" + ], + "commitMessagePrefix": "Tracker:", + "commitMessageTopic": "RapidJSON" + }, + { + "description": "Math libraries - Eigen", + "matchPackageNames": [ + "eigen" + ], + "matchManagers": [ + "conan" + ], + "labels": [ + "dependencies", + "math", + "tracker" + ], + "commitMessagePrefix": "Tracker:", + "commitMessageTopic": "Eigen" + }, + { + "description": "Disable managers already handled by Dependabot", + "matchManagers": [ + "github-actions", + "dockerfile", + "helm-values", + "helmfile" + ], + "enabled": false + } + ], + "conan": { + "enabled": true, + "fileMatch": [ + "tracker/conanfile.txt$" + ] + }, + "prConcurrentLimit": 5, + "prHourlyLimit": 2, + "commitMessagePrefix": "Tracker Conan:", + "semanticCommits": "enabled", + "platformAutomerge": false, + "rebaseWhen": "behind-base-branch", + "separateMajorMinor": true, + "separateMinorPatch": false, + "rangeStrategy": "pin", + "vulnerabilityAlerts": { + "enabled": true, + "labels": [ + "security", + "tracker" + ] + } +} From 5398c7b6d01bf53d954fe5f6850aab963dfb516a Mon Sep 17 00:00:00 2001 
From: "Yermolenko, Dmytro" Date: Tue, 17 Feb 2026 15:23:31 +0100 Subject: [PATCH 11/25] Add renovate self-hosted workflows --- .github/{renovate.json => renovate.json5} | 0 .../workflows/renovate-config-validator.yml | 47 ++++++++++ .github/workflows/renovate.yml | 88 +++++++++++++++++++ 3 files changed, 135 insertions(+) rename .github/{renovate.json => renovate.json5} (100%) create mode 100644 .github/workflows/renovate-config-validator.yml create mode 100644 .github/workflows/renovate.yml diff --git a/.github/renovate.json b/.github/renovate.json5 similarity index 100% rename from .github/renovate.json rename to .github/renovate.json5 diff --git a/.github/workflows/renovate-config-validator.yml b/.github/workflows/renovate-config-validator.yml new file mode 100644 index 000000000..b5b330966 --- /dev/null +++ b/.github/workflows/renovate-config-validator.yml 
@@ -0,0 +1,47 @@ +--- +# SPDX-FileCopyrightText: (C) 2026 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 + +# Renovate configuration validator +# +# This workflow validates changes proposed into Renovate configuration file +# (.github/renovate.json5) and prevents non-valid configuration to be used by Renovate. +# +# Required Secrets: +# - None +# +# Automatically triggered on: +# - Pull requests to .github/renovate.json5. +# + +name: Validate Renovate configuration + +on: + pull_request: + paths: + - ".github/renovate.json5" + +permissions: {} # No permissions by default + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +jobs: + validate: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout configuration + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + + - name: Validate configuration + run: | + # renovate: datasource=docker + export RENOVATE_IMAGE=ghcr.io/renovatebot/renovate:40.11 + docker run --rm --entrypoint "renovate-config-validator" \ + -v "${{ github.workspace }}/.github/renovate.json5":"/renovate.json5" \ + ${RENOVATE_IMAGE} "/renovate.json5" diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml new file mode 100644 index 000000000..b989673fc --- /dev/null +++ b/.github/workflows/renovate.yml 
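Review bot: Every action in this workflow is pinned to a commit SHA, but the image that actually performs the validation is pinned only to the mutable tag `ghcr.io/renovatebot/renovate:40.11`; pin it by digest too, `export RENOVATE_IMAGE=ghcr.io/renovatebot/renovate:40.11@sha256:<digest>` (digest placeholder), so the check runs the same code on every PR. The `# renovate: datasource=docker` annotation above it is, as far as I know, only acted on when a custom regex manager is configured for it, and the `.github/renovate.json5` in this series defines none, so the comment may be inert; either add `depName=ghcr.io/renovatebot/renovate` to it together with a matching `customManagers` entry, or drop it so it does not promise updates that will not happen. The bind mount uses `${{ github.workspace }}` inside `run:`; it is not attacker-controlled, but `$GITHUB_WORKSPACE` is already exported and avoids the inline expression the repo's zizmor check dislikes.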
@@ -0,0 +1,88 @@ +--- +# SPDX-FileCopyrightText: (C) 2026 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 + +# Dependencies Management Workflow +# +# This workflow automates the dependence management based on self-hosed Renovate +# ensure the project's dependencies remains up-to-date and security fixes are delivered regularly. +# +# Key Features: +# - Automated PR creation into pyproject.toml and uv.lock regeneration +# - Dry-run for debug purposes +# - Dependency dashboard (is available in GitHub issues) maintenance +# +# Process Stages: +# +# 1. Dependencies Management: +# - Runs on a daily schedule. +# - Identifies dependencies that may be updated based on .github/renovate.json5 configuration. +# - Opens corresponding PRs with respect to schedule defined in Renovate config file. +# - Updates Renovate Dependency dashboard that is available in GitHub issues. +# +# Required Secrets: +# - RENOVATE_APP_ID: application ID +# - RENOVATE_APP_PEM: application private key +# +# Example Usage: +# 1. Scheduled Run: +# Automatically runs, daily +# +# 2. Manual Trigger: +# workflow_dispatch: +# inputs: +# dry-run: +# description: "Run Renovate in dry-run mode (no PR)" +# required: false +# default: false +# type: boolean +# +# Note: Renovate maintains and updates Dependency dashboard that is available in GitHub issues. 
+ +name: Renovate +on: + schedule: + # daily + - cron: "0 2 * * *" + + # allow to manually trigger this workflow + workflow_dispatch: + inputs: + dry-run: + description: "Run Renovate in dry-run mode (no PR)" + required: false + default: false + type: boolean + +permissions: {} + +jobs: + renovate: + permissions: + contents: read + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + + - name: Get token + id: get-github-app-token + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + with: + app-id: ${{ secrets.RENOVATE_APP_ID }} + private-key: ${{ secrets.RENOVATE_APP_PEM }} + + - name: Self-hosted Renovate + uses: renovatebot/github-action@8b7941943a108b2cc2150730963164aa8baeab8c # v44.2.2 + with: + configurationFile: .github/renovate.json5 + token: "${{ steps.get-github-app-token.outputs.token }}" + env: + LOG_LEVEL: ${{ github.event_name == 'workflow_dispatch' && 'debug' || 'info' }} + # Dry run if the event is workflow_dispatch AND the dry-run input is true + RENOVATE_DRY_RUN: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.dry-run == 'true') && 'full' || null }} + RENOVATE_PLATFORM: github + RENOVATE_REPOSITORIES: ${{ github.repository }} From 1d833f899462cba78f23b07ac54c1b77f68e3cde Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Tue, 17 Feb 2026 15:30:27 +0100 Subject: [PATCH 12/25] Consistent workflow names --- .github/workflows/renovate-config-validator.yml | 6 +++--- .github/workflows/renovate.yml | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/renovate-config-validator.yml b/.github/workflows/renovate-config-validator.yml index b5b330966..caab43f51 100644 --- a/.github/workflows/renovate-config-validator.yml +++ b/.github/workflows/renovate-config-validator.yml 
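Review bot: The header comment advertises "Automated PR creation into pyproject.toml and uv.lock regeneration", but the configuration this workflow drives (`.github/renovate.json5` in this series) targets the Conan manifest `tracker/conanfile.txt`; the block looks copied from a Python project and should describe this instance, e.g. `# - Automated PR creation for Conan dependency updates (tracker/conanfile.txt)`. On the "Get token" step, `actions/create-github-app-token` issues a token carrying every permission the app holds unless narrowed; if the app is broader than Renovate needs, the action's `permission-*` inputs (e.g. `permission-contents: write`, `permission-pull-requests: write`, `permission-issues: write` for the dashboard) keep the job's token at least privilege — confirm the exact set against Renovate's GitHub platform docs. `LOG_LEVEL` is raised to `debug` on every manual dispatch, not only on dry runs; Renovate masks its token, but debug output is verbose and lands in the stored run log, so tying it to the `dry-run` input would be the more conservative default.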
@@ -14,7 +14,7 @@ # - Pull requests to .github/renovate.json5. # -name: Validate Renovate configuration +name: "[Updates] Validate Renovate configuration" on: pull_request: @@ -33,12 +33,12 @@ jobs: permissions: contents: read steps: - - name: Checkout configuration + - name: "Checkout configuration" uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - - name: Validate configuration + - name: "Validate configuration" run: | # renovate: datasource=docker export RENOVATE_IMAGE=ghcr.io/renovatebot/renovate:40.11 diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index b989673fc..742f18c32 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -39,7 +39,7 @@ # # Note: Renovate maintains and updates Dependency dashboard that is available in GitHub issues. -name: Renovate +name: "[Updates] Renovate (Tracker Service)" on: schedule: # daily @@ -63,19 +63,19 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout + - name: "Checkout code" uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - - name: Get token + - name: "Get token" id: get-github-app-token uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 with: app-id: ${{ secrets.RENOVATE_APP_ID }} private-key: ${{ secrets.RENOVATE_APP_PEM }} - - name: Self-hosted Renovate + - name: "Self-hosted Renovate" uses: renovatebot/github-action@8b7941943a108b2cc2150730963164aa8baeab8c # v44.2.2 with: configurationFile: .github/renovate.json5 From 2ca9ddd7dc46db7f705bd2162a61d518249614b6 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Tue, 17 Feb 2026 15:36:02 +0100 Subject: [PATCH 13/25] Add license --- .github/renovate.json5 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index a40d218d6..3ad155623 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 
@@ -1,3 +1,6 @@ +// SPDX-FileCopyrightText: (C) 2026 Intel Corporation +// # SPDX-License-Identifier: Apache-2.0 + { "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ From 464a7aca178a852c79b91d7286c7a4a1e05fa520 Mon Sep 17 00:00:00 2001 From: Dmytro Yermolenko Date: Tue, 17 Feb 2026 15:40:06 +0100 Subject: [PATCH 14/25] Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/renovate-config-validator.yml | 2 +- .github/workflows/renovate.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/renovate-config-validator.yml b/.github/workflows/renovate-config-validator.yml index caab43f51..98692fd79 100644 --- a/.github/workflows/renovate-config-validator.yml +++ b/.github/workflows/renovate-config-validator.yml @@ -5,7 +5,7 @@ # Renovate configuration validator # # This workflow validates changes proposed into Renovate configuration file -# (.github/renovate.json5) and prevents non-valid configuration to be used by Renovate. +# (.github/renovate.json5) and prevents invalid configuration to be used by Renovate. # # Required Secrets: # - None diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 742f18c32..5f557d549 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -4,7 +4,7 @@ # Dependencies Management Workflow # -# This workflow automates the dependence management based on self-hosed Renovate +# This workflow automates the dependence management based on self-hosted Renovate # ensure the project's dependencies remains up-to-date and security fixes are delivered regularly. # # Key Features: From bba1242e7a5846f7865283575f9365bf8ed41dfa Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Tue, 17 Feb 2026 15:41:21 +0100 Subject: [PATCH 15/25] Remove Dependabot updates from this PR --- .github/dependabot.yml | 3 --- 1 file changed, 3 deletions(-) 
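Review bot: The second header line reads `// # SPDX-License-Identifier: Apache-2.0`; the `#` is a leftover from a YAML-style comment and is inconsistent with the first line, so it should be `// SPDX-License-Identifier: Apache-2.0`. REUSE tooling still finds the tag, so this is cosmetic, but with a Prettier pass coming later in the series it is worth fixing before that reformat.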
diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 5f59faea6..41adb07b2 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -47,7 +47,6 @@ updates: - "/cluster_analytics" - "/controller/src/robot_vision" - "/mapping" - - "/tracker" schedule: interval: "monthly" commit-message: @@ -65,7 +64,6 @@ updates: - "/tests/compose/dlstreamer" - "/tests/perf_tests/compose" - "/tools/ppl_runner" - - "/tracker/test/service" schedule: interval: "monthly" commit-message: @@ -89,7 +87,6 @@ updates: - "/cluster_analytics" - "/mapping" - "/mapping/tests" - - "/tracker/test/service" schedule: interval: "monthly" commit-message: From beb0e30a8c373334d5ec295da9672f53ed1ac225 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Tue, 17 Feb 2026 15:42:41 +0100 Subject: [PATCH 16/25] Remove tracker-service.yaml updates from this PR --- .github/workflows/tracker-service.yaml | 34 -------------------------- 1 file changed, 34 deletions(-) diff --git a/.github/workflows/tracker-service.yaml b/.github/workflows/tracker-service.yaml index d5bd6f519..cf8aea0bf 100644 --- a/.github/workflows/tracker-service.yaml +++ b/.github/workflows/tracker-service.yaml 
@@ -79,40 +79,6 @@ jobs: - name: "Lint Python files" run: make -C tracker lint-python - gitleaks-scan: - name: "Secrets Scanning" - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - name: "Checkout code" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - - name: "Install gitleaks" - uses: open-edge-platform/orch-ci/.github/actions/bootstrap@8b0ae64836f0395b21ff9dd7d9438284e8e8beda - with: - bootstrap_tools: "gitleaks" - - - name: "Clone CI repo" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - repository: open-edge-platform/orch-ci - path: ci - persist-credentials: false - - - name: "Scan for secrets in tracker directory" - run: | - gitleaks dir tracker/ -v -c ci/.gitleaks.toml --baseline-path ci/gitleaks_baselines/gitleaks.json -r gitleaks.json - - - name: "Upload Gitleaks Report" - if: always() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 - with: - name: gitleaks-report - path: gitleaks.json - trivy-scan: name: "Trivy security scan (optional)" runs-on: ubuntu-latest From ffc9a98543692ff0a158dbea490e658de882eff0 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Tue, 17 Feb 2026 15:44:32 +0100 Subject: [PATCH 17/25] typo fix --- .github/workflows/renovate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 5f557d549..24810dad7 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -4,7 +4,7 @@ # Dependencies Management Workflow # -# This workflow automates the dependence management based on self-hosted Renovate +# This workflow automates the dependency management based on self-hosted Renovate # ensure the project's dependencies remains up-to-date and security fixes are delivered regularly. # # Key Features: From d6329b4f9474e446cc23b06719fc2db5376fa9e2 Mon Sep 17 00:00:00 2001 
From: "Yermolenko, Dmytro" Date: Tue, 17 Feb 2026 15:50:26 +0100 Subject: [PATCH 18/25] Prettier-write --- .github/renovate.json5 | 282 ++++++++++++++--------------------------- 1 file changed, 92 insertions(+), 190 deletions(-)
diff --git a/.github/renovate.json5 b/.github/renovate.json5
index 3ad155623..c8736ea5b 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -2,223 +2,125 @@ // # SPDX-License-Identifier: Apache-2.0 { - "$schema": "https://docs.renovatebot.com/renovate-schema.json", - "extends": [ - "config:base" - ], - "description": "Renovate configuration for Tracker Service Conan C++ dependencies", - "labels": [ - "dependencies", - "renovate", - "tracker" - ], - "schedule": [ - "before 10am on the first day of the month" - ], - "timezone": "UTC", - "reviewers": [ - "saratpoluri", - "dmytroye", - "tdorauintc" - ], - "packageRules": [ + $schema: "https://docs.renovatebot.com/renovate-schema.json", + extends: ["config:base"], + description: "Renovate configuration for Tracker Service Conan C++ dependencies", + labels: ["dependencies", "renovate", "tracker"], + schedule: ["before 10am on the first day of the month"], + timezone: "UTC", + reviewers: ["saratpoluri", "dmytroye", "tdorauintc"], + packageRules: [ { - "description": "Conan dependencies - group patch updates", - "matchManagers": [ - "conan" - ], - "matchUpdateTypes": [ - "patch" - ], - "groupName": "tracker conan patch updates", - "automerge": false + description: "Conan dependencies - group patch updates", + matchManagers: ["conan"], + matchUpdateTypes: ["patch"], + groupName: "tracker conan patch updates", + automerge: false, }, { - "description": "Conan dependencies - group minor updates", - "matchManagers": [ - "conan" - ], - "matchUpdateTypes": [ - "minor" - ], - "groupName": "tracker conan minor updates" + description: "Conan dependencies - group minor updates", + matchManagers: ["conan"], + matchUpdateTypes: ["minor"], + groupName: "tracker conan minor updates", }, { - "description": "Conan dependencies - handle major updates individually", - "matchManagers": [ - "conan" - ], - "matchUpdateTypes": [ - "major" - ], - "groupName": null, - "labels": [ - "dependencies", - "major-update", - "tracker" - ] + description: "Conan dependencies - handle major updates individually", + matchManagers: ["conan"], + matchUpdateTypes: ["major"], + groupName: null, + 
labels: ["dependencies", "major-update", "tracker"], }, { - "description": "OpenCV updates - needs careful testing", - "matchPackageNames": [ - "opencv" - ], - "matchManagers": [ - "conan" - ], - "labels": [ - "dependencies", - "opencv", - "needs-testing", - "tracker" - ], - "prPriority": 10, - "commitMessagePrefix": "Tracker:", - "commitMessageTopic": "OpenCV" + description: "OpenCV updates - needs careful testing", + matchPackageNames: ["opencv"], + matchManagers: ["conan"], + labels: ["dependencies", "opencv", "needs-testing", "tracker"], + prPriority: 10, + commitMessagePrefix: "Tracker:", + commitMessageTopic: "OpenCV", }, { - "description": "Testing libraries - GTest", - "matchPackageNames": [ - "gtest" - ], - "matchManagers": [ - "conan" - ], - "labels": [ - "dependencies", - "testing", - "tracker" - ], - "commitMessagePrefix": "Tracker:", - "commitMessageTopic": "GTest" + description: "Testing libraries - GTest", + matchPackageNames: ["gtest"], + matchManagers: ["conan"], + labels: ["dependencies", "testing", "tracker"], + commitMessagePrefix: "Tracker:", + commitMessageTopic: "GTest", }, { - "description": "Logging libraries - Quill", - "matchPackageNames": [ - "quill" - ], - "matchManagers": [ - "conan" - ], - "labels": [ - "dependencies", - "logging", - "tracker" - ], - "commitMessagePrefix": "Tracker:", - "commitMessageTopic": "Quill" + description: "Logging libraries - Quill", + matchPackageNames: ["quill"], + matchManagers: ["conan"], + labels: ["dependencies", "logging", "tracker"], + commitMessagePrefix: "Tracker:", + commitMessageTopic: "Quill", }, { - "description": "MQTT libraries - Paho MQTT", - "matchPackageNames": [ - "paho-mqtt-cpp" - ], - "matchManagers": [ - "conan" - ], - "labels": [ - "dependencies", - "mqtt", - "tracker" - ], - "commitMessagePrefix": "Tracker:", - "commitMessageTopic": "Paho MQTT" + description: "MQTT libraries - Paho MQTT", + matchPackageNames: ["paho-mqtt-cpp"], + matchManagers: ["conan"], + labels: ["dependencies", 
"mqtt", "tracker"], + commitMessagePrefix: "Tracker:", + commitMessageTopic: "Paho MQTT", }, { - "description": "CLI libraries - CLI11", - "matchPackageNames": [ - "cli11" - ], - "matchManagers": [ - "conan" - ], - "labels": [ - "dependencies", - "cli", - "tracker" - ], - "commitMessagePrefix": "Tracker:", - "commitMessageTopic": "CLI11" + description: "CLI libraries - CLI11", + matchPackageNames: ["cli11"], + matchManagers: ["conan"], + labels: ["dependencies", "cli", "tracker"], + commitMessagePrefix: "Tracker:", + commitMessageTopic: "CLI11", }, { - "description": "HTTP libraries - cpp-httplib", - "matchPackageNames": [ - "cpp-httplib" - ], - "matchManagers": [ - "conan" - ], - "labels": [ - "dependencies", - "http", - "tracker" - ], - "commitMessagePrefix": "Tracker:", - "commitMessageTopic": "cpp-httplib" + description: "HTTP libraries - cpp-httplib", + matchPackageNames: ["cpp-httplib"], + matchManagers: ["conan"], + labels: ["dependencies", "http", "tracker"], + commitMessagePrefix: "Tracker:", + commitMessageTopic: "cpp-httplib", }, { - "description": "JSON libraries - RapidJSON", - "matchPackageNames": [ - "rapidjson" - ], - "matchManagers": [ - "conan" - ], - "labels": [ - "dependencies", - "json", - "tracker" - ], - "commitMessagePrefix": "Tracker:", - "commitMessageTopic": "RapidJSON" + description: "JSON libraries - RapidJSON", + matchPackageNames: ["rapidjson"], + matchManagers: ["conan"], + labels: ["dependencies", "json", "tracker"], + commitMessagePrefix: "Tracker:", + commitMessageTopic: "RapidJSON", }, { - "description": "Math libraries - Eigen", - "matchPackageNames": [ - "eigen" - ], - "matchManagers": [ - "conan" - ], - "labels": [ - "dependencies", - "math", - "tracker" - ], - "commitMessagePrefix": "Tracker:", - "commitMessageTopic": "Eigen" + description: "Math libraries - Eigen", + matchPackageNames: ["eigen"], + matchManagers: ["conan"], + labels: ["dependencies", "math", "tracker"], + commitMessagePrefix: "Tracker:", + 
commitMessageTopic: "Eigen", }, { - "description": "Disable managers already handled by Dependabot", - "matchManagers": [ + description: "Disable managers already handled by Dependabot", + matchManagers: [ "github-actions", "dockerfile", "helm-values", - "helmfile" + "helmfile", ], - "enabled": false - } + enabled: false, + }, ], - "conan": { - "enabled": true, - "fileMatch": [ - "tracker/conanfile.txt$" - ] + conan: { + enabled: true, + fileMatch: ["tracker/conanfile.txt$"], + }, + prConcurrentLimit: 5, + prHourlyLimit: 2, + commitMessagePrefix: "Tracker Conan:", + semanticCommits: "enabled", + platformAutomerge: false, + rebaseWhen: "behind-base-branch", + separateMajorMinor: true, + separateMinorPatch: false, + rangeStrategy: "pin", + vulnerabilityAlerts: { + enabled: true, + labels: ["security", "tracker"], }, - "prConcurrentLimit": 5, - "prHourlyLimit": 2, - "commitMessagePrefix": "Tracker Conan:", - "semanticCommits": "enabled", - "platformAutomerge": false, - "rebaseWhen": "behind-base-branch", - "separateMajorMinor": true, - "separateMinorPatch": false, - "rangeStrategy": "pin", - "vulnerabilityAlerts": { - "enabled": true, - "labels": [ - "security", - "tracker" - ] - } } From dcf44d836072d9e2254983f7cf77b0d72c7dbed5 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Tue, 17 Feb 2026 15:58:08 +0100 Subject: [PATCH 19/25] Enable only Conan package manager --- .github/renovate.json5 | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/.github/renovate.json5 b/.github/renovate.json5 index c8736ea5b..6e70dc449 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -5,6 +5,7 @@ $schema: "https://docs.renovatebot.com/renovate-schema.json", extends: ["config:base"], description: "Renovate configuration for Tracker Service Conan C++ dependencies", + enabledManagers: ["conan"], labels: ["dependencies", "renovate", "tracker"], schedule: ["before 10am on the first day of the month"], timezone: "UTC", 
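Review bot: `enabledManagers: ["conan"]` is the right replacement for the deleted disable-rule, but the adjacent context line still extends `config:base`, which newer Renovate releases, as far as I recall, mark as deprecated in favour of `config:recommended`; worth checking against the validator image version this series pins, since a deprecated preset is the kind of thing the validator only warns about. With `enabledManagers` set, the separate `conan: { enabled: true, ... }` block further down no longer decides whether the manager runs and only its `fileMatch` still matters; a short comment such as `// enabledManagers restricts Renovate to Conan; the conan block below only scopes the file match` would make that intent explicit.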
@@ -95,16 +96,6 @@
 commitMessagePrefix: "Tracker:",
 commitMessageTopic: "Eigen",
 },
- {
- description: "Disable managers already handled by Dependabot",
- matchManagers: [
- "github-actions",
- "dockerfile",
- "helm-values",
- "helmfile",
- ],
- enabled: false,
- },
 ],
 conan: {
 enabled: true,
From 04afb86979c7de89a3298a6bd0bdd5d7dfbb38a2 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Tue, 17 Feb 2026 16:00:11 +0100 Subject: [PATCH 20/25] Adjust Renovate workflow comments to be consisten with the Renovate config file --- .github/workflows/renovate.yml | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 24810dad7..9a68d9575 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -4,21 +4,27 @@
 # Dependencies Management Workflow
 #
-# This workflow automates the dependency management based on self-hosted Renovate
-# ensure the project's dependencies remains up-to-date and security fixes are delivered regularly.
+# This workflow automates the dependency management for Tracker Service C++ dependencies
+# using self-hosted Renovate to ensure dependencies remain up-to-date and security
+# fixes are delivered regularly.
 #
 # Key Features:
-# - Automated PR creation into pyproject.toml and uv.lock regeneration
-# - Dry-run for debug purposes
-# - Dependency dashboard (is available in GitHub issues) maintenance
+# - Automated PR creation for Conan dependencies in tracker/conanfile.txt
+# - Dry-run mode for debug purposes
+# - Dependency dashboard maintenance (available in GitHub issues)
+#
+# Managed Dependencies:
+# - Conan C++ packages: quill, cli11, cpp-httplib, rapidjson, gtest, opencv, eigen, paho-mqtt-cpp
+# - Configuration: .github/renovate.json5
+# - Target file: tracker/conanfile.txt
 #
 # Process Stages:
 #
 # 1. Dependencies Management:
-# - Runs on a daily schedule.
-# - Identifies dependencies that may be updated based on .github/renovate.json5 configuration.
-# - Opens corresponding PRs with respect to schedule defined in Renovate config file.
-# - Updates Renovate Dependency dashboard that is available in GitHub issues.
+# - Runs on a daily schedule
+# - Identifies Conan dependencies that can be updated based on .github/renovate.json5 configuration
+# - Opens corresponding PRs with respect to schedule defined in Renovate config (monthly)
+# - Updates Renovate Dependency dashboard available in GitHub issues
 #
 # Required Secrets:
 # - RENOVATE_APP_ID: application ID
@@ -26,7 +32,7 @@
 #
 # Example Usage:
 # 1. Scheduled Run:
-# Automatically runs, daily
+# Automatically runs daily (checks monthly schedule in config)
 #
 # 2. Manual Trigger:
 # workflow_dispatch:
From 4685410f36e86021e8d184beae089fdada8b2c6a Mon Sep 17 00:00:00 2001
From: "Yermolenko, Dmytro" Date: Tue, 17 Feb 2026 16:03:16 +0100 Subject: [PATCH 21/25] Prettier --- .github/workflows/renovate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 9a68d9575..065a6a7e2 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -5,7 +5,7 @@
 # Dependencies Management Workflow
 #
 # This workflow automates the dependency management for Tracker Service C++ dependencies
-# using self-hosted Renovate to ensure dependencies remain up-to-date and security
+# using self-hosted Renovate to ensure dependencies remain up-to-date and security
 # fixes are delivered regularly.
 #
 # Key Features:
From 61df84165e15dbdbb519feca0f179c5214df6aa9 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Tue, 17 Feb 2026 19:26:09 +0100 Subject: [PATCH 22/25] bump version for .json validation --- .github/workflows/renovate-config-validator.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/renovate-config-validator.yml b/.github/workflows/renovate-config-validator.yml
index 98692fd79..0563206ca 100644
--- a/.github/workflows/renovate-config-validator.yml
+++ b/.github/workflows/renovate-config-validator.yml
@@ -41,7 +41,7 @@ jobs:
 - name: "Validate configuration"
 run: |
 # renovate: datasource=docker
- export RENOVATE_IMAGE=ghcr.io/renovatebot/renovate:40.11
+ export RENOVATE_IMAGE=ghcr.io/renovatebot/renovate:43.24
 docker run --rm --entrypoint "renovate-config-validator" \
 -v "${{ github.workspace }}/.github/renovate.json5":"/renovate.json5" \
 ${RENOVATE_IMAGE} "/renovate.json5"
From aa4c3f114188078460387ee74092a8086e743b49 Mon Sep 17 00:00:00 2001
From: "Yermolenko, Dmytro" Date: Wed, 18 Feb 2026 10:27:54 +0100 Subject: [PATCH 23/25] Remove instructions from removate yamls --- .../workflows/renovate-config-validator.yml | 14 +----- .github/workflows/renovate.yml | 43 ------------------- 2 files changed, 1 insertion(+), 56 deletions(-)
diff --git a/.github/workflows/renovate-config-validator.yml b/.github/workflows/renovate-config-validator.yml
index 0563206ca..eb9ab7fd4 100644
--- a/.github/workflows/renovate-config-validator.yml
+++ b/.github/workflows/renovate-config-validator.yml
@@ -2,18 +2,6 @@
 # SPDX-FileCopyrightText: (C) 2026 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
-# Renovate configuration validator
-#
-# This workflow validates changes proposed into Renovate configuration file
-# (.github/renovate.json5) and prevents invalid configuration to be used by Renovate.
-#
-# Required Secrets:
-# - None
-#
-# Automatically triggered on:
-# - Pull requests to .github/renovate.json5.
-
 name: "[Updates] Validate Renovate configuration"
 on:
@@ -41,7 +29,7 @@ jobs:
 - name: "Validate configuration"
 run: |
 # renovate: datasource=docker
- export RENOVATE_IMAGE=ghcr.io/renovatebot/renovate:43.24
+ export RENOVATE_IMAGE=renovate/renovate:43.24
 docker run --rm --entrypoint "renovate-config-validator" \
 -v "${{ github.workspace }}/.github/renovate.json5":"/renovate.json5" \
 ${RENOVATE_IMAGE} "/renovate.json5"
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 065a6a7e2..f8a69460f 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
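Review bot: The `RENOVATE_IMAGE` line now points at `renovate/renovate:43.24` on Docker Hub instead of `ghcr.io/renovatebot/renovate:43.24`, a registry change the commit title ("Remove instructions") does not mention, and in both forms the image is pulled by mutable tag only, whereas every `uses:` in these workflows is SHA-pinned. Because this job runs on pull requests and mounts the repository's Renovate config into the container, a re-tagged image would run unnoticed; pin the digest as well, e.g. `export RENOVATE_IMAGE=renovate/renovate:43.24@sha256:<image-digest>`, which the `# renovate: datasource=docker` marker above it lets Renovate keep current. If the registry switch was unintended, keep the ghcr reference and add the digest there instead. The hunk shows only the `run: |` body of the step, so the rest of the job definition is outside my view.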
@@ -2,49 +2,6 @@
 # SPDX-FileCopyrightText: (C) 2026 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
-# Dependencies Management Workflow
-#
-# This workflow automates the dependency management for Tracker Service C++ dependencies
-# using self-hosted Renovate to ensure dependencies remain up-to-date and security
-# fixes are delivered regularly.
-#
-# Key Features:
-# - Automated PR creation for Conan dependencies in tracker/conanfile.txt
-# - Dry-run mode for debug purposes
-# - Dependency dashboard maintenance (available in GitHub issues)
-#
-# Managed Dependencies:
-# - Conan C++ packages: quill, cli11, cpp-httplib, rapidjson, gtest, opencv, eigen, paho-mqtt-cpp
-# - Configuration: .github/renovate.json5
-# - Target file: tracker/conanfile.txt
-#
-# Process Stages:
-#
-# 1. Dependencies Management:
-# - Runs on a daily schedule
-# - Identifies Conan dependencies that can be updated based on .github/renovate.json5 configuration
-# - Opens corresponding PRs with respect to schedule defined in Renovate config (monthly)
-# - Updates Renovate Dependency dashboard available in GitHub issues
-#
-# Required Secrets:
-# - RENOVATE_APP_ID: application ID
-# - RENOVATE_APP_PEM: application private key
-#
-# Example Usage:
-# 1. Scheduled Run:
-# Automatically runs daily (checks monthly schedule in config)
-#
-# 2. Manual Trigger:
-# workflow_dispatch:
-# inputs:
-# dry-run:
-# description: "Run Renovate in dry-run mode (no PR)"
-# required: false
-# default: false
-# type: boolean
-#
-# Note: Renovate maintains and updates Dependency dashboard that is available in GitHub issues.
-
 name: "[Updates] Renovate (Tracker Service)"
 on:
 schedule:
From dcbea47b1ba3213f99644cea39de1fe40abad8c8 Mon Sep 17 00:00:00 2001 From: "Yermolenko, Dmytro" Date: Wed, 18 Feb 2026 10:38:23 +0100 Subject: [PATCH 24/25] Group packages updates + enable osv alerts --- .github/renovate.json5 | 61 +++--------------------------------------- 1 file changed, 4 insertions(+), 57 deletions(-)
diff --git a/.github/renovate.json5 b/.github/renovate.json5
index 6e70dc449..ef04fb77a 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -12,10 +12,12 @@
 reviewers: ["saratpoluri", "dmytroye", "tdorauintc"],
 packageRules: [
 {
- description: "Conan dependencies - group patch updates",
+ description: "Conan dependencies - group patch updates (including security fixes)",
 matchManagers: ["conan"],
 matchUpdateTypes: ["patch"],
 groupName: "tracker conan patch updates",
+ schedule: ["at any time"],
+ prPriority: 15,
 automerge: false,
 },
 {
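Review bot: The patch-group rule's new description claims it covers security fixes, but the rule still matches only `matchUpdateTypes: ["patch"]`, so a fix that ships as a minor or major release waits for the monthly schedule of the other rules and gets no priority. Renovate's security PRs are governed by the `vulnerabilityAlerts` block later in this file (its defaults, as far as I recall, already use an unrestricted schedule and bypass grouping), so the `schedule: ["at any time"]` and `prPriority: 15` added here mostly change how ordinary patch bumps are handled. Either narrow the description to `"Conan dependencies - group patch updates (unscheduled)"` or put the unrestricted schedule on `vulnerabilityAlerts` so it reaches every update type.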
@@ -40,62 +42,6 @@
 commitMessagePrefix: "Tracker:",
 commitMessageTopic: "OpenCV",
 },
- {
- description: "Testing libraries - GTest",
- matchPackageNames: ["gtest"],
- matchManagers: ["conan"],
- labels: ["dependencies", "testing", "tracker"],
- commitMessagePrefix: "Tracker:",
- commitMessageTopic: "GTest",
- },
- {
- description: "Logging libraries - Quill",
- matchPackageNames: ["quill"],
- matchManagers: ["conan"],
- labels: ["dependencies", "logging", "tracker"],
- commitMessagePrefix: "Tracker:",
- commitMessageTopic: "Quill",
- },
- {
- description: "MQTT libraries - Paho MQTT",
- matchPackageNames: ["paho-mqtt-cpp"],
- matchManagers: ["conan"],
- labels: ["dependencies", "mqtt", "tracker"],
- commitMessagePrefix: "Tracker:",
- commitMessageTopic: "Paho MQTT",
- },
- {
- description: "CLI libraries - CLI11",
- matchPackageNames: ["cli11"],
- matchManagers: ["conan"],
- labels: ["dependencies", "cli", "tracker"],
- commitMessagePrefix: "Tracker:",
- commitMessageTopic: "CLI11",
- },
- {
- description: "HTTP libraries - cpp-httplib",
- matchPackageNames: ["cpp-httplib"],
- matchManagers: ["conan"],
- labels: ["dependencies", "http", "tracker"],
- commitMessagePrefix: "Tracker:",
- commitMessageTopic: "cpp-httplib",
- },
- {
- description: "JSON libraries - RapidJSON",
- matchPackageNames: ["rapidjson"],
- matchManagers: ["conan"],
- labels: ["dependencies", "json", "tracker"],
- commitMessagePrefix: "Tracker:",
- commitMessageTopic: "RapidJSON",
- },
- {
- description: "Math libraries - Eigen",
- matchPackageNames: ["eigen"],
- matchManagers: ["conan"],
- labels: ["dependencies", "math", "tracker"],
- commitMessagePrefix: "Tracker:",
- commitMessageTopic: "Eigen",
- },
 ],
 conan: {
 enabled: true,
@@ -114,4 +60,5 @@
 enabled: true,
 labels: ["security", "tracker"],
 },
+ osvVulnerabilityAlerts: true,
 }
From abb7a89c9c3b815ed4af10571272947c249550d4 Mon Sep 17 00:00:00 2001
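Review bot: `osvVulnerabilityAlerts: true` only has an effect for datasources Renovate maps to an osv.dev ecosystem, and I am not certain the `conan` datasource is among them in the 43.x line this series validates against; if it is not, the flag is a silent no-op and Conan security updates depend entirely on the platform alerts behind the `vulnerabilityAlerts` block above, whose coverage of this ecosystem is equally unverified here. Worth confirming from a dry-run log that OSV lookups actually happen for the packages in `tracker/conanfile.txt`, and recording the result in a comment such as `// OSV alerts verified for the conan datasource on Renovate 43.x` next to the flag. Dropping the seven per-package rules also removes the per-library labels (`testing`, `logging`, `mqtt`, ...) and the `Tracker:` commit prefix for everything except OpenCV; if those were used for triage, one catch-all rule with `matchManagers: ["conan"]` and `commitMessagePrefix: "Tracker:"` would keep the prefix without the repetition.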
From: "Yermolenko, Dmytro" Date: Wed, 18 Feb 2026 10:45:33 +0100 Subject: [PATCH 25/25] Add ltalarcz to reviewers --- .github/renovate.json5 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/renovate.json5 b/.github/renovate.json5
index ef04fb77a..6ffe37c8d 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -9,7 +9,7 @@
 labels: ["dependencies", "renovate", "tracker"],
 schedule: ["before 10am on the first day of the month"],
 timezone: "UTC",
- reviewers: ["saratpoluri", "dmytroye", "tdorauintc"],
+ reviewers: ["saratpoluri", "dmytroye", "tdorauintc", "ltalarcz"],
 packageRules: [
 {
 description: "Conan dependencies - group patch updates (including security fixes)",