[ITEP-83030] Enable self-hosted Renovate bot to track Tracker Service Conan C++ dependencies #1027
Draft: dmytroye wants to merge 43 commits into main from ITEP-83030/renovate-config (base: main).
+150 −0
Commits (43):
c586820 (dmytroye) Dependabot Tracker dependencies
ed3331b (dmytroye) Update tracker-service.yaml
19836c9 (dmytroye) Update GitLeaks part
bdcf575 (dmytroye) Merge remote-tracking branch 'origin/main' into ITEP-83030/ci-tracker…
ec10543 (dmytroye) Coverity C++: For push events to main, compare commit to its parent
f47c3f7 (dmytroye) Merge branch 'main' into ITEP-83030/ci-tracker-service
f0698bc (dmytroye) Zizmor alert workaround
b2361d8 (dmytroye) Update .github/workflows/tracker-service.yaml
44d28b9 (dmytroye) Change Bandit run names
b47ea62 (dmytroye) Merge branch 'main' into ITEP-83030/ci-tracker-service
4c768cb (dmytroye) Merge branch 'main' into ITEP-83030/ci-tracker-service
5b75b15 (dmytroye) revert Coverity changes
bda7812 (dmytroye) Merge branch 'main' into ITEP-83030/ci-tracker-service
4d9b220 (dmytroye) Remove duplicating workflows
c090302 (dmytroye) Merge branch 'main' into ITEP-83030/ci-tracker-service
d34e4da (scenescapecicd) Merge branch 'main' into ITEP-83030/ci-tracker-service
87887f1 (dmytroye) Configure Renovate bot
5398c7b (dmytroye) Add renovate self-hosted workflows
1d833f8 (dmytroye) Consistent workflow names
2ca9ddd (dmytroye) Add license
a03c09a (dmytroye) Merge branch 'main' into ITEP-83030/renovate-config
464a7ac (dmytroye) Apply suggestions from code review
bba1242 (dmytroye) Remove Dependabot updates from this PR
ba3b330 (dmytroye) Merge branch 'ITEP-83030/renovate-config' of https://github.com/open-…
beb0e30 (dmytroye) Remove tracker-service.yaml updates from this PR
ffc9a98 (dmytroye) typo fix
d6329b4 (dmytroye) Prettier-write
dcf44d8 (dmytroye) Enable only Conan package manager
04afb86 (dmytroye) Adjust Renovate workflow comments to be consistent with the Renovate c…
4685410 (dmytroye) Prettier
5f2b248 (dmytroye) Merge branch 'main' into ITEP-83030/renovate-config
61df841 (dmytroye) bump version for .json validation
1a478d5 (dmytroye) Merge branch 'ITEP-83030/renovate-config' of https://github.com/open-…
b9070f1 (dmytroye) Merge branch 'main' into ITEP-83030/renovate-config
63a9f31 (scenescapecicd) Merge branch 'main' into ITEP-83030/renovate-config
7b4f15a (dmytroye) Merge branch 'main' into ITEP-83030/renovate-config
aa4c3f1 (dmytroye) Remove instructions from Renovate yamls
dcbea47 (dmytroye) Group packages updates + enable osv alerts
6fa6142 (dmytroye) Merge branch 'main' into ITEP-83030/renovate-config
abb7a89 (dmytroye) Add ltalarcz to reviewers
682d011 (dmytroye) Merge branch 'main' into ITEP-83030/renovate-config
7e45298 (dmytroye) Merge branch 'main' into ITEP-83030/renovate-config
0c06bf7 (dmytroye) Merge remote-tracking branch 'origin/main' into ITEP-83030/renovate-c…
.github/renovate.json5 (new file)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| // SPDX-FileCopyrightText: (C) 2026 Intel Corporation | ||
| // # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| { | ||
| $schema: "https://docs.renovatebot.com/renovate-schema.json", | ||
| extends: ["config:base"], | ||
| description: "Renovate configuration for Tracker Service Conan C++ dependencies", | ||
| enabledManagers: ["conan"], | ||
| labels: ["dependencies", "renovate", "tracker"], | ||
| schedule: ["before 10am on the first day of the month"], | ||
| timezone: "UTC", | ||
| reviewers: ["saratpoluri", "dmytroye", "tdorauintc", "ltalarcz"], | ||
| packageRules: [ | ||
| { | ||
| description: "Conan dependencies - group patch updates (including security fixes)", | ||
| matchManagers: ["conan"], | ||
| matchUpdateTypes: ["patch"], | ||
| groupName: "tracker conan patch updates", | ||
| schedule: ["at any time"], | ||
| prPriority: 15, | ||
| automerge: false, | ||
| }, | ||
| { | ||
| description: "Conan dependencies - group minor updates", | ||
| matchManagers: ["conan"], | ||
| matchUpdateTypes: ["minor"], | ||
| groupName: "tracker conan minor updates", | ||
| }, | ||
| { | ||
| description: "Conan dependencies - handle major updates individually", | ||
| matchManagers: ["conan"], | ||
| matchUpdateTypes: ["major"], | ||
| groupName: null, | ||
| labels: ["dependencies", "major-update", "tracker"], | ||
| }, | ||
| { | ||
| description: "OpenCV updates - needs careful testing", | ||
| matchPackageNames: ["opencv"], | ||
| matchManagers: ["conan"], | ||
| labels: ["dependencies", "opencv", "needs-testing", "tracker"], | ||
| prPriority: 10, | ||
| commitMessagePrefix: "Tracker:", | ||
| commitMessageTopic: "OpenCV", | ||
| }, | ||
| ], | ||
| conan: { | ||
| enabled: true, | ||
| fileMatch: ["tracker/conanfile.txt$"], | ||
| }, | ||
| prConcurrentLimit: 5, | ||
| prHourlyLimit: 2, | ||
| commitMessagePrefix: "Tracker Conan:", | ||
| semanticCommits: "enabled", | ||
| platformAutomerge: false, | ||
| rebaseWhen: "behind-base-branch", | ||
| separateMajorMinor: true, | ||
| separateMinorPatch: false, | ||
| rangeStrategy: "pin", | ||
| vulnerabilityAlerts: { | ||
| enabled: true, | ||
| labels: ["security", "tracker"], | ||
| }, | ||
| osvVulnerabilityAlerts: true, | ||
| } | ||
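Review bot: `extends: ["config:base"]` on the line after `$schema` uses the deprecated preset name; Renovate renamed it to `config:recommended` and keeps `config:base` only as a migration alias that the config validator flags, so write `extends: ["config:recommended"]` here. The same applies to `fileMatch` under `conan:`: Renovate 41 and later renamed it to `managerFilePatterns`, and since the validator image in this PR is 43.x, any "migration" line in the validator output should be fixed in the committed file rather than left to run-time auto-migration. Two smaller points: the second header line reads `// # SPDX-License-Identifier: Apache-2.0`, a stray `#` inside a JSON5 line comment that the two YAML files do not have; and the patch rule's description "(including security fixes)" is misleading, because CVE fixes are raised by `vulnerabilityAlerts`, which Renovate opens immediately and ungrouped regardless of the monthly `schedule`, not inside the grouped "tracker conan patch updates" PR. Worth confirming with a dry run that the alerts path actually works for this repository: `vulnerabilityAlerts` reads GitHub's Dependabot alerts, so they must be enabled on the repo and the app token must be allowed to read them, and `osvVulnerabilityAlerts` only produces results if Renovate maps the conan datasource to an OSV ecosystem, which the dry-run log will show.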
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| --- | ||
| # SPDX-FileCopyrightText: (C) 2026 Intel Corporation | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| name: "[Updates] Validate Renovate configuration" | ||
|
|
||
| on: | ||
| pull_request: | ||
| paths: | ||
| - ".github/renovate.json5" | ||
|
|
||
| permissions: {} # No permissions by default | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| validate: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - name: "Checkout configuration" | ||
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | ||
|
||
| with: | ||
| persist-credentials: false | ||
|
|
||
| - name: "Validate configuration" | ||
| run: | | ||
| # renovate: datasource=docker | ||
| export RENOVATE_IMAGE=renovate/renovate:43.24 | ||
| docker run --rm --entrypoint "renovate-config-validator" \ | ||
| -v "${{ github.workspace }}/.github/renovate.json5":"/renovate.json5" \ | ||
| ${RENOVATE_IMAGE} "/renovate.json5" | ||
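Review bot: the `# renovate: datasource=docker` comment above `export RENOVATE_IMAGE=renovate/renovate:43.24` is a dead annotation: a Renovate custom manager would also need a `depName=` to act on it, and the configuration in this PR sets `enabledManagers: ["conan"]`, so nothing will ever bump this tag and it will drift from the `renovatebot/github-action` release (v44.2.2) that actually runs Renovate. Either drop the comment, or pin the image by digest and validate with the same Renovate version the run uses. Style point on the `docker run` step: `${{ github.workspace }}` is expanded into the `run:` script; it is not attacker-controlled, but the branch already carries a "Zizmor alert workaround" commit for exactly this class of finding, and reading `$GITHUB_WORKSPACE` from the environment avoids it. Finally, with only `pull_request` on `paths: - ".github/renovate.json5"` and no `workflow_dispatch`, the validator cannot be re-run on demand when the Renovate image is bumped.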
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| --- | ||
| # SPDX-FileCopyrightText: (C) 2026 Intel Corporation | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| name: "[Updates] Renovate (Tracker Service)" | ||
| on: | ||
| schedule: | ||
| # daily | ||
| - cron: "0 2 * * *" | ||
|
|
||
| # allow to manually trigger this workflow | ||
| workflow_dispatch: | ||
| inputs: | ||
| dry-run: | ||
| description: "Run Renovate in dry-run mode (no PR)" | ||
| required: false | ||
| default: false | ||
| type: boolean | ||
|
|
||
| permissions: {} | ||
|
|
||
| jobs: | ||
| renovate: | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: "Checkout code" | ||
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | ||
|
||
| with: | ||
| persist-credentials: false | ||
|
|
||
| - name: "Get token" | ||
| id: get-github-app-token | ||
| uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 | ||
| with: | ||
| app-id: ${{ secrets.RENOVATE_APP_ID }} | ||
| private-key: ${{ secrets.RENOVATE_APP_PEM }} | ||
|
|
||
| - name: "Self-hosted Renovate" | ||
| uses: renovatebot/github-action@8b7941943a108b2cc2150730963164aa8baeab8c # v44.2.2 | ||
| with: | ||
| configurationFile: .github/renovate.json5 | ||
| token: "${{ steps.get-github-app-token.outputs.token }}" | ||
| env: | ||
| LOG_LEVEL: ${{ github.event_name == 'workflow_dispatch' && 'debug' || 'info' }} | ||
| # Dry run if the event is workflow_dispatch AND the dry-run input is true | ||
| RENOVATE_DRY_RUN: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.dry-run == 'true') && 'full' || null }} | ||
| RENOVATE_PLATFORM: github | ||
| RENOVATE_REPOSITORIES: ${{ github.repository }} | ||
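Review bot: the `actions/create-github-app-token` step passes only `app-id` and `private-key`, so the installation token it mints carries every permission the app has on every repository it is installed in, while the job's `permissions: contents: read` constrains only the `GITHUB_TOKEN`, which Renovate does not use. The action supports scoping at mint time (a `repositories:` input and per-permission inputs such as `permission-contents: write` and `permission-pull-requests: write`); set those to the minimum Renovate needs for `RENOVATE_REPOSITORIES: ${{ github.repository }}`, and if `vulnerabilityAlerts` in `.github/renovate.json5` is expected to work, read access to Dependabot alerts must be among them. Two smaller points: this workflow has no `concurrency` group, unlike the validate workflow, so a `workflow_dispatch` run overlapping the `0 2 * * *` schedule can have two Renovate instances racing on the same branches; and `LOG_LEVEL` switches to `debug` on every manual trigger, where tying it to the `dry-run` input would keep ordinary manual runs at `info`.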
Why are all dependencies listed as separate rules? Won't they be caught by the first rule in the list?
Another question is: does Renovate support security patches like Dependabot does? That's probably the most important event that should trigger a dependency update.
Grouped - dcbea47
Yes, Renovate supports security updates.
...
vulnerabilityAlerts: {
  enabled: true,
  labels: ["security", "tracker"],
},
osvVulnerabilityAlerts: true,
...