renovate: Disable major/minor k8s upgrades on stable branches#44489
Merged
PR #44389 introduced the `"matchBaseBranches": ["main"]` constraint to the `"disable major/minor k8s updates"` rule. The intent was to scope that rule to main since stable branches would have their own logic, but the new `"k8s.io patch updates stable"` rule only covers patch/digest — it never disables major/minor on stable. So major/minor k8s updates fell through with nothing blocking them on v1.17/v1.18/v1.19.

That's how we got #44481 attempting to bump those from `v0.32.0` to `v0.35.1` on 1.17 and #44476 from `v0.33.3` to `v0.35.1` on 1.18.

This PR removes the `matchBaseBranches: ["main"]` from the disable rule so it applies to all branches. The `"k8s.io patch updates stable"` rule (which explicitly enables patch+digest on stable) will still take precedence for those update types, giving the correct behavior:

* All branches: major/minor k8s updates disabled
* Stable branches only: patch/digest k8s updates enabled

Signed-off-by: Hadrien Patte <[email protected]>
Member
Author
/test
aanm
approved these changes
Feb 23, 2026
Member
aanm
left a comment
oh, how did I mess this up! Thanks for the fix!
Member
@HadrienPatte and now back to square 1 because renovate does not update the patch versions of the k8s libraries on stable branches. 😢
HadrienPatte
added a commit
that referenced
this pull request
Feb 23, 2026
The `"k8s.io patch updates stable"` rule was missing `separateMinorPatch: true`. With the global `separateMinorPatch: false`, Renovate produces a single PR targeting the latest version when a newer minor is available. That PR is classified as "minor", so `matchUpdateTypes: ["patch"]` never matches, `enabled: true` never fires, and the `"k8s major/minor updates disabled"` rule blocks it — no patch PR is ever created.

Add `separateMajorMinor: true` and `separateMinorPatch: true` to the rule, matching the pattern already used for lvh-images and external docker images on stable branches. This forces a separate "patch"-typed PR (staying within the current minor series) which the rule can correctly enable, while the "minor"-typed PR remains blocked as intended.

Followup to #44489

Signed-off-by: Hadrien Patte <[email protected]>
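The rule interaction described in the PR description and in the follow-up commit message above, as an added example that is not part of the thread or of Cilium's Renovate configuration: a simplified model that replays the three configuration states on a stable branch. The function names, the rule bodies (reconstructed from the text) and the release list (including `v0.32.5`) are assumptions, and the effective `separateMinorPatch` value is passed in directly rather than resolved from the rules.

```javascript
// Added illustration, not Cilium's renovate config: rule bodies are
// reconstructed from the PR text, and v0.32.5 is a constructed version.
const STABLE = ["v1.17", "v1.18", "v1.19"];
const parse = (v) => v.replace(/^v/, "").split(".").map(Number);
const cmp = (x, y) => parse(x).map((n, i) => n - parse(y)[i]).find((d) => d !== 0) || 0;

// Label a bump major/minor/patch by the first version component that differs.
function updateType(from, to) {
  const [a, b] = [parse(from), parse(to)];
  return a[0] !== b[0] ? "major" : a[1] !== b[1] ? "minor" : "patch";
}

// One candidate to the newest version; with separateMinorPatch an extra
// patch-typed candidate that stays inside the current minor series.
function candidates(current, available, separateMinorPatch) {
  const newer = available.filter((v) => cmp(v, current) > 0).sort(cmp);
  if (newer.length === 0) return [];
  const latest = newer[newer.length - 1];
  const out = [{ to: latest, type: updateType(current, latest) }];
  const inSeries = newer.filter((v) => updateType(current, v) === "patch");
  if (separateMinorPatch && inSeries.length > 0 && out[0].type !== "patch") {
    out.unshift({ to: inSeries[inSeries.length - 1], type: "patch" });
  }
  return out;
}

// The two rules named in the thread; disableOnlyOnMain models the #44389 state.
function buildRules(disableOnlyOnMain) {
  const disable = { matchUpdateTypes: ["major", "minor"], enabled: false };
  if (disableOnlyOnMain) disable.matchBaseBranches = ["main"];
  const stablePatch = { matchBaseBranches: STABLE, matchUpdateTypes: ["patch", "digest"], enabled: true };
  return [disable, stablePatch];
}

const ruleMatches = (r, branch, type) =>
  (!r.matchBaseBranches || r.matchBaseBranches.includes(branch)) &&
  (!r.matchUpdateTypes || r.matchUpdateTypes.includes(type));

// Rules apply in order; the last matching rule decides `enabled` (default true).
function plannedPRs(rules, branch, current, available, separateMinorPatch) {
  return candidates(current, available, separateMinorPatch)
    .filter((c) => rules.reduce((on, r) => (ruleMatches(r, branch, c.type) ? r.enabled : on), true))
    .map((c) => `${c.type}:${c.to}`);
}

const AVAILABLE = ["v0.32.0", "v0.32.5", "v0.35.1"]; // constructed release list
console.log(plannedPRs(buildRules(true), "v1.17", "v0.32.0", AVAILABLE, false));  // after #44389
console.log(plannedPRs(buildRules(false), "v1.17", "v0.32.0", AVAILABLE, false)); // after this PR
console.log(plannedPRs(buildRules(false), "v1.17", "v0.32.0", AVAILABLE, true));  // after the follow-up
```

The same three calls with a branch of `"main"` show the disable rule holding in every state, which is why only the stable branches were exposed.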