Skip to content

feat(ci): add self-hosted renovate alongside dependabot#1

Merged
njhensley merged 1 commit into
mainfrom
ci/self-hosted-renovate
May 1, 2026
Merged

feat(ci): add self-hosted renovate alongside dependabot#1
njhensley merged 1 commit into
mainfrom
ci/self-hosted-renovate

Conversation

@njhensley

Copy link
Copy Markdown
Owner

Summary

Introduces a self-hosted Renovate runner that shadows Dependabot during a soft-launch phase, extending dependency coverage to .settings.yaml (the project's single source of truth for tool versions) which Dependabot cannot track.

Motivation / Context

Dependabot covers gomod, github-actions, Dockerfile-only docker, and terraform. It cannot manage the 28 tool versions pinned in .settings.yaml, which currently drift via hand-bumps. Renovate's customManager handles them via # renovate: annotations and bundles updates per top-level YAML section. Renovate also adds npm (site/), helm-values, and an automated chainsaw-checksum refresh hook.

This PR is a practice run on the fork (njhensley/aicr) before proposing the same change upstream. Dependabot stays in place; cutover is a follow-up.

Fixes: N/A
Related: N/A

Type of Change

  • Build/CI/tooling

Component(s) Affected

  • Other: CI / dependency management

Implementation Notes

Key design decisions:

  • Self-hosted via renovatebot/github-action with the built-in GITHUB_TOKEN. The repo's /ok reviewer-comment policy re-fires CI on bot PRs, sidestepping GitHub's "GITHUB_TOKEN cannot trigger workflows" limitation. No PAT/App needed.
  • configurationFile: action input is intentionally NOT passed. Passing it would load .github/renovate.json5 as both the global config AND the auto-discovered repo config, doubling every customManager and duplicating PRs. Verified via local docker dry-run.
  • .settings.yaml entries are grouped by top-level YAML section via depType=<section> annotations + matchDepTypes packageRules. Branch slugs read cleanly: renovate/build-tools, renovate/test-images, renovate/major-site, etc.
  • nvkind (pinned by main-branch SHA) gets a dedicated git-refs digest customManager with a distinct # renovate-digest: annotation prefix so the broad regex doesn't double-extract it.
  • Auto-merge is positive-listed. Only build/lint/security tooling + github-actions/gomod/npm patches auto-merge. Cluster-impacting pins (helm, kubectl, kind, kwok, chainsaw, karpenter, gpu-operator, kindest/node, CUDA, Go toolchain, node, hugo, nvkind) require human review on every bump, even patches.
  • Schedule is before 6am every weekday since self-hosted Renovate cannot consume GitHub vulnerability alerts (Mend-only); weekday cadence narrows the CVE-to-PR window.
  • Both image references digest-pinned (Makefile validator + workflow runner, both at sha256:00185c0d…) for supply-chain consistency with the project's GitHub Actions pinning policy.

Testing

make lint-renovate                # passes against ghcr.io/renovatebot/renovate:43@sha256:00185c0d...
docker run --rm -v $PWD:/usr/src/app ... renovate/renovate:43  # local dry-run
./tools/update-chainsaw-checksums v0.2.14  # idempotent on currently-pinned version

Local dry-run produces 6 distinct PR branches (down from 10 ungrouped):

Branch Contents
renovate/site mermaid + vue + esbuild
renovate/major-site vite major
renovate/test-images kindest/node + nvcr.io/nvidia/cuda
renovate/major-test-images gpu-operator major
renovate/major-docs-tools node major
renovate/python-3.x python (Dockerfile, separate manager)

merge-gate.yaml gains a path-filtered verify-renovate job that runs make lint-renovate only when .github/renovate.json5 changes.

Risk Assessment

  • Low — Config-only change. Dependabot remains in place; Renovate is shadowed for verification.

Rollout notes: See .github/RENOVATE.md for the phased soft-launch plan (Phases A–E). Dependabot's config and auto-merge workflow remain until Phase D confirms Renovate is healthy end-to-end on the live repo. Phase E is a follow-up PR removing them.

Checklist

  • Linter passes (make lint, make lint-renovate)
  • I did not skip/disable tests to make CI green
  • I updated docs (.github/RENOVATE.md is new and is the canonical reference)
  • Changes follow existing patterns in the codebase (digest pinning, .settings.yaml annotations, path-filtered CI jobs)
  • Commits are cryptographically signed (git commit -S)
  • Tests pass locally — N/A, no Go code changes
  • I added/updated tests for new functionality — N/A, no Go code changes

Introduces a self-hosted Renovate runner that shadows dependabot during a
soft-launch phase. Renovate replaces and extends dependabot's coverage by
also tracking the tool versions pinned in .settings.yaml (the project's
single source of truth) — something dependabot cannot do.

Coverage delta over dependabot: gomod, github-actions, dockerfile, and
terraform are all preserved (with the kubernetes/golang-x/opencontainers
gomod groups carried forward verbatim). New: npm (site/), helm-values
(partial), the .settings.yaml tool set via a custom regex manager (28
annotated entries), and an automated chainsaw-checksum refresh hook.

Key design decisions:

- Self-hosted via renovatebot/github-action with the built-in
  GITHUB_TOKEN. The repo's /ok reviewer-comment policy re-fires CI on
  bot PRs, sidestepping GitHub's "GITHUB_TOKEN cannot trigger workflows"
  limitation. No PAT or App needed.
- The `configurationFile:` action input is intentionally NOT passed:
  passing it would load .github/renovate.json5 as both the global config
  AND the auto-discovered repo config, doubling every customManager and
  duplicating PRs.
- .settings.yaml entries are grouped by top-level YAML section via
  `depType=<section>` annotations + matchDepTypes packageRules.
  Branches read cleanly: `renovate/build-tools`, `renovate/test-images`,
  `renovate/major-site`, etc.
- nvkind (pinned by main-branch SHA) gets a dedicated git-refs digest
  customManager with a distinct `# renovate-digest:` annotation prefix
  so the broad regex doesn't double-extract it.
- Auto-merge is positive-listed (build/lint/security tooling, plus
  github-actions/gomod/npm patches). Cluster-impacting pins (helm,
  kubectl, kind, kwok, chainsaw, karpenter, gpu-operator, kindest/node,
  CUDA, Go toolchain, node, hugo, nvkind) require human review on every
  bump, even patches.
- Schedule is `before 6am every weekday` since self-hosted Renovate
  cannot consume GitHub vulnerability alerts (Mend-only); weekday
  cadence narrows the CVE-to-PR window.
- Both image references (Makefile validator + workflow runner) are
  digest-pinned to `sha256:00185c0d...` for supply-chain consistency
  with the project's GitHub Actions pinning policy.

Verified end-to-end:

- make lint-renovate validates against ghcr.io/renovatebot/renovate:43
  cleanly.
- merge-gate.yaml gains a path-filtered verify-renovate job that runs
  the same validator only when .github/renovate.json5 changes.
- Local docker dry-run with the live config produces 6 distinct PR
  branches (down from 10 ungrouped) covering vue/vite/mermaid/esbuild
  bundled in renovate/site, kindest/node + cuda bundled in
  renovate/test-images, and 3 majors split into renovate/major-* for
  isolated review.
- The chainsaw post-upgrade hook is wired and idempotent: rerun against
  the currently-pinned v0.2.14 produces zero diff.

Soft-launch plan in .github/RENOVATE.md (Phases A-E). dependabot.yml
and dependabot-auto-merge.yaml remain in place until Phase D confirms
Renovate is healthy; Phase E is a follow-up PR removing them.
chatgpt-codex-connector[bot]

This comment was marked as resolved.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant