feat(ci): add self-hosted renovate alongside dependabot#1
Merged
Conversation
Introduces a self-hosted Renovate runner that shadows dependabot during a soft-launch phase. Renovate replaces and extends dependabot's coverage by also tracking the tool versions pinned in .settings.yaml (the project's single source of truth) — something dependabot cannot do. Coverage delta over dependabot: gomod, github-actions, dockerfile, and terraform are all preserved (with the kubernetes/golang-x/opencontainers gomod groups carried forward verbatim). New: npm (site/), helm-values (partial), the .settings.yaml tool set via a custom regex manager (28 annotated entries), and an automated chainsaw-checksum refresh hook. Key design decisions: - Self-hosted via renovatebot/github-action with the built-in GITHUB_TOKEN. The repo's /ok reviewer-comment policy re-fires CI on bot PRs, sidestepping GitHub's "GITHUB_TOKEN cannot trigger workflows" limitation. No PAT or App needed. - The `configurationFile:` action input is intentionally NOT passed: passing it would load .github/renovate.json5 as both the global config AND the auto-discovered repo config, doubling every customManager and duplicating PRs. - .settings.yaml entries are grouped by top-level YAML section via `depType=<section>` annotations + matchDepTypes packageRules. Branches read cleanly: `renovate/build-tools`, `renovate/test-images`, `renovate/major-site`, etc. - nvkind (pinned by main-branch SHA) gets a dedicated git-refs digest customManager with a distinct `# renovate-digest:` annotation prefix so the broad regex doesn't double-extract it. - Auto-merge is positive-listed (build/lint/security tooling, plus github-actions/gomod/npm patches). Cluster-impacting pins (helm, kubectl, kind, kwok, chainsaw, karpenter, gpu-operator, kindest/node, CUDA, Go toolchain, node, hugo, nvkind) require human review on every bump, even patches. - Schedule is `before 6am every weekday` since self-hosted Renovate cannot consume GitHub vulnerability alerts (Mend-only); weekday cadence narrows the CVE-to-PR window. - Both image references (Makefile validator + workflow runner) are digest-pinned to `sha256:00185c0d...` for supply-chain consistency with the project's GitHub Actions pinning policy. Verified end-to-end: - make lint-renovate validates against ghcr.io/renovatebot/renovate:43 cleanly. - merge-gate.yaml gains a path-filtered verify-renovate job that runs the same validator only when .github/renovate.json5 changes. - Local docker dry-run with the live config produces 6 distinct PR branches (down from 10 ungrouped) covering vue/vite/mermaid/esbuild bundled in renovate/site, kindest/node + cuda bundled in renovate/test-images, and 3 majors split into renovate/major-* for isolated review. - The chainsaw post-upgrade hook is wired and idempotent: rerun against the currently-pinned v0.2.14 produces zero diff. Soft-launch plan in .github/RENOVATE.md (Phases A-E). dependabot.yml and dependabot-auto-merge.yaml remain in place until Phase D confirms Renovate is healthy; Phase E is a follow-up PR removing them.
This was referenced May 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Introduces a self-hosted Renovate runner that shadows Dependabot during a soft-launch phase, extending dependency coverage to
.settings.yaml(the project's single source of truth for tool versions) which Dependabot cannot track.Motivation / Context
Dependabot covers
gomod,github-actions, Dockerfile-onlydocker, andterraform. It cannot manage the 28 tool versions pinned in.settings.yaml, which currently drift via hand-bumps. Renovate's customManager handles them via# renovate:annotations and bundles updates per top-level YAML section. Renovate also addsnpm(site/),helm-values, and an automated chainsaw-checksum refresh hook.This PR is a practice run on the fork (
njhensley/aicr) before proposing the same change upstream. Dependabot stays in place; cutover is a follow-up.Fixes: N/A
Related: N/A
Type of Change
Component(s) Affected
Implementation Notes
Key design decisions:
renovatebot/github-actionwith the built-inGITHUB_TOKEN. The repo's/okreviewer-comment policy re-fires CI on bot PRs, sidestepping GitHub's "GITHUB_TOKEN cannot trigger workflows" limitation. No PAT/App needed.configurationFile:action input is intentionally NOT passed. Passing it would load.github/renovate.json5as both the global config AND the auto-discovered repo config, doubling every customManager and duplicating PRs. Verified via local docker dry-run..settings.yamlentries are grouped by top-level YAML section viadepType=<section>annotations +matchDepTypespackageRules. Branch slugs read cleanly:renovate/build-tools,renovate/test-images,renovate/major-site, etc.nvkind(pinned by main-branch SHA) gets a dedicatedgit-refsdigest customManager with a distinct# renovate-digest:annotation prefix so the broad regex doesn't double-extract it.github-actions/gomod/npmpatches auto-merge. Cluster-impacting pins (helm, kubectl, kind, kwok, chainsaw, karpenter, gpu-operator, kindest/node, CUDA, Go toolchain, node, hugo, nvkind) require human review on every bump, even patches.before 6am every weekdaysince self-hosted Renovate cannot consume GitHub vulnerability alerts (Mend-only); weekday cadence narrows the CVE-to-PR window.sha256:00185c0d…) for supply-chain consistency with the project's GitHub Actions pinning policy.Testing
Local dry-run produces 6 distinct PR branches (down from 10 ungrouped):
renovate/siterenovate/major-siterenovate/test-imagesrenovate/major-test-imagesrenovate/major-docs-toolsrenovate/python-3.xmerge-gate.yamlgains a path-filteredverify-renovatejob that runsmake lint-renovateonly when.github/renovate.json5changes.Risk Assessment
Rollout notes: See
.github/RENOVATE.mdfor the phased soft-launch plan (Phases A–E). Dependabot's config and auto-merge workflow remain until Phase D confirms Renovate is healthy end-to-end on the live repo. Phase E is a follow-up PR removing them.Checklist
make lint,make lint-renovate).github/RENOVATE.mdis new and is the canonical reference).settings.yamlannotations, path-filtered CI jobs)git commit -S)