admin/homelab-manifests
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

renovate: revert global timestamp-optional; narrowly bypass age gate for termix

Browse Source 
Last commit's global `minimumReleaseAgeBehaviour: timestamp-optional` did
two unwanted things:

  1) Dry-run showed 0 "Would commit" branches (was 33 before). The flag
     appears to alter Renovate's filtering more broadly than expected and
     is not the right knob here.
  2) Automated security review correctly flagged the global form as
     fail-open: a missing timestamp on ANY package would bypass the
     stability gate, weakening supply-chain protection across the fleet.

Narrow fix instead:
  - Revert the global setting (back to default `timestamp-required`).
  - Add `minimumReleaseAge: "0 days"` ONLY to the termix packageRule.
    ghcr.io OCI manifests for ghcr.io/lukegus/termix don't expose a
    release timestamp Renovate can read, so the global 3-day gate would
    otherwise hold updates indefinitely (this is the same class of issue
    that's been keeping reloader/homepage/headlamp on "Pending Status
    Checks" for 8+ days). Major bumps still gated by the global major
    rule (`dependencyDashboardApproval: true`).

Other ghcr.io packages with the same issue (reloader, homepage, headlamp)
remain on the dashboard's "Pending Status Checks" list and can be
force-approved per-update via the checkbox UX. That's a slower but safer
manual-approval path that preserves the supply-chain gate's intent.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
authentik Default Admin
2026-06-05 07:43:37 +02:00
parent 6ee7d83f66
commit 628a63da83
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
admin-system/renovate.yaml
+3 -3
View File
@@ -46,7 +46,6 @@ data:
"dependencyDashboardTitle": "Renovate Dependency Dashboard", "dependencyDashboardTitle": "Renovate Dependency Dashboard",
"prHourlyLimit": 8, "prHourlyLimit": 8,
"prConcurrentLimit": 8, "prConcurrentLimit": 8,
"minimumReleaseAgeBehaviour": "timestamp-optional",
"enabledManagers": ["kubernetes", "helm-values"], "enabledManagers": ["kubernetes", "helm-values"],
"kubernetes": { "kubernetes": {
"managerFilePatterns": ["/.+\\.ya?ml$/"] "managerFilePatterns": ["/.+\\.ya?ml$/"]
@@ -92,9 +91,10 @@ data:
"automerge": false "automerge": false
}, },
{ {
"description": "termix: non-semver release-X.Y.Z tag (regex versioning parses the whole tag incl. prefix; loose+extractVersion silently skips because currentValue fails the loose parser before extractVersion is applied)", "description": "termix: regex versioning parses the release-X.Y.Z prefix; minimumReleaseAge:0 bypasses the stability gate because ghcr.io OCI manifests for this image don't expose a release timestamp (timestamp-required mode otherwise holds it forever). Major bumps still queue for dashboard approval via the global major rule.",
"matchPackageNames": ["ghcr.io/lukegus/termix"], "matchPackageNames": ["ghcr.io/lukegus/termix"],
"versioning": "regex:^release-(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)$" "versioning": "regex:^release-(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)$",
"minimumReleaseAge": "0 days"
}, },
{ {
"description": "wanderer: db + web update together in one PR", "description": "wanderer: db + web update together in one PR",