From 454cce96910b52367b3302e8faaffbea4753b330 Mon Sep 17 00:00:00 2001
From: kisfenyo
Date: Wed, 27 May 2026 22:00:49 +0200
Subject: [PATCH] renovate: expand to Tier 1 allowlist + 3-day stability delay

Grows the Renovate pilot from 4 apps to a 16-app Tier 1 allowlist of low-risk leaf apps (no DBs / schema migrations). packageRules keeps the same 4-rule shape (default-deny, enable, automerge-minor/patch, major-dashboard-approval) with the expanded package list in all three Tier 1 rules.

Behavior changes:
- minimumReleaseAge "3 days" on the automerge rule: Renovate won't open a minor/patch PR until the tag has been published upstream for 3 days (stability gate; chosen over branch protection, which would disable automerge entirely).

Image-string corrections vs. the planned list (Renovate matches the exact image as written in the manifest; verified against the YAML):
- homepage -> ghcr.io/gethomepage/homepage (had no registry)
- reloader -> ghcr.io/stakater/reloader (had no registry)
- termix -> ghcr.io/lukegus/termix (had no registry)

Notes:
- registry.k8s.io/kube-state-metrics/kube-state-metrics is kept in the list but currently matches nothing: ksm has no image in this repo (only a Prometheus scrape target), so it's a harmless no-op until ksm is ever deployed via a manifest here.
- ghcr.io/lukegus/termix uses a non-semver tag (release-1.11.0); watch whether Renovate categorizes its updates as minor/patch.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 admin-system/renovate.yaml | 52 +++++++++++++++++++++++++++++++++++---
 1 file changed, 48 insertions(+), 4 deletions(-)

diff --git a/admin-system/renovate.yaml b/admin-system/renovate.yaml
index ce39ffc..3934443 100644
--- a/admin-system/renovate.yaml
+++ b/admin-system/renovate.yaml
@@ -52,36 +52,80 @@ data:
 },
 "packageRules": [
 {
+ "description": "Default-deny everything",
 "matchPackageNames": ["*"],
 "enabled": false
 },
 {
+ "description": "Tier 1: enable updates for low-risk leaf apps",
 "matchPackageNames": [
 "ghcr.io/thomiceli/opengist",
 "louislam/uptime-kuma",
 "f0rc3/gokapi",
- "docker.io/calcom/cal.com"
+ "docker.io/calcom/cal.com",
+ "advplyr/audiobookshelf",
+ "arcadiatechnology/crafty-4",
+ "codercom/code-server",
+ "ghcr.io/gethomepage/homepage",
+ "ghcr.io/headlamp-k8s/headlamp",
+ "prom/node-exporter",
+ "rommapp/romm",
+ "ghcr.io/stakater/reloader",
+ "privatebin/nginx-fpm-alpine",
+ "flomp/wanderer-db",
+ "flomp/wanderer-web",
+ "registry.k8s.io/kube-state-metrics/kube-state-metrics",
+ "ghcr.io/lukegus/termix"
 ],
 "enabled": true
 },
 {
+ "description": "Tier 1: automerge minor/patch after 3-day stability window",
 "matchPackageNames": [
 "ghcr.io/thomiceli/opengist",
 "louislam/uptime-kuma",
 "f0rc3/gokapi",
- "docker.io/calcom/cal.com"
+ "docker.io/calcom/cal.com",
+ "advplyr/audiobookshelf",
+ "arcadiatechnology/crafty-4",
+ "codercom/code-server",
+ "ghcr.io/gethomepage/homepage",
+ "ghcr.io/headlamp-k8s/headlamp",
+ "prom/node-exporter",
+ "rommapp/romm",
+ "ghcr.io/stakater/reloader",
+ "privatebin/nginx-fpm-alpine",
+ "flomp/wanderer-db",
+ "flomp/wanderer-web",
+ "registry.k8s.io/kube-state-metrics/kube-state-metrics",
+ "ghcr.io/lukegus/termix"
 ],
 "matchUpdateTypes": ["minor", "patch"],
 "automerge": true,
+ "automergeType": "pr",
 "platformAutomerge": true,
- "automergeType": "pr"
+ "minimumReleaseAge": "3 days"
 },
 {
+ "description": "Tier 1: major bumps require dashboard approval (no automerge)",
 "matchPackageNames": [
 "ghcr.io/thomiceli/opengist",
 "louislam/uptime-kuma",
 "f0rc3/gokapi",
- "docker.io/calcom/cal.com"
+ "docker.io/calcom/cal.com",
+ "advplyr/audiobookshelf",
+ "arcadiatechnology/crafty-4",
+ "codercom/code-server",
+ "ghcr.io/gethomepage/homepage",
+ "ghcr.io/headlamp-k8s/headlamp",
+ "prom/node-exporter",
+ "rommapp/romm",
+ "ghcr.io/stakater/reloader",
+ "privatebin/nginx-fpm-alpine",
+ "flomp/wanderer-db",
+ "flomp/wanderer-web",
+ "registry.k8s.io/kube-state-metrics/kube-state-metrics",
+ "ghcr.io/lukegus/termix"
 ],
 "matchUpdateTypes": ["major"],
 "automerge": false,
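Review bot: None of the Tier 1 rules pins images to a digest, so every automerged minor/patch bump lands as a mutable tag and `minimumReleaseAge` only measures when the tag first appeared, not whether it was re-pushed afterwards; add `"pinDigests": true` to the "Tier 1: enable updates" rule (and `"digest"` to the automerge rule's `matchUpdateTypes` if digest-only refreshes should merge too) so what reaches the cluster is an immutable reference. As far as I know Renovate can only enforce `minimumReleaseAge` on docker images whose registry exposes a release timestamp and silently skips the gate otherwise, so verify in the dependency dashboard or debug log that the 3-day delay is actually applied for each registry in the list rather than assuming it. Entries such as `codercom/code-server`, `ghcr.io/stakater/reloader`, `ghcr.io/headlamp-k8s/headlamp` and `prom/node-exporter` are "leaf" only in the data sense — presumably they carry cluster RBAC or host access, so a hijacked upstream minor release would be auto-deployed within three days, which deserves a comment in the rule description stating that trade-off. `flomp/wanderer-db` also looks by name like the database half of wanderer, which the stated "no DBs / schema migrations" criterion would exclude; confirm it is stateless before leaving it in the automerge rule. The fourth rule's object continues past the end of the hunk.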