Debug-level dry-run revealed why the previous packageRule approach
(`datasource: github-releases` + `packageName: Termix-SSH/Termix` +
`versioning: regex:^release-...`) silently did nothing:
DEBUG: Dependency ghcr.io/lukegus/termix has unsupported/unversioned
value release-1.11.0 (versioning=docker)
DEBUG: Skipping ghcr.io/lukegus/termix because no currentDigest or
pinDigests
The kubernetes manager extracts the image with the default versioning
(=docker), runs an EARLY currentValue pre-check, fails on `release-1.11.0`,
falls back to digest-based updates, and gives up -- all BEFORE the
packageRule's `versioning` override has a chance to apply. Same failure
class as the earlier `extractVersion` attempt.
Renovate's documented fix for this exact case is an inline manifest
comment that applies overrides at extraction time:
# renovate: datasource=github-releases depName=Termix-SSH/Termix \
# versioning=loose extractVersion=^release-(?<version>.+)$
image: ghcr.io/lukegus/termix:release-1.11.0
With extractVersion stripping the `release-` prefix at extraction, the
loose semver parser handles the resulting `1.11.0` / `2.3.2` fine.
The github-releases datasource gives Renovate real upstream timestamps so
the 3-day stability gate works normally. Removing the now-superseded
packageRule keeps the config clean (6 rules instead of 7).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

26 items sat in the dashboard's "Rate-Limited" list after the first default-allow
run (Sat 02:00); at 8 PRs/run + 1 run/week the backlog would take ~3
weeks to drain. Doubling to 16/16 cuts that to ~2 runs while still
leaving headroom (the dashboard "Pending Approval" majors and ghcr.io
"Pending Status Checks" don't count against this limit anyway).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Privacy-focused, client-side PDF toolkit deployed into the office-system
namespace alongside OnlyOffice. Stateless (no DB/PVC); nginx-internal
ingress with HU geo-restriction and letsencrypt-prod TLS. Auto-synced by
the existing `office` ArgoCD Application.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Was Sun 04:00; now Sat 02:00 so Renovate's wave lands at the start of
the weekend instead of the end. If an auto-merged update breaks
something, Viktor has the full weekend to troubleshoot.
`0 2 * * 6` = Saturday 02:00 in Europe/Budapest (the CronJob already
sets timeZone, so this is wall-clock local).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Replaces the security-flagged `minimumReleaseAge: 0` bypass with a
proper datasource swap.
Why: ghcr.io OCI manifests for ghcr.io/lukegus/termix don't expose a
release timestamp, so Renovate's default `timestamp-required` mode
holds updates indefinitely. The previous fix (zeroing the gate) was
flagged as a supply-chain control regression -- correctly, since it
weakens the stability protection for that package.
Cleaner fix: point Renovate's version lookup at the upstream GitHub
Releases (Termix-SSH/Termix per the OCI source label) where timestamps
ARE published. The 3-day gate then works for termix the same way it
works for other packages with intact timestamps. Renovate still
updates the same image -- the manager extracts ghcr.io/lukegus/termix
from termix.yaml and writes the new tag back; only the version-source
lookup is redirected. The ghcr.io registry hosts every release-X.Y.Z
tag (verified release-2.3.2 present), so the writeback target stays
valid.
Major bumps (1.x -> 2.x) continue to queue for dashboard approval via
the global major rule.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Last commit's global `minimumReleaseAgeBehaviour: timestamp-optional` did
two unwanted things:
1) Dry-run showed 0 "Would commit" branches (was 33 before). The flag
appears to alter Renovate's filtering more broadly than expected and
is not the right knob here.
2) Automated security review correctly flagged the global form as
fail-open: a missing timestamp on ANY package would bypass the
stability gate, weakening supply-chain protection across the fleet.
Narrow fix instead:
- Revert the global setting (back to default `timestamp-required`).
- Add `minimumReleaseAge: "0 days"` ONLY to the termix packageRule.
ghcr.io OCI manifests for ghcr.io/lukegus/termix don't expose a
release timestamp Renovate can read, so the global 3-day gate would
otherwise hold updates indefinitely (this is the same class of issue
that's been keeping reloader/homepage/headlamp on "Pending Status
Checks" for 8+ days). Major bumps still gated by the global major
rule (`dependencyDashboardApproval: true`).
Other ghcr.io packages with the same issue (reloader, homepage, headlamp)
remain on the dashboard's "Pending Status Checks" list and can be
force-approved per-update via the checkbox UX. That's a slower but safer
manual-approval path that preserves the supply-chain gate's intent.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
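
The commits above reason about three Renovate decisions: the versioning pre-check that rejects `release-1.11.0` under docker versioning before a packageRule can override it, the inline `extractVersion` comment that feeds `1.11.0` to loose versioning, and the `minimumReleaseAge` gate's behaviour when a datasource (ghcr.io OCI) exposes no timestamp, under `timestamp-required` versus the fail-open `timestamp-optional`. The script below is an added example, not Renovate's code and not part of this repository: it models those decisions in a few lines so the four outcomes can be compared side by side. Assumptions: the two versioning regexes are simplifications of Renovate's docker and loose schemes, the tag list and release dates are constructed inputs, and the major/minor split stands in for the global major rule that queues majors for dashboard approval.

```python
"""Toy model of the Renovate decisions discussed in the commit messages above.

Added example, not Renovate's own code. Assumptions: the two versioning
regexes are simplifications of Renovate's docker and loose schemes; the tag
list and release timestamps are constructed inputs.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# docker: numeric dotted version with optional suffix, so `release-1.11.0` is rejected.
_DOCKER = re.compile(r"^v?\d+(\.\d+)*(-[0-9A-Za-z.]+)?$")
# loose: anything that starts with a numeric dotted version.
_LOOSE = re.compile(r"^v?\d+(\.\d+)*")

# The extractVersion regex from the inline manifest comment in the first commit above.
EXTRACT = r"^release-(?<version>.+)$"


def _to_python_regex(js_regex: str) -> str:
    """Renovate regexes use JS named groups `(?<name>...)`; Python's re wants
    `(?P<name>...)`. Lookbehinds `(?<=` / `(?<!` are left untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", js_regex)


def extract_version(tag: str, extract_regex: Optional[str]) -> Optional[str]:
    """Apply `extractVersion`: the `version` group is what the versioning scheme sees.
    Without a regex the raw tag is used; a tag that does not match is not a candidate."""
    if extract_regex is None:
        return tag
    m = re.match(_to_python_regex(extract_regex), tag)
    return m.group("version") if m else None


def is_valid(value: str, versioning: str) -> bool:
    scheme = _DOCKER if versioning == "docker" else _LOOSE
    return scheme.match(value) is not None


def parse(value: str) -> Tuple[int, ...]:
    """Numeric components for ordering: '1.11.0' -> (1, 11, 0)."""
    return tuple(int(p) for p in re.findall(r"\d+", value))


def passes_release_age(released_at: Optional[datetime], now: datetime,
                       minimum_age: timedelta, behaviour: str) -> bool:
    """minimumReleaseAge gate. A release with no timestamp is held under
    `timestamp-required` (fail-closed) and let through under `timestamp-optional`
    (fail-open), which is why the global form of that setting was flagged."""
    if released_at is None:
        return behaviour == "timestamp-optional"
    return now - released_at >= minimum_age


def evaluate_update(current_tag: str, available_tags: List[str],
                    release_dates: Dict[str, datetime], now: datetime, *,
                    extract_regex: Optional[str] = None, versioning: str = "docker",
                    minimum_age: timedelta = timedelta(days=3),
                    behaviour: str = "timestamp-required") -> dict:
    """Simplified outcome for one image:
      {"skipped": reason}                      current value fails the versioning pre-check
      {"update", "pending_approval", "held"}   otherwise:
        update           newest same-major candidate passing the age gate (automerge path)
        pending_approval newest major bump passing the age gate (dashboard approval)
        held             candidates blocked by the age gate ("Pending Status Checks")
    """
    current = extract_version(current_tag, extract_regex)
    if current is None or not is_valid(current, versioning):
        return {"skipped": f"unsupported/unversioned value {current_tag} (versioning={versioning})"}
    cur = parse(current)
    newer = []
    for tag in available_tags:
        value = extract_version(tag, extract_regex)
        if value is not None and is_valid(value, versioning) and parse(value) > cur:
            newer.append((parse(value), tag))
    result: dict = {"update": None, "pending_approval": None, "held": []}
    for ver, tag in sorted(newer, reverse=True):
        if not passes_release_age(release_dates.get(tag), now, minimum_age, behaviour):
            result["held"].append(tag)
            continue
        slot = "pending_approval" if ver[0] != cur[0] else "update"
        if result[slot] is None:
            result[slot] = tag
    return result


# Constructed inputs: a ghcr.io-style tag list, no OCI timestamps (the ghcr.io
# problem), and GitHub Releases timestamps for the same tags.
NOW = datetime(2025, 11, 1, 2, 0)
TAGS = ["release-1.11.0", "release-1.12.0", "release-2.3.2", "latest", "sha-0123abcd"]
GHCR_DATES: Dict[str, datetime] = {}
GITHUB_DATES = {"release-1.12.0": NOW - timedelta(days=10),
                "release-2.3.2": NOW - timedelta(days=1)}

if __name__ == "__main__":
    # 1. packageRule-only attempt: the docker pre-check rejects the current value.
    print(evaluate_update("release-1.11.0", TAGS, GHCR_DATES, NOW))
    # 2. inline comment, still ghcr.io (no timestamps): every candidate is held.
    print(evaluate_update("release-1.11.0", TAGS, GHCR_DATES, NOW,
                          extract_regex=EXTRACT, versioning="loose"))
    # 3. same, but timestamp-optional: the 1-day-old 2.3.2 is let through (fail-open).
    print(evaluate_update("release-1.11.0", TAGS, GHCR_DATES, NOW, extract_regex=EXTRACT,
                          versioning="loose", behaviour="timestamp-optional"))
    # 4. github-releases timestamps: 1.12.0 (10 days old) proposed, 2.3.2 (1 day) held.
    print(evaluate_update("release-1.11.0", TAGS, GITHUB_DATES, NOW,
                          extract_regex=EXTRACT, versioning="loose"))
```

Scenario 1 reproduces the "unsupported/unversioned value" skip from the dry-run log; scenario 2 is the indefinite hold that motivated the `minimumReleaseAge: 0` bypass; scenario 3 is the fail-open behaviour the review flagged, where a release with no timestamp passes the gate regardless of its age; scenario 4 is the datasource-swap outcome, where the gate holds only the release that is genuinely too young and the major bump is queued rather than automerged.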