renovate: expand to Tier 1 allowlist + 3-day stability delay #7

Merged
admin merged 1 commits from feat/renovate-tier1-expansion into main 2026-05-27 22:01:21 +02:00
Owner

Expands the Renovate pilot from 4 apps to a 16-app Tier 1 allowlist (low-risk leaf apps, no DBs / schema migrations) and adds a 3-day stability gate.

Behavior changes

  • minimumReleaseAge: "3 days" on the automerge rule — a minor/patch PR isn't opened until the tag has been published upstream for 3 days. Chosen over branch protection (which would disable automerge entirely).
  • packageRules keeps the same 4-rule shape: default-deny → enable Tier 1 → automerge minor/patch → major requires dashboard approval.

Tier 1 (17 image refs / 16 apps)

opengist, uptime-kuma, gokapi, cal.com (existing 4) + audiobookshelf, crafty-4, code-server, homepage, headlamp, node-exporter, romm, reloader, privatebin, wanderer-db, wanderer-web, kube-state-metrics, termix.

Image-string corrections vs. plan (verified against the manifests)

Renovate matches the exact image as written, so these needed the ghcr.io/ prefix added:

  • gethomepage/homepage → ghcr.io/gethomepage/homepage
  • stakater/reloader → ghcr.io/stakater/reloader
  • lukegus/termix → ghcr.io/lukegus/termix

Caveats

  • kube-state-metrics has no image in this repo (only a Prometheus scrape target) — the entry is a harmless no-op until ksm is deployed via a manifest here.
  • termix uses a non-semver tag (release-1.11.0); watching whether Renovate categorizes its updates as minor/patch.

Also created the renovate Gitea label (id=1) so future PRs/the dashboard get tagged.

🤖 Generated with Claude Code

admin added 1 commit 2026-05-27 22:01:08 +02:00
Grows the Renovate pilot from 4 apps to a 16-app Tier 1 allowlist of
low-risk leaf apps (no DBs / schema migrations). packageRules keeps the
same 4-rule shape (default-deny, enable, automerge-minor/patch,
major-dashboard-approval) with the expanded package list in all three
Tier 1 rules.

Behavior changes:
- minimumReleaseAge "3 days" on the automerge rule: Renovate won't open
  a minor/patch PR until the tag has been published upstream for 3 days
  (stability gate; chosen over branch protection, which would disable
  automerge entirely).

Image-string corrections vs. the planned list (Renovate matches the
exact image as written in the manifest; verified against the YAML):
- homepage  -> ghcr.io/gethomepage/homepage   (had no registry)
- reloader  -> ghcr.io/stakater/reloader      (had no registry)
- termix    -> ghcr.io/lukegus/termix         (had no registry)

Notes:
- registry.k8s.io/kube-state-metrics/kube-state-metrics is kept in the
  list but currently matches nothing: ksm has no image in this repo
  (only a Prometheus scrape target), so it's a harmless no-op until ksm
  is ever deployed via a manifest here.
- ghcr.io/lukegus/termix uses a non-semver tag (release-1.11.0); watch
  whether Renovate categorizes its updates as minor/patch.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
admin merged commit 8edb986a54 into main 2026-05-27 22:01:21 +02:00
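
A pre-merge check for the caveats noted in this PR, written as an added example (not code from this repository or from Renovate): it compares allowlist entries with the image strings in the manifests and flags entries that match nothing, entries that differ only by a registry prefix, and tags that are not semver. The function names, the loose semver regex and every tag except `release-1.11.0` are assumptions constructed for the sketch.

```python
import re

# Loose semver test on the tag (optional leading "v"). An assumption for this
# sketch, not Renovate's own versioning logic.
SEMVER = re.compile(r"^v?\d+\.\d+\.\d+([-+].*)?$")

def split_image(ref):
    """Split 'name:tag' into (name, tag); drops any @digest, keeps registry ports."""
    ref = ref.split("@", 1)[0]
    if ":" in ref.rsplit("/", 1)[-1]:
        name, tag = ref.rsplit(":", 1)
        return name, tag
    return ref, None

def audit(allowlist, manifest_images):
    """Classify allowlist entries against the images actually deployed."""
    deployed = dict(split_image(ref) for ref in manifest_images)
    report = {"no_match": [], "prefix_mismatch": [], "non_semver": []}
    for entry in allowlist:
        if entry in deployed:
            tag = deployed[entry]
            if tag is None or not SEMVER.match(tag):
                report["non_semver"].append((entry, tag))
            continue
        # Same repository path, written with or without a registry host.
        near = [n for n in deployed
                if n.endswith("/" + entry) or entry.endswith("/" + n)]
        if near:
            report["prefix_mismatch"].append((entry, near[0]))
        else:
            report["no_match"].append(entry)  # rule is a silent no-op
    return report

# Constructed sample: one entry as it stood in the plan (no registry prefix),
# two corrected entries, and the kube-state-metrics entry with no manifest.
ALLOWLIST = [
    "gethomepage/homepage",
    "ghcr.io/stakater/reloader",
    "ghcr.io/lukegus/termix",
    "registry.k8s.io/kube-state-metrics/kube-state-metrics",
]
MANIFEST_IMAGES = [
    "ghcr.io/gethomepage/homepage:v1.0.0",    # constructed tag
    "ghcr.io/stakater/reloader:v1.0.0",       # constructed tag
    "ghcr.io/lukegus/termix:release-1.11.0",  # tag quoted in the PR
]

if __name__ == "__main__":
    for kind, items in audit(ALLOWLIST, MANIFEST_IMAGES).items():
        print(kind, items)
```

A non-empty `prefix_mismatch` is the case to block a merge on, because a rule that enables an image under the wrong string leaves that image under default-deny with no error.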

Reference: admin/homelab-manifests#7