ci: self-hosted renovate #7690

Merged: matthewelwell merged 13 commits into main from ci/self-hosted-renovate on Jun 3, 2026

@matthewelwell matthewelwell commented Jun 2, 2026

Thanks for submitting a PR! Please check the boxes below:

  • I have read the Contributing Guide.
  • I have added information to docs/ if required so people know about the feature.
  • I have filled in the "Changes" section below.
  • I have filled in the "How did you test this code" section below.

Changes

Adds a workflow to run a renovate docker container in GH actions directly in order to authenticate with CodeArtifact and generate uv.lock correctly.

Some pre-requisites:

  • Create a GitHub App for authentication

... and updates to complete after merge:

  • Disable Cloud Renovate from Flagsmith/flagsmith

How did you test this code?

With much much pain. Here is the evidence.

Result: a successfully generated PR by Renovate to update pytest dependency here.

matthewelwell and others added 11 commits June 2, 2026 18:04
Replaces the hosted Renovate GitHub App with a self-hosted workflow so
that uv.lock can be updated correctly when private CodeArtifact packages
are involved.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces the GH_PRIVATE_ACCESS_TOKEN PAT with a GitHub App token so
that Renovate PRs and issues are attributed to the app bot identity
rather than a personal account.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Prevents security PRs from being silently dropped when manually closed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Avoids pulling the Renovate Docker image on every run, which was adding
significant overhead. Running via npx is faster and cacheable.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
UV_INDEX_* env vars are not forwarded to uv subprocesses inside
Renovate's container. RENOVATE_HOST_RULES is the correct mechanism —
Renovate embeds the credentials when invoking uv lock.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
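
An added example, not part of this PR or the Flagsmith workflow: one way to build the RENOVATE_HOST_RULES value the commit message above refers to, for a private CodeArtifact PyPI index. The function names, host and token are hypothetical placeholders; the rule assumes Renovate's `pypi` host type and CodeArtifact's fixed `aws` username.

```shell
#!/bin/sh
# Added example: build a RENOVATE_HOST_RULES value for a private PyPI index.
# Hosts and tokens passed in are supplied by the caller; nothing here is
# taken from the project's own workflow.

# build_host_rules HOST TOKEN
# Prints a one-element JSON array holding a Renovate host rule for HOST.
build_host_rules() {
  host=$1
  token=$2
  # Reject empty values and any character that would need JSON escaping,
  # so a malformed secret cannot break out of the printf template below.
  case $host in
    ''|*[!A-Za-z0-9.-]*) echo "invalid host" >&2; return 1 ;;
  esac
  case $token in
    ''|*[!A-Za-z0-9._~+/=-]*) echo "invalid token" >&2; return 1 ;;
  esac
  printf '[{"hostType":"pypi","matchHost":"%s","username":"aws","password":"%s"}]\n' \
    "$host" "$token"
}

# export_for_actions HOST TOKEN ENV_FILE
# Masks the token in the job log first, then appends the rule to ENV_FILE
# (inside a GitHub Actions step this would be "$GITHUB_ENV").
export_for_actions() {
  rules=$(build_host_rules "$1" "$2") || return 1
  echo "::add-mask::$2"
  printf 'RENOVATE_HOST_RULES=%s\n' "$rules" >> "$3"
}
```

Emitting the mask command before the value is written keeps the short-lived token out of later log lines in the same job.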
@matthewelwell matthewelwell requested a review from a team as a code owner June 2, 2026 18:27
@matthewelwell matthewelwell requested review from khvn26 and removed request for a team June 2, 2026 18:27

vercel Bot commented Jun 2, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

3 Skipped Deployments
Project Deployment Actions Updated (UTC)
docs Ignored Ignored Preview Jun 3, 2026 9:40am
flagsmith-frontend-preview Ignored Ignored Preview Jun 3, 2026 9:40am
flagsmith-frontend-staging Ignored Ignored Preview Jun 3, 2026 9:40am

@matthewelwell matthewelwell changed the title Ci/self hosted renovate ci: self-hosted renovate Jun 2, 2026

github-actions Bot commented Jun 2, 2026

Docker builds report

Image Build Status Security report
ghcr.io/flagsmith/flagsmith-api-test:pr-7690 Finished ✅ Skipped
ghcr.io/flagsmith/flagsmith-e2e:pr-7690 Finished ✅ Skipped
ghcr.io/flagsmith/flagsmith-frontend:pr-7690 Finished ✅ Results
ghcr.io/flagsmith/flagsmith:pr-7690 Finished ✅ Results
ghcr.io/flagsmith/flagsmith-api:pr-7690 Finished ✅ Results
ghcr.io/flagsmith/flagsmith-private-cloud:pr-7690 Finished ✅ Results

@github-actions github-actions Bot added the ci-cd Build, test and deployment related label Jun 2, 2026

github-actions Bot commented Jun 2, 2026

Playwright Test Results (oss - depot-ubuntu-latest-16)

passed  1 passed

Details

stats  1 test across 1 suite
duration  40.7 seconds
commit  ccfed35
info  🔄 Run: #17204 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

passed  1 passed

Details

stats  1 test across 1 suite
duration  42.5 seconds
commit  ccfed35
info  🔄 Run: #17204 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

passed  3 passed

Details

stats  3 tests across 3 suites
duration  33.9 seconds
commit  ccfed35
info  🔄 Run: #17204 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

passed  1 passed

Details

stats  1 test across 1 suite
duration  41 seconds
commit  008d96d
info  🔄 Run: #17205 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

passed  1 passed

Details

stats  1 test across 1 suite
duration  45.2 seconds
commit  008d96d
info  🔄 Run: #17205 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

passed  2 passed

Details

stats  2 tests across 2 suites
duration  40.5 seconds
commit  008d96d
info  🔄 Run: #17205 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

passed  1 passed

Details

stats  1 test across 1 suite
duration  43.1 seconds
commit  008d96d
info  🔄 Run: #17205 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

passed  1 passed

Details

stats  1 test across 1 suite
duration  34.1 seconds
commit  ee19f8e
info  🔄 Run: #17219 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

passed  1 passed

Details

stats  1 test across 1 suite
duration  40.2 seconds
commit  ee19f8e
info  🔄 Run: #17219 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

passed  2 passed

Details

stats  2 tests across 2 suites
duration  54 seconds
commit  ee19f8e
info  🔄 Run: #17219 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

passed  2 passed

Details

stats  2 tests across 2 suites
duration  57 seconds
commit  ee19f8e
info  🔄 Run: #17219 (attempt 1)

github-actions Bot commented Jun 2, 2026

Visual Regression

19 screenshots compared. See report for details.

codecov Bot commented Jun 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.52%. Comparing base (9cfd7ce) to head (ee19f8e).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7690      +/-   ##
==========================================
- Coverage   98.52%   98.52%   -0.01%     
==========================================
  Files        1444     1444              
  Lines       55090    54971     -119     
==========================================
- Hits        54280    54161     -119     
  Misses        810      810              

khvn26 previously approved these changes Jun 3, 2026

@khvn26 khvn26 left a comment

LGTM — I expect RENOVATE_APP_ID and RENOVATE_APP_PRIVATE_KEY to be set to our flagsmith-engineering app, though.

@github-actions github-actions Bot added ci-cd Build, test and deployment related and removed ci-cd Build, test and deployment related labels Jun 3, 2026

@khvn26 khvn26 left a comment

2 questions

Comment thread .github/workflows/renovate.yml
Comment thread .github/workflows/renovate.yml
@matthewelwell matthewelwell merged commit 1946ec5 into main Jun 3, 2026
34 checks passed
@matthewelwell matthewelwell deleted the ci/self-hosted-renovate branch June 3, 2026 09:53
Labels

ci-cd Build, test and deployment related
