[build] remove overly complicated renovate workflow #17525

Merged
titusfortner merged 2 commits into trunk from dependency_workflows, May 19, 2026

@titusfortner
Member

🔗 Related Issues

#17504 was not a good approach (shocking I made it too complicated)
Turns out we can adjust renovate not to actually create PRs but just to create branches we can run tests against

💥 What does this PR do?

This is just to prove out the approach:

  • Renovate should create a single branch here
  • ci-renovate-rbe should kick off and run tests

🔧 Implementation Notes

This is the better alternative

🤖 AI assistance

  • No substantial AI assistance used
  • AI assisted (complete below)
    • Tool(s): claude
    • What was generated: json settings
    • I reviewed all AI output and can explain the change

💡 Additional Considerations

Follow on is to:

  • Decide on Auto merge (maybe break into major/minor)
  • expand to more than one branch at a time
  • manage failures

@selenium-ci selenium-ci added the B-build Includes scripting, bazel and CI integrations label May 19, 2026
@qodo-code-review
Contributor

Review Summary by Qodo

Simplify dependency workflow with Renovate branch-based testing

✨ Enhancement

Walkthroughs

Description
• Simplify dependency update workflow using Renovate's built-in branch creation
• Remove complex multi-step orchestration in favor of automatic branch-based testing
• Add new ci-renovate-rbe.yml workflow to test and commit dependency updates
• Update Renovate configuration to create branches instead of pull requests
Diagram
flowchart LR
  A["Renovate creates<br/>renovate/* branches"] --> B["ci-renovate-rbe<br/>workflow triggers"]
  B --> C["Repin dependencies<br/>and format"]
  C --> D["Commit changes<br/>to branch"]
  D --> E["Run RBE tests"]
  E --> F["Run GitHub CI"]

File Changes

1. .github/workflows/ci-rbe.yml ✨ Enhancement +2/-1

Add workflow_call trigger and remove renovate exclusion

• Add workflow_call trigger to allow reuse from other workflows
• Remove condition that excluded renovate branches from running tests
• Simplify job condition to only check for fork status

.github/workflows/ci-rbe.yml


2. .github/workflows/ci-renovate-rbe.yml ✨ Enhancement +43/-0

New workflow for testing renovate dependency branches

• New workflow triggered on renovate/* branch pushes
• Repin dependencies using ./go all:pin and ./go rust:pin
• Commit repins to branch and run full test suite
• Chain RBE tests and GitHub CI tests after successful commits

.github/workflows/ci-renovate-rbe.yml


3. .github/workflows/renovate-dependencies.yml ✨ Enhancement +0/-102

Remove overly complicated renovate orchestration workflow

• Completely removed complex orchestration workflow
• Eliminated manual branch reset and Renovate invocation logic
• Removed matrix-based major/minor dependency PR creation

.github/workflows/renovate-dependencies.yml


4. .github/workflows/renovate-dependency-pr.yml ✨ Enhancement +0/-106

Remove complex dependency PR creation workflow

• Completely removed workflow that created individual dependency PRs
• Eliminated branch detection and patch-based promotion logic
• Removed dependency on manual workflow orchestration

.github/workflows/renovate-dependency-pr.yml


5. renovate.json ⚙️ Configuration changes +3/-21

Configure Renovate for branch-based testing approach

• Set prCreation: "approval" to prevent automatic PR creation
• Add branchConcurrentLimit: 1 to limit concurrent dependency branches
• Remove dependencyDashboardApproval and automerge settings
• Update dashboard header to explain new branch-based workflow
• Remove orchestration-specific grouping rules for major/minor updates

renovate.json


@qodo-code-review
Contributor

qodo-code-review Bot commented May 19, 2026

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0)

Remediation recommended

1. Force-push branch race 🐞 Bug ☼ Reliability
Description
ci-renovate-rbe.yml triggers on push to renovate/* and then calls commit-changes.yml, which
force-pushes back to that same branch; without per-branch workflow concurrency this can overwrite
newer Renovate commits (or run CI on commits that are no longer the branch head). This is especially
risky if Renovate pushes additional commits to the branch while the workflow is still running.
Code

.github/workflows/ci-renovate-rbe.yml[R3-34]

+on:
+  push:
+    branches:
+      - renovate/*
+
+permissions:
+  contents: read
+
+jobs:
+  pin:
+    name: Repin Dependencies
+    if: github.event.repository.fork == false
+    uses: ./.github/workflows/bazel.yml
+    with:
+      name: Repin Dependencies
+      run: |
+        ./go all:pin
+        ./go rust:pin
+        ./go format
+      artifact-name: repin-changes
+
+  commit-repins:
+    name: Commit Repins
+    needs: pin
+    permissions:
+      contents: write
+      actions: read
+    uses: ./.github/workflows/commit-changes.yml
+    with:
+      artifact-name: repin-changes
+      commit-message: "Repin dependencies"
+
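Review bot: the `repin-changes` artifact handed to `commit-repins` should be treated as untrusted input, because it is produced by a `pin` job that runs `./go all:pin`, `./go rust:pin` and `./go format` on a freshly updated dependency set and is then consumed by a job holding `contents: write`. Keeping the write scope out of `pin` is the right split. Add a comment next to `artifact-name: repin-changes` stating that `commit-changes.yml` only applies the artifact as a patch and never executes anything from it, so that code pulled in by a dependency update cannot reach the write-scoped token.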
Evidence
The new workflow triggers on pushes to renovate/* and invokes the reusable commit workflow. That
reusable workflow force-pushes (git push --force) to the target branch, which can clobber newer
remote commits if another push lands while the run is executing; adding per-branch
concurrency/cancellation (and/or --force-with-lease) prevents these races.

.github/workflows/ci-renovate-rbe.yml[3-43]
.github/workflows/commit-changes.yml[46-59]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The new `CI - Renovate - RBE` workflow runs on every push to `renovate/*` and then executes a force-push back to the same branch (via `commit-changes.yml`). Without a per-branch concurrency group, overlapping runs for the same branch (e.g., Renovate pushes again while CI is running) can lead to:
- wasted CI on superseded heads
- or worse: the force-push overwriting newer Renovate commits

### Issue Context
- The workflow is `on: push` for `renovate/*`.
- It uses `commit-changes.yml`, which does `git push --force`.

### Fix Focus Areas
- Add workflow-level concurrency scoped to the branch ref to serialize/cancel runs:
 - `.github/workflows/ci-renovate-rbe.yml[1-43]`
- Consider making the push safer by switching to `--force-with-lease` to avoid overwriting remote updates:
 - `.github/workflows/commit-changes.yml[46-56]`

@titusfortner titusfortner merged commit 72a6efd into trunk May 19, 2026
17 checks passed
@titusfortner titusfortner deleted the dependency_workflows branch May 19, 2026 17:14
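
The force-push race described in the Qodo review above, reproduced as an added example (not code from this PR or the Selenium repository): a push with `--force` discards a commit that landed mid-run, while `--force-with-lease` pinned to the SHA the run started from is rejected. A local bare repository stands in for the remote; the branch name and file contents are constructed.

```shell
#!/bin/sh
# Constructed demo: a local bare repository stands in for the GitHub remote,
# and the branch name renovate/demo is made up for this example.
export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
BRANCH=renovate/demo

# simulate_race MODE: prints "clobbered" or "preserved".
# MODE "force" pushes with --force, MODE "lease" with --force-with-lease.
simulate_race() {
  mode=$1
  work=$(mktemp -d) || return 1
  git init -q --bare "$work/origin.git"
  git init -q "$work/renovate"

  # Renovate pushes the first update commit to the branch.
  ( cd "$work/renovate" &&
    git symbolic-ref HEAD "refs/heads/$BRANCH" &&
    echo "dep 1.0.1" > deps.txt && git add deps.txt &&
    git commit -q -m "update dep to 1.0.1" &&
    git push -q "$work/origin.git" "$BRANCH" ) >/dev/null 2>&1 || return 1

  # The workflow run starts: clone that head and record the SHA it was triggered for.
  git clone -q --branch "$BRANCH" "$work/origin.git" "$work/ci" 2>/dev/null || return 1
  seen=$(git -C "$work/ci" rev-parse HEAD)

  # While the run is in progress, Renovate pushes a newer commit.
  ( cd "$work/renovate" &&
    echo "dep 1.0.2" > deps.txt && git commit -q -am "update dep to 1.0.2" &&
    git push -q "$work/origin.git" "$BRANCH" ) >/dev/null 2>&1 || return 1
  newer=$(git -C "$work/renovate" rev-parse HEAD)

  # The run commits its repin on the old head and pushes back.
  ( cd "$work/ci" &&
    echo "pinned" > lock.txt && git add lock.txt &&
    git commit -q -m "Repin dependencies" &&
    if [ "$mode" = lease ]; then
      # Succeeds only if the remote branch still points at $seen.
      git push -q --force-with-lease="$BRANCH:$seen" origin "$BRANCH"
    else
      git push -q --force origin "$BRANCH"
    fi ) >/dev/null 2>&1 || true

  head=$(git -C "$work/origin.git" rev-parse "refs/heads/$BRANCH")
  rm -rf "$work"
  if [ "$head" = "$newer" ]; then echo preserved; else echo clobbered; fi
}
```

Call `simulate_race force` and `simulate_race lease` to compare the two outcomes; a rejected lease push means the run should stop and let the run triggered by the newer commit take over.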