Skip to content

build: Decrease renovate noise#529

Merged
aig-hannes merged 1 commit intomainfrom
feature/reduce-renovate-noise
Apr 17, 2026
Merged

build: Decrease renovate noise#529
aig-hannes merged 1 commit intomainfrom
feature/reduce-renovate-noise

Conversation

@aig-hannes
Copy link
Copy Markdown
Contributor

@aig-hannes aig-hannes commented Apr 8, 2026

Currently, renovate aggressively creates MRs in our repos, potentially pulling malicious dependencies from open source componentes before they may be spottet by the community (supply chain attacks). Furthermore, they are causing a lot of noise in our inboxes. This change introduces the following changes:

  • updates must be at least 2 weeks old
  • unless they fix a known vulnerability
  • pull requests are only opened once the change has passed the internal checks

@aig-hannes aig-hannes requested a review from olivermeyer April 8, 2026 13:54
@aig-hannes aig-hannes self-assigned this Apr 8, 2026
@olivermeyer
Copy link
Copy Markdown
Collaborator

olivermeyer commented Apr 8, 2026

Nice, I didn't know this was an option.

We discussed exactly this following the recent Trivy supply chain attack, and agreed to continue upgrading dependencies as quickly as possible, i.e. not use the minimumReleaseAge config. Our reasoning was that, while in the Trivy case the safe option was to not upgrade, it's just as likely that the safe option in the next incident will be to upgrade immediately. We did not however discuss the option of waiting 14 days for upgrades unless they fix a known vulnerability.

This seems to give the best of both worlds, but I'd be curious to get @helmut-hoffer-von-ankershoffen's thoughts on this as he was advocating for immediate upgrades.

@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 8, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.
see 30 files with indirect coverage changes

@aig-hannes aig-hannes force-pushed the feature/reduce-renovate-noise branch from 093f425 to 03d12be Compare April 17, 2026 06:59
@aig-hannes aig-hannes requested a review from a team as a code owner April 17, 2026 06:59
@aig-hannes
build: Decrease renovate noise
4df9a01 
Currently, renovate aggressively creates MRs in our repos, potentially
pulling malicious dependencies from open source componentes before they
may be spottet by the community (supply chain attacks). Furthermore,
they are causing a lot of noise in our inboxes. This change introduces
the following changes:

* updates must be at least 2 weeks old
* unless they fix a known vulnerability
* pull requests are only opened once the change has passed the internal
  checks
@aig-hannes aig-hannes force-pushed the feature/reduce-renovate-noise branch from 03d12be to 4df9a01 Compare April 17, 2026 07:00
@aig-hannes
Copy link
Copy Markdown
Contributor Author

aig-hannes commented Apr 17, 2026

I updated the config to match the one from the foundry repository.

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Apr 17, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@aig-hannes aig-hannes enabled auto-merge (squash) April 17, 2026 07:21
@aig-hannes aig-hannes merged commit d4e2f75 into main Apr 17, 2026
24 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@olivermeyer olivermeyer olivermeyer approved these changes

@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen Awaiting requested review from helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen is a code owner

Assignees

@aig-hannes aig-hannes

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aig-hannes @olivermeyer