54 changes: 51 additions & 3 deletions renovate.json
@@ -1,6 +1,54 @@
{
"gomod": {
"enabled": false
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"enabledManagers": ["dockerfile", "gomod"],
"commitMessagePrefix": "UPSTREAM: <carry>: ",
"packageRules": [
{
"description": "Disable all Dockerfile updates by default. Only specific files will get targeted.",
"matchManagers": ["dockerfile"],
"enabled": false
},
{
"description": "Enable Docker image updates for Red Hat UBI images on major version 9 only in OpenShift files",
"matchManagers": ["dockerfile"],
"matchFileNames": [
"Containerfile.aws-load-balancer-controller",
"Dockerfile.openshift",
"drift-cache/Dockerfile.openshift"
],
"matchDatasources": ["docker"],
"matchPackageNames": [
"registry.access.redhat.com/ubi9/ubi-minimal",
"registry.access.redhat.com/ubi9/ubi"
],
"enabled": true,
"versioning": "redhat",
"allowedVersions": "/^9(\\.|$)/"
},
{
"description": "Keep Go toolset on minor version 1.22 only in OpenShift files",
"matchManagers": ["dockerfile"],
"matchFileNames": [
"Containerfile.aws-load-balancer-controller",
"Dockerfile.openshift",
"drift-cache/Dockerfile.openshift"
],
"matchDatasources": ["docker"],
"matchPackageNames": [
"registry.access.redhat.com/ubi9/go-toolset"
],
"enabled": true,
"versioning": "redhat",
"allowedVersions": "/^1\\.22(\\.|$)/"
},
{
"description": "Disable regular Go module updates, only allow vulnerability alerts",
"matchManagers": ["gomod"],
"enabled": false
}
],
"vulnerabilityAlerts": {
"enabled": true
},
"commitMessagePrefix": "UPSTREAM: <carry>: "
"osvVulnerabilityAlerts": true


What's the difference between osvVulnerabilityAlerts and vulnerabilityAlerts? And why are they called alerts? Will this really trigger some alert?


@grzpiotrowski grzpiotrowski Aug 1, 2025


This I've taken from the Renovate docs: Security presets.

vulnerabilityAlerts uses the GitHub advisory database as the source of information. It's also the config field that can be used to tweak CVE PRs, like specifying the scheduling or prefixes, labels, etc.
osvVulnerabilityAlerts is just a simple on/off switch to include osv.dev as a source of known vulnerabilities, and I believe it covers more packages than GitHub's database (?).

As for the alerts in the naming, as far as I researched there won't be any alerts apart from the PRs with bumps.


vulnerabilityAlerts uses the GitHub advisory database as the source of information. It's also the config field that can be used to tweak CVE PRs, like specifying the scheduling or prefixes, labels, etc. osvVulnerabilityAlerts is just a simple on/off switch to include osv.dev as a source of known vulnerabilities, and I believe it covers more packages than GitHub's database (?).

Do you think it's worth a comment or it's documented in Renovate docs?


We can always follow up to add more comments, LGTM.


Thank you. For the record I added the relevant docs links to the PR's description. The information is mentioned there.

}
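Review bot: The gomod package rule whose description reads "Disable regular Go module updates, only allow vulnerability alerts" sets "enabled": false, and the file nowhere records that the "vulnerabilityAlerts" and "osvVulnerabilityAlerts" keys are what keep security PRs flowing despite that rule; the review thread had to ask exactly this. Suggest stating it in the file itself, for example by extending that rule's description to "Disable regular Go module updates; CVE PRs are still raised via vulnerabilityAlerts (GitHub advisory DB) and osvVulnerabilityAlerts (osv.dev)", and confirming with a Renovate dry run that a Go module with a known advisory still produces a PR under this configuration before relying on it as the only update path for gomod.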