chore(deps): set up Renovate for automated dependency updates (Forgejo-native) #667

New issue

Closed

opened 2026-06-01 15:05:35 +02:00 by claude · 1 comment

claude commented

2026-06-01 15:05:35 +02:00

Collaborator

Context

Dependency-freshness audit (2026-06-01) found no automated dependency tracking in pdurlej/platform: zero Renovate/Dependabot config, zero dependency-update PRs. Consequence: upstream images drift silently — e.g. PostgreSQL fell 2 security-patch releases behind (11 CVEs in the gap) without anyone noticing. Manual audits every ~2 weeks don't scale across 89 modules + ~30 upstream images.

This is the root-cause fix: automate the tracking so drift surfaces as PRs, not as a surprise during a manual sweep.

Tool choice: Renovate (NOT Dependabot)

Dependabot is GitHub-native and does not run natively on a self-hosted Forgejo instance. Renovate has first-class Gitea/Forgejo support and is the correct tool here (self-hosted bot or scheduled Forgejo Action / external cron against the Forgejo API).

Scope

Add renovate.json (repo root or .forgejo/).
Run Renovate as a self-hosted job — Forgejo Action on a schedule, or external cron — against pdurlej/platform.
Datasources to cover:
- Docker image tags in compose/{base,core,apps,edge}/compose.yaml + the ${VAR_IMAGE:-default} defaults.
- control-plane/pyproject.toml (PyPI: click, PyYAML, jsonschema, referencing, httpx, pytest).
- scripts/zenbox-wordpress-mcp/pyproject.toml + uv.lock.
- Forgejo Action versions (uses: in .forgejo/workflows/*.yml).
- Dockerfiles under scripts/*.
Grouping + schedule: weekly; group minor/patch; flag security updates separately (own PR, higher priority).
Flow through existing discipline: Renovate PRs go through review → canary → platformctl apply (gated). No auto-merge for runtime images. Respect ADR-0017 (no stacked PRs).

Known blind spot (precondition)

Renovate cannot bump :latest-tagged images — there's no version to increment. The 7 images currently on :latest must be pinned to explicit versions first (see the companion "pin :latest images" issue) before Renovate can track them.

Acceptance criteria

renovate.json merged + Renovate job running (Forgejo-native).
First run opens update PRs (e.g. Synapse, Forgejo, Infisical, traefik, redis...).
Docker + PyPI + Action datasources all covered.
Documented in AGENTS.md / runbook (how it runs, schedule, where the config lives).

Evidence

Audit 2026-06-01: 89 module manifests; image versions env-driven (${VAR_IMAGE} in compose, real pins in host env); last manual image-audit 2026-05-17; 0 renovate/dependabot config in tree; 0 dependency-update PRs open. Authored by claude (design/capture); execution = Codex lane.

## Context Dependency-freshness audit (2026-06-01) found **no automated dependency tracking** in `pdurlej/platform`: zero Renovate/Dependabot config, zero dependency-update PRs. Consequence: upstream images drift silently — e.g. PostgreSQL fell **2 security-patch releases behind** (11 CVEs in the gap) without anyone noticing. Manual audits every ~2 weeks don't scale across 89 modules + ~30 upstream images. This is the **root-cause fix**: automate the tracking so drift surfaces as PRs, not as a surprise during a manual sweep. ## Tool choice: Renovate (NOT Dependabot) Dependabot is **GitHub-native** and does not run natively on a self-hosted Forgejo instance. **Renovate** has first-class Gitea/Forgejo support and is the correct tool here (self-hosted bot or scheduled Forgejo Action / external cron against the Forgejo API). ## Scope - Add `renovate.json` (repo root or `.forgejo/`). - Run Renovate as a self-hosted job — Forgejo Action on a schedule, or external cron — against `pdurlej/platform`. - **Datasources to cover:** - Docker image tags in `compose/{base,core,apps,edge}/compose.yaml` + the `${VAR_IMAGE:-default}` defaults. - `control-plane/pyproject.toml` (PyPI: click, PyYAML, jsonschema, referencing, httpx, pytest). - `scripts/zenbox-wordpress-mcp/pyproject.toml` + `uv.lock`. - Forgejo Action versions (`uses:` in `.forgejo/workflows/*.yml`). - Dockerfiles under `scripts/*`. - **Grouping + schedule:** weekly; group minor/patch; flag security updates separately (own PR, higher priority). - **Flow through existing discipline:** Renovate PRs go through review → canary → `platformctl apply` (gated). **No auto-merge for runtime images.** Respect ADR-0017 (no stacked PRs). ## Known blind spot (precondition) Renovate **cannot bump `:latest`-tagged images** — there's no version to increment. The 7 images currently on `:latest` must be pinned to explicit versions first (see the companion "pin `:latest` images" issue) before Renovate can track them. ## Acceptance criteria - [ ] `renovate.json` merged + Renovate job running (Forgejo-native). - [ ] First run opens update PRs (e.g. Synapse, Forgejo, Infisical, traefik, redis...). - [ ] Docker + PyPI + Action datasources all covered. - [ ] Documented in `AGENTS.md` / runbook (how it runs, schedule, where the config lives). ## Evidence Audit 2026-06-01: 89 module manifests; image versions env-driven (`${VAR_IMAGE}` in compose, real pins in host env); last manual image-audit `2026-05-17`; 0 renovate/dependabot config in tree; 0 dependency-update PRs open. Authored by claude (design/capture); execution = Codex lane.

claude added this to the 10 - Improvements milestone

2026-06-01 15:05:35 +02:00

claude added the

agent/codex

priority:p1

labels

2026-06-01 15:05:35 +02:00

claude commented

2026-06-01 17:19:13 +02:00

Author

Collaborator

Refinement (claude, from a GPT-5.5 Pro red-team of our security roadmap) — Renovate must SEE the env-driven pins, or this half-works.

Sharp catch worth baking into the AC: our image versions live as ${POSTGRES_IMAGE}-style refs in compose/* with the real pin in a host .env — which Renovate's standard docker-compose manager does not see. Without explicitly modeling it, Renovate runs but silently misses exactly the drift that started this (the postgres:16.12 case).

Add to scope:

Make the pins visible + reviewable — introduce an in-repo images.lock.env (or equivalent) holding the real IMAGE=name:tag@sha256:… values; compose references those.
Renovate customManagers (custom regex manager) targeting that file — this is exactly what Renovate's regex/custom manager exists for (non-standard version locations).
Digest pinning (name:tag@sha256:…) — Renovate recommends it because Docker tags are mutable.
CI hard-fail on floating tags (:latest / :stable / unpinned) — pairs with #669.

The key fix isn't "install Renovate" — it's Renovate must see the real pins. Our env-driven model hides the important state unless we intentionally expose it.

Gate policy (keep the scanner from becoming an operator-tax): new floating tag → hard-fail; secret in diff → hard-fail; new high/critical fixable CVE in a changed runtime image → hard-fail; inherited/no-fix CVEs + medium/low + SBOM → report-only.

**Refinement (claude, from a GPT-5.5 Pro red-team of our security roadmap) — Renovate must SEE the env-driven pins, or this half-works.** Sharp catch worth baking into the AC: our image versions live as `${POSTGRES_IMAGE}`-style refs in `compose/*` with the **real pin in a host `.env`** — which Renovate's standard docker-compose manager **does not see**. Without explicitly modeling it, Renovate runs but silently misses exactly the drift that started this (the `postgres:16.12` case). **Add to scope:** - **Make the pins visible + reviewable** — introduce an in-repo `images.lock.env` (or equivalent) holding the real `IMAGE=name:tag@sha256:…` values; compose references those. - **Renovate `customManagers` (custom regex manager)** targeting that file — this is exactly what Renovate's regex/custom manager exists for (non-standard version locations). - **Digest pinning** (`name:tag@sha256:…`) — Renovate recommends it because Docker tags are mutable. - **CI hard-fail on floating tags** (`:latest` / `:stable` / unpinned) — pairs with #669. > The key fix isn't "install Renovate" — it's **Renovate must see the real pins.** Our env-driven model hides the important state unless we intentionally expose it. **Gate policy (keep the scanner from becoming an operator-tax):** new floating tag → hard-fail; secret in diff → hard-fail; new high/critical *fixable* CVE in a changed runtime image → hard-fail; inherited/no-fix CVEs + medium/low + SBOM → report-only.

claude referenced this issue

2026-06-01 17:19:15 +02:00

docs(strategy): platform security & maturity roadmap v1 (audit-grounded) #674

claude added the

status:codex-ready

label

2026-06-02 07:45:26 +02:00