From 7e36dd095ad5a4bf4db0e8eb07e13af035f3c00f Mon Sep 17 00:00:00 2001 From: James Cameron Date: Tue, 14 Jul 2026 12:31:08 +1000 Subject: [PATCH 1/3] ci: add Renovate --- .github/workflows/renovate.yml | 27 +++++++++++++++++++++++ renovate-config.js | 39 ++++++++++++++++++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 .github/workflows/renovate.yml create mode 100644 renovate-config.js diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml new file mode 100644 index 0000000..626868b --- /dev/null +++ b/.github/workflows/renovate.yml @@ -0,0 +1,27 @@ +name: Renovate update dependencies +on: + schedule: + # UTC 10:00 PM Sunday - Thursday (AEST 8:00 AM, Monday - Friday) + - cron: "0 22 * * 0-4" + workflow_dispatch: + inputs: + dry-run: + description: "Dry run" + required: false + default: false + type: boolean + +jobs: + renovate: + name: Renovate + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v6 + - name: Renovate + uses: renovatebot/github-action@6d859fc95779be83a0335ca704879b47e5d79641 # v46.1.16 + with: + configurationFile: renovate-config.js + token: ${{ secrets.RENOVATE_GITHUB_TOKEN }} + env: + RENOVATE_DRY_RUN: ${{ inputs.dry-run && 'full' || null }} diff --git a/renovate-config.js b/renovate-config.js new file mode 100644 index 0000000..46deadc --- /dev/null +++ b/renovate-config.js @@ -0,0 +1,39 @@ +module.exports = { + platform: 'github', + timezone: 'Australia/Brisbane', + requireConfig: 'optional', + onboarding: false, + + repositories: ['OctopusDeploy/openfeature-provider-java'], + reviewers: ['team:team-devex'], + branchPrefix: 'renovate/', + + // Limit concurrent PRs for better manageability + prConcurrentLimit: 5, + + // Add labels to PRs + labels: ['dependencies'], + + // Enable vulnerability alerts + osvVulnerabilityAlerts: true, + + // Produce conventional-commit PR titles so validate-pr-title passes + semanticCommits: 'enabled', + + // Extend with recommended config + extends: ['config:recommended'], + + // Only manage Maven deps and GitHub Actions (leaves the `specification` submodule alone) + enabledManagers: ['maven', 'github-actions'], + + packageRules: [ + { + // GitHub Actions: pin third-party actions to a commit SHA for security. + matchManagers: ['github-actions'], + matchPackageNames: [ + '!actions/**', // Trust official GitHub actions (checkout, setup-java, etc.); don't pin. + ], + pinDigests: true, + }, + ], +}; From 68f40bdb26191b8173c3999338d4d074f66927fd Mon Sep 17 00:00:00 2001 From: James Cameron Date: Tue, 14 Jul 2026 14:34:33 +1000 Subject: [PATCH 2/3] ci: Restrict GITHUB_TOKEN permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/renovate.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 626868b..b3f67dc 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -11,6 +11,9 @@ on: default: false type: boolean +permissions: + contents: read + jobs: renovate: name: Renovate From f6955cacfadbbe6a007b7c86a6fab8765d1dd725 Mon Sep 17 00:00:00 2001 From: James Cameron Date: Tue, 14 Jul 2026 14:37:21 +1000 Subject: [PATCH 3/3] ci: Require a 2-day minimum release age --- renovate-config.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/renovate-config.js b/renovate-config.js index 46deadc..0091014 100644 --- a/renovate-config.js +++ b/renovate-config.js @@ -14,6 +14,10 @@ module.exports = { // Add labels to PRs labels: ['dependencies'], + // Wait until a release has been published for at least 2 days before updating, + // to avoid picking up versions that get yanked or hotfixed shortly after release. + minimumReleaseAge: '2 days', + // Enable vulnerability alerts osvVulnerabilityAlerts: true,