Renovate with grouped PRs, release-age quarantine, and lockfile-only updates #44

Closed
opened 2026-06-14 19:24:16 +00:00 by james · 0 comments

Automate dependency updates with guardrails that protect against the most common supply-chain pattern: a compromised release of a package we already trust. The scanners in #14 catch known CVEs after they're disclosed; this ticket catches the update mechanism itself becoming the attack vector.

Scope

  • Wire Renovate up against this repo via its Forgejo support. Self-hosted runner is fine; the lowest-friction path is a scheduled Forgejo Actions job that invokes the Renovate CLI.
  • Grouped PRs so a typical week is a handful of PRs, not dozens. Suggested groupings: npm prod deps, npm dev deps, Forgejo Actions SHAs (see sibling ticket on SHA pinning), Dockerfile base-image digests (see #16).
  • Minimum release age of 3–7 days before Renovate will open a PR for any update. This is the high-leverage knob — most "package hijacked, malicious release published, yanked within 24h" incidents are over before the quarantine window expires.
  • Lockfile-only mode by default. Renovate refreshes package-lock.json to pick up transitive bumps but does not modify package.json version ranges. Major-version bumps that require a range change get their own opt-in PR with human approval.
  • Auto-merge OK for lockfile-only patches that pass CI. Major bumps and any package.json range change require human approval.
  • Same pattern applies to Forgejo Action SHAs and Dockerfile base-image digests once those are pinned — Renovate keeps them fresh, humans review.
  • Document the policy in docs/ci.md (or CLAUDE.md if a separate CI doc doesn't exist yet) so it's discoverable.

Acceptance criteria

  • renovate.json checked in; Renovate runs on a schedule and opens grouped PRs.
  • A test bump (intentionally hold back a dev dep) produces a PR only after the configured quarantine window, not immediately.
  • Renovate is configured so a PR that changes a package.json range fails the gate or is blocked — only lockfile-only changes are auto-merge-eligible.
  • Policy documented (quarantine window, lockfile-only default, what requires human review).

Part of epic #2.
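A starting `renovate.json5` that encodes the guardrails listed under Scope (Renovate also accepts the `.json5` form, which allows comments). This is an added illustration, not a file from this repo; the 7-day window, the Monday schedule and the assumption that Renovate's `github-actions` manager picks up workflow files under `.forgejo/workflows` are choices made here, not stated in the ticket.

```json5
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  // One batch of grouped PRs per week instead of a trickle through the day.
  "schedule": ["before 6am on monday"],
  "timezone": "UTC",
  // Quarantine: a release must be at least 7 days old before a PR is opened for it.
  "minimumReleaseAge": "7 days",
  // In-range updates refresh package-lock.json only; only out-of-range (major)
  // bumps rewrite the package.json range.
  "rangeStrategy": "update-lockfile",
  // Transitive refresh of the lockfile with no package.json change; safe to auto-merge after CI.
  "lockFileMaintenance": { "enabled": true, "schedule": ["before 6am on monday"], "automerge": true },
  "dependencyDashboard": true,
  "packageRules": [
    { "matchManagers": ["npm"], "matchDepTypes": ["dependencies"], "groupName": "npm prod deps" },
    { "matchManagers": ["npm"], "matchDepTypes": ["devDependencies"], "groupName": "npm dev deps" },
    // Assumption: .forgejo/workflows files are parsed by the github-actions manager.
    { "matchManagers": ["github-actions"], "groupName": "Forgejo Actions SHAs", "pinDigests": true },
    { "matchManagers": ["dockerfile"], "groupName": "Dockerfile base-image digests", "pinDigests": true },
    // Lockfile-only and digest-only updates may auto-merge once branch checks pass.
    { "matchUpdateTypes": ["minor", "patch", "digest", "lockFileMaintenance"],
      "automerge": true, "automergeType": "pr" },
    // Majors change the range: never auto-merge, and require dashboard approval before a PR is even opened.
    { "matchUpdateTypes": ["major"], "automerge": false, "dependencyDashboardApproval": true }
  ]
}
```

Note that the auto-merge rule is keyed on update type, not on which files changed: a minor update that falls outside a narrow range (for example `~1.2.0` to `1.3.0`) still edits `package.json`, so the third acceptance criterion needs a CI check that an auto-merge candidate touches only `package-lock.json`.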

james closed this issue 2026-06-15 12:38:53 +00:00