Enable Renovate automerge #109 (Open)

carole-lavillonniere wants to merge 1 commit into localstack from cosy-807-renovate-automerge-rie-deps

Enable Renovate automerge#109
carole-lavillonniere wants to merge 1 commit into
localstackfrom
cosy-807-renovate-automerge-rie-deps

Conversation

@carole-lavillonniere commented Jun 30, 2026


Towards COSY-807
Related to #108

  • Automerge Renovate PRs for non-major bumps

  • The goal is to have vulnerabilities auto-resolve weekly without human intervention.

  • ⚠️ Can a repo admin add branch protection and make the CI checks required before merging?

Automerge non-major gomod bumps (minor/patch), Go-toolchain bumps, and
non-major GitHub Actions updates so Go-dep/stdlib CVE fixes land without
manual review. Security updates get their own ungrouped, automerged path
via vulnerabilityAlerts so a CVE fix is never blocked behind the grouped
batch. Majors stay manual (automerge explicitly set to false).

Automerge still waits for green CI before merging.

@carole-lavillonniere changed the title Enable Renovate automerge for non-major RIE dependency bumps Jun 30, 2026

@joe4dev (Member) left a comment


Thanks for pushing this forward Carole 🙌

The automerge settings for non-major changes look reasonable 👍

I updated the following settings. Can you double-check before merging?
The default branch is localstack:
(screenshot)

I enabled build and the RIE smoke test as mandatory checks. We also require PRs to be merged with a squash commit (following the LS standard):
(screenshot)

❓ Two questions:

  • a) How do we ensure that we catch any potentially breaking regression through the LocalStack tests before (accidentally) shipping lambda-images? We are currently missing managed versioning for K8 and sufficient quality gates in the lambda-images repo. See this diagram (internal Notion link) for a release overview (discussed in Lambda handover to squad-aws).
  • b) How do we integrate upstream changes now that merging into localstack is blocked? Can we adjust the instructions accordingly? A quick (and dirty) option would be to add bypass rules exceptions; any better ideas?
@joe4dev (Member) commented Jul 1, 2026

Security: Shall we consider enabling some standard security scan (e.g., upstream uses CodeQL https://github.com/aws/aws-lambda-runtime-interface-emulator/actions/workflows/github-code-scanning/codeql) as a quality gate to avoid shipping a dependency update with a known issue?
I don't know whether we need to consider other practices such as cooldown (to mitigate supply chain attacks).

@dfangl (Member) commented Jul 1, 2026

I approved, but I agree - we should have a cooldown defined, and the lifecycle of the lambda images is also a thing to take into account!
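The policy described in the PR body (automerge minor/patch gomod and GitHub Actions bumps, an ungrouped automerged path for security updates, majors kept manual) plus the cooldown that joe4dev and dfangl ask for can all be expressed in a single Renovate config. The fragment below is an added illustration, not the diff from this PR (the PR's actual config is not shown on this page). The group name, the cooldown length, and the `golang`/`toolchain` depType names used to match Go toolchain bumps are assumptions; the other keys (`packageRules`, `matchManagers`, `matchUpdateTypes`, `matchDepTypes`, `automerge`, `vulnerabilityAlerts`, `minimumReleaseAge`, `internalChecksFilter`) are standard Renovate options. The `description` fields stand in for comments, since renovate.json is plain JSON.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "description": [
    "Added example config, not the PR's own file.",
    "Cooldown: wait 3 days (assumed value) after a release before opening a PR,",
    "so a freshly published, possibly malicious version is not merged on day one.",
    "internalChecksFilter=strict makes Renovate skip versions still inside the cooldown."
  ],
  "minimumReleaseAge": "3 days",
  "internalChecksFilter": "strict",
  "packageRules": [
    {
      "description": "Batch and automerge non-major Go module bumps (group name is assumed)",
      "matchManagers": ["gomod"],
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "go-deps-non-major",
      "automerge": true
    },
    {
      "description": "Automerge Go toolchain bumps (depType names are an assumption; check the gomod manager docs)",
      "matchManagers": ["gomod"],
      "matchDepTypes": ["golang", "toolchain"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    },
    {
      "description": "Automerge non-major GitHub Actions updates",
      "matchManagers": ["github-actions"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    },
    {
      "description": "Majors stay manual: explicit automerge=false overrides the rules above",
      "matchUpdateTypes": ["major"],
      "automerge": false
    }
  ],
  "vulnerabilityAlerts": {
    "description": "Security updates: own ungrouped branch, automerged, so a CVE fix is never stuck behind the batch",
    "automerge": true
  }
}
```

Two points worth knowing when reviewing a config like this: Renovate's `vulnerabilityAlerts` defaults already set `groupName` and `minimumReleaseAge` to null, so security PRs are created individually and are not delayed by the cooldown that applies to ordinary bumps; and `automerge` only merges after the PR's status checks pass, so the branch protection joe4dev enabled (build and the RIE smoke test as required checks) is what actually enforces "green CI before merge".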
