Enable Renovate automerge #109

Open

carole-lavillonniere wants to merge 1 commit into localstack from cosy-807-renovate-automerge-rie-deps

Conversation

@carole-lavillonniere carole-lavillonniere commented Jun 30, 2026

Towards COSY-807
Related to #108

  • Automerge Renovate PRs for non-major bumps
  • The goal is to have vulnerabilities auto-resolve weekly without human intervention.
  • ⚠️ Can a repo admin add branch protection and make the CI checks required before merging?

Automerge non-major gomod bumps (minor/patch), Go-toolchain bumps, and non-major GitHub Actions updates so Go-dep/stdlib CVE fixes land without manual review. Security updates get their own ungrouped, automerged path via vulnerabilityAlerts so a CVE fix is never blocked behind the grouped batch. Majors stay manual (automerge explicitly set to false).

Automerge still waits for green CI before merging.
carole-lavillonniere changed the title from "Enable Renovate automerge for non-major RIE dependency bumps" to "Enable Renovate automerge" on Jun 30, 2026

joe4dev (Member) left a comment

Thanks for pushing this forward Carole 🙌

The automerge settings for non-major changes look reasonable 👍

I updated the following settings. Can you double-check before merging?
The default branch is localstack:
[Image]

I enabled build and the RIE smoke test as mandatory checks. We also require PRs to be merged with a squash commit (following the LS standard):
[Image]

❓ Two questions:

  • a) How do we ensure that we catch any potentially breaking regression through the LocalStack tests before (accidentally) shipping lambda-images? We are currently missing managed versioning for K8 and sufficient quality gates in the lambda-images repo. See this diagram (internal Notion link) for a release overview (discussed in Lambda handover to squad-aws).
  • b) How do we integrate upstream changes now that merging into localstack is blocked? Can we adjust the instructions accordingly? A quick (and dirty) option would be to add bypass rules exceptions; any better ideas?

joe4dev (Member) commented Jul 1, 2026

Security: Shall we consider enabling some standard security scan (e.g., upstream uses CodeQL https://github.com/aws/aws-lambda-runtime-interface-emulator/actions/workflows/github-code-scanning/codeql) as a quality gate to avoid shipping a dependency update with a known issue?
I don't know whether we need to consider other practices such as cooldown (to mitigate supply chain attacks).
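As an added illustration (not the configuration from this PR or from the localstack repository), a `renovate.json5` expressing the rules the description lists, with the release cooldown the review comment raises; the `golang-version` datasource match for the toolchain bump and the `3 days` value are assumptions:

```json5
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  // Merge via the platform's auto-merge so branch protection and required
  // status checks still gate the merge (automerge waits for green CI).
  "automergeType": "pr",
  "platformAutomerge": true,
  // Cooldown raised in review: do not pick up a release until it has been
  // public for a while (assumed value). Mitigates freshly published bad releases.
  "minimumReleaseAge": "3 days",
  "packageRules": [
    {
      // Non-major Go module bumps (minor/patch): automerge.
      "matchManagers": ["gomod"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    },
    {
      // Go toolchain bumps (the `go` directive in go.mod): automerge.
      // Matching on the golang-version datasource is an assumption.
      "matchManagers": ["gomod"],
      "matchDatasources": ["golang-version"],
      "automerge": true
    },
    {
      // Non-major GitHub Actions updates: automerge.
      "matchManagers": ["github-actions"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    },
    {
      // Last rule wins: majors always stay manual, whatever matched above.
      "matchUpdateTypes": ["major"],
      "automerge": false
    }
  ],
  // Security updates get their own ungrouped PR and are automerged, so a
  // CVE fix is never held behind the grouped batch or the cooldown.
  "vulnerabilityAlerts": {
    "groupName": null,
    "minimumReleaseAge": null,
    "automerge": true
  }
}
```

Later entries in `packageRules` override earlier ones, which is why the `major` rule is listed last.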
