Enable Renovate automerge#109
Automerge non-major gomod bumps (minor/patch), Go-toolchain bumps, and non-major GitHub Actions updates so Go-dep/stdlib CVE fixes land without manual review. Security updates get their own ungrouped, automerged path via vulnerabilityAlerts so a CVE fix is never blocked behind the grouped batch. Majors stay manual (automerge explicitly set to false). Automerge still waits for green CI before merging.
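A `renovate.json` that expresses the policy described above, added here as an illustration rather than the configuration from this PR; the group name, the separate Go-toolchain rule (matched by dependency name `go`) and the use of `config:recommended` are assumptions, and rules later in `packageRules` override earlier ones, which is why the major-only rule comes last:

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "description": "Illustrative config, not the repository's own renovate.json",
  "extends": ["config:recommended"],
  "automergeType": "pr",
  "platformAutomerge": true,
  "ignoreTests": false,
  "packageRules": [
    {
      "description": "Non-major Go module bumps: grouped, automerged once CI is green",
      "matchManagers": ["gomod"],
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "go dependencies (non-major)",
      "automerge": true
    },
    {
      "description": "Go toolchain bumps (go directive in go.mod); depName assumed to be 'go'",
      "matchManagers": ["gomod"],
      "matchDepNames": ["go"],
      "automerge": true
    },
    {
      "description": "Non-major GitHub Actions updates",
      "matchManagers": ["github-actions"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    },
    {
      "description": "Majors stay manual: explicit automerge=false wins over the rules above",
      "matchUpdateTypes": ["major"],
      "automerge": false
    }
  ],
  "vulnerabilityAlerts": {
    "groupName": null,
    "automerge": true
  },
  "osvVulnerabilityAlerts": true
}
```

With `platformAutomerge` the merge is delegated to GitHub's auto-merge, so the required checks configured in branch protection (here `build` and the RIE smoke test) still gate it; if actions are pinned to commit SHAs, add `"digest"` to the GitHub Actions rule's `matchUpdateTypes` or those bumps will stay manual.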
joe4dev
left a comment
Thanks for pushing this forward Carole 🙌
The automerge settings for non-major changes look reasonable 👍
I updated the following settings. Can you double-check before merging?
The default branch is localstack:

I enabled build and the RIE smoke test as mandatory checks. We also require PRs to be merged with a squash commit (following the LS standard):

❓ Two questions:
- a) How do we ensure that we catch any potentially breaking regression through the LocalStack tests before (accidentally) shipping lambda-images? We are currently missing managed versioning for K8 and sufficient quality gates in the lambda-images repo. See this diagram (internal Notion link) for a release overview (discussed in Lambda handover to squad-aws).
- b) How do we integrate upstream changes now that merging into localstack is blocked? Can we adjust the instructions accordingly? A quick (and dirty) option would be to add bypass-rule exceptions; any better ideas?
Security: Shall we consider enabling some standard security scan (e.g., upstream uses CodeQL https://github.com/aws/aws-lambda-runtime-interface-emulator/actions/workflows/github-code-scanning/codeql) as a quality gate to avoid shipping a dependency update with a known issue?
Towards COSY-807
Related to #108
Automerge Renovate PRs for non-major bumps
The goal is to have vulnerabilities auto-resolve weekly without human intervention.