feat(konflux): set rpm-lockfile security updates to automerge#242
feat(konflux): set rpm-lockfile security updates to automerge#242
Conversation
.github/renovate.json5
Outdated
| "automergeSchedule": [ | ||
| "at any time", | ||
| ], | ||
| "rpmVulnerabilityAutomerge": "ALL", |
There was a problem hiding this comment.
How did you deduce top-level packageRules to be the correct place for this rpmVulnerabilityAutomerge setting?
This setting is custom and certainly won't pass Renovate validation. If placed in an unlucky spot, I fear, may break configuration.
There was a problem hiding this comment.
How did you deduce
packageRulesto be the correct place for thisrpmVulnerabilityAutomergesetting?
Guessing 🤷🏻♂️
This setting is custom and certainly won't pass Renovate validation. If placed in an unlucky spot, I fear, may break configuration.
I'm gonna request a review from the konflux team, they should be able to point us to the correct spot.
renovate-config-validator only complains about this field and the rpm-lockfiles manager:
INFO: Validating .github/renovate.json5
ERROR: Found errors in configuration
"file": ".github/renovate.json5",
"errors": [
{
"topic": "Configuration Error",
"message": "Invalid configuration option: packageRules[0].rpmVulnerabilityAutomerge"
},
{
"topic": "Configuration Error",
"message": "The following managers configured in enabledManagers are not supported: \"rpm-lockfile\""
}
]
There was a problem hiding this comment.
After reviewing this slack thread and some of its links, it seems like the rpmVulnerabilityAutomerge needs to be set at the top level of the configuration. It looks a bit weird to me still, but the https://github.com/openshift-kni/dpdk-base repo has it configured this way and it seems to work 🤷🏻♂️ .
There was a problem hiding this comment.
It's still kind of guessing. I would suggest you request Konflux folks update the documentation you referred to to indicate the right place. It's like when you try to integrate a new library in your project and library's documentation shows exactly the code snippet you need but without any include-s/import-s so you're left to have the best kind of fun.
There was a problem hiding this comment.
Another interesting thing for them to answer is how does it stack against all usual automerge* settings of Renovate.
For the `main` branch, all updates should be merged, we might want to change this for release branches. For reference, see: https://konflux-ci.dev/docs/mintmaker/rpm-lockfile/#how-to-enable-automerge-for-rpm-security-updates
Molter73
force-pushed
the
mauro/konflux/auto-merge-rpm-security
branch
from
2b3e149 to
b106ea2
Compare
|
@msugakov, are you OK with the current change given it is the same as the one used on a working repo? Or do we still want someone from the konflux team to take a look? |
2 participants
Description
For the
mainbranch, all updates should be merged, we might want to change this for release branches.For reference, see: https://konflux-ci.dev/docs/mintmaker/rpm-lockfile/#how-to-enable-automerge-for-rpm-security-updates
Checklist
Automated testing
If any of these don't apply, please comment below.
Testing Performed
I believe there is no way to validate
rpm-lockfileconfigurations other than checking than merging and hoping.