slsa-framework / slsa-github-generator

Language-agnostic SLSA provenance generation for GitHub Actions
Apache License 2.0

chore: Fix Renovate config #3635

Closed ianlewis closed 4 weeks ago

ianlewis commented 4 weeks ago

Summary

Fixes renovate config to use the config:best-practices preset rather than the config:base preset since config:base seems to have gone away at some point.

Also fixes the schedule config by using the schedule:monthly preset. The previous schedule config seems to have been invalid because "4 am" had a space between "4" and "am" (this was fixed in the slsa-verifier repo on https://github.com/slsa-framework/slsa-verifier/pull/727 but was never fixed here).

Also adds a pre-submit to run the renovate-config-validator to ensure that renovate config is valid. This pre-submit will need to be made required in the repository branch protection rule for main in the repository settings after this PR is merged.

Fixes #3634 #404

Testing Process

Checklist

ianlewis commented 4 weeks ago

Added the renovate-config-validator as a required pre-submit check on the branch protection rule.

HonkingGoose commented 4 weeks ago

Hi @ianlewis :wave:

I see you have a lot of questions about Renovate. I help maintain the Renovate docs, so I'm taking a shot at helping you. I hope you find this information helpful. :wink:

config:base was renamed to config:recommended in v36

Fixes renovate config to use the config:best-practices preset rather than the config:base preset since config:base seems to have gone away at some point.

config:base was renamed to config:recommended in Renovate's major 36.0.0 release. So that's why you have difficulty finding the old name.

Read Release Notes for major Renovate versions

Read the Renovate docs, Release notes, breaking changes for 36 section to learn more. Renovate's major releases now have maintainer commentary, that's always handy to read.

About config:best-practices and best practices for updating

You're using config:best-practices now. :partying_face: I recommend you read the Renovate docs, Upgrade best practices page. That also explains a bit more about the config:best-practices preset.

About schedule config not allowing 4 am with a space

Also fixes the schedule config by using the schedule:monthly preset. The previous schedule config seems to have been invalid because "4 am" had a space between "4" and "am" (this was fixed in the slsa-verifier repo on slsa-framework/slsa-verifier#727 but was never fixed here).

The Renovate docs show the correct format in the schedule config option docs. But I can see how you may read past this, or assume that 4 am will work! I'll add an admonition to the Renovate docs, so it warns you about this limitation. :wink:

More info about Renovate config validation

Also adds a pre-submit to run the renovate-config-validator to ensure that renovate config is valid. This pre-submit will need to be made required in the repository branch protection rule for main in

Read the Renovate docs, config validation to learn about the ways you can validate Renovate's config.

ianlewis commented 3 weeks ago

@HonkingGoose thanks for the pointers. I did find those docs aside from the release notes.

I was a bit surprised that renovate reopened an old issue when the config was invalid instead of opening a new one. This meant that it was buried in the issues list and I missed it.

I was also surprised that the dashboard didn't include anything about the config errors so I was led down the wrong path for a while.

It would be kind of cool if renovate could automatically send PRs to fix some common issues (like the 4 am thing) with its config or send PRs to migrate old deprecated config. Maybe that's wishful thinking though :)

HonkingGoose commented 3 weeks ago

@HonkingGoose thanks for the pointers. I did find those docs aside from the release notes.

You're welcome! Thanks for actually reading (most) of the docs! :heart: There's a lot to read so I don't expect you to read all. :smile:

Subscribe to the Renovate discussion

I was a bit surprised that Renovate reopened an old issue when the config was invalid instead of opening a new one. This meant that it was buried in the issues list and I missed it.

I was also surprised that the Dependency Dashboard didn't include anything about the config errors so I was led down the wrong path for a while.

I don't know enough to answer these questions. Please subscribe to this discussion:

Edit: Here's a PR that allows Renovate to create a new config warning issue:

Renovate can open config migration PRs (experimental feature)

It would be kind of cool if Renovate could automatically send PRs to fix some common issues (like the 4 am thing) with its config or send PRs to migrate old deprecated config. Maybe that's wishful thinking though :)

You're in luck, Renovate can already migrate old stuff in your config. This is an experimental feature, so it may only work partially. Review config migration PRs, before merging them.

Read the Renovate docs, configMigration config option to learn how it works, and the limitations/problems we know about.

I guess the configMigration option can not fix bad syntax, or logical errors.

Issues related to configMigration on the Renovate repository

You get configMigration PRs because you use the config:best-practices preset

The config:best-practices preset has this config:

{
  "configMigration": true,
  "extends": [
    "config:recommended",
    "docker:pinDigests",
    "helpers:pinGitHubActionDigests",
    ":pinDevDependencies"
  ]
}

See how config:best-practices sets configMigration to true. So you will get Config Migration PRs when needed. :wink:

Conclusion

I hope this helps you again. :smile:
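
The two config faults discussed in this thread (the renamed config:base preset and the "4 am" schedule spelling) can be caught by a small pre-submit check. This is an added example, not code from the PR or from Renovate; the function names and both sample configs are constructed for illustration, and it complements renovate-config-validator rather than replacing it.

```python
import json
import re

# Rename taken from the thread: config:base became config:recommended in Renovate 36.
RENAMED_PRESETS = {"config:base": "config:recommended"}
# An hour, whitespace, then am/pm: the spelling the PR describes as invalid ("4 am").
SPACED_MERIDIEM = re.compile(r"\b(\d{1,2})\s+(am|pm)\b", re.IGNORECASE)

# Constructed sample configs (assumptions, not the repository's real files).
BEFORE = '{"extends": ["config:base"], "schedule": ["before 4 am on the first day of the month"]}'
AFTER = '{"extends": ["config:best-practices", "schedule:monthly"]}'


def lint_renovate_config(text):
    """Return a list of findings for a Renovate JSON config passed as a string."""
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(config, dict):
        return ["top-level value must be an object"]
    findings = []
    _walk(config, "$", findings)
    return findings


def _walk(node, path, findings):
    """Recurse so nested objects such as packageRules entries are checked too."""
    if isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", findings)
        return
    if not isinstance(node, dict):
        return
    for key, value in node.items():
        here = f"{path}.{key}"
        values = value if isinstance(value, list) else [value]
        for entry in values:
            if not isinstance(entry, str):
                continue
            if key == "extends" and entry in RENAMED_PRESETS:
                findings.append(f"{here}: {entry} was renamed to {RENAMED_PRESETS[entry]}")
            elif key == "schedule" and SPACED_MERIDIEM.search(entry):
                fixed = SPACED_MERIDIEM.sub(r"\1\2", entry)
                findings.append(f"{here}: {entry!r} should be written {fixed!r}")
        _walk(value, here, findings)


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_renovate_config(sample) or "no findings")
```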