ci(renovate): fix pip managers bypassing security-only mode #333

Merged
matthewelwell merged 1 commit into main from ci/renovate-fix-pip-bypass
Jun 29, 2026

Conversation

@matthewelwell

Contributor

Summary

PR #316 switched extends to security:only-security-updates, but we kept getting non-security renovate PRs for Python deps (e.g. #325, bumping datamodel-code-generator from 0.33.0 → 0.66.0).

The cause was the second packageRule:

{
  "matchManagers": ["git-submodules", "pip_requirements", "pip-compile", "pep621", "poetry"],
  "enabled": true
}

packageRules are evaluated in order and later rules override earlier ones, so this rule re-enabled every normal update type for the pip managers and effectively short-circuited the security-only preset.

Changes

  • Narrow the re-enable rule to git-submodules only — that's the one manager we genuinely want to keep updating outside the security flow (engine-test-data submodule).
  • Drop the now-redundant "disable all update types" rule — security:only-security-updates already disables normal-flow updates via :disableRenovate.
  • Rename renovate.json → renovate.json5 so the config can carry inline comments explaining what each block does, including a warning at the re-enable rule so we don't accidentally re-introduce the pip-manager bypass.

Security PRs are unaffected — they flow through the vulnerabilityAlerts block, which is evaluated separately from packageRules.

Test plan

  • Renovate picks up renovate.json5 (it's listed as a supported filename — https://docs.renovatebot.com/configuration-options/)
  • After merge: confirm no further non-security PRs are raised for pip_requirements / pep621 / poetry packages
  • After merge: confirm security PRs and git-submodules PRs still flow

🤖 Generated with Claude Code

The packageRule that re-enabled git-submodules also listed the pip
managers, which overrode security:only-security-updates and let normal
(non-security) PRs through for Python deps (e.g. #325).

Narrow the re-enable to git-submodules only, drop the now-redundant
disable rule (the security preset already handles it), and switch to
json5 so the file can carry explanatory comments.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@matthewelwell matthewelwell requested a review from a team as a code owner June 29, 2026 21:40
@matthewelwell matthewelwell requested review from khvn26 and removed request for a team June 29, 2026 21:40
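The ordering behaviour the PR description relies on, as an added example that is not part of the PR or the project's code: a toy model of how Renovate merges packageRules in order (a later matching rule overrides an earlier one, and the preset baseline is overridden by any matching rule), with the broad pre-fix re-enable rule beside the narrowed post-fix rule. The first "disable all update types" rule is a hypothetical reconstruction (the PR only names it), the sample dependencies are constructed, and vulnerabilityAlerts is modelled as a separate path that packageRules never touch, as the description states. Only matchManagers and matchUpdateTypes are modelled; real Renovate has many more match keys and a richer merge.

```python
"""Toy model of Renovate packageRules ordering (added example, not project code).

Rules are walked in order; every rule whose match* keys all match a dependency
has its remaining keys merged on top of the config accumulated so far, so the
last matching rule wins.  This is a simplification of Renovate's real merge.
"""
from copy import deepcopy

# Baseline after extending security:only-security-updates. The PR text says the
# preset disables normal-flow updates via :disableRenovate; modelled here as
# enabled=False before any packageRule is applied.
PRESET_BASE = {"enabled": False}

# Hypothetical reconstruction of the pre-fix rule pair: a "disable all update
# types" rule followed by the broad re-enable rule quoted in the PR description.
BYPASS_RULES = [
    {"matchUpdateTypes": ["major", "minor", "patch", "pin", "digest"], "enabled": False},
    {"matchManagers": ["git-submodules", "pip_requirements", "pip-compile", "pep621", "poetry"],
     "enabled": True},
]

# Post-fix rule set: only git-submodules is re-enabled; the disable rule is gone
# because the preset baseline already disables everything.
FIXED_RULES = [
    {"matchManagers": ["git-submodules"], "enabled": True},
]

# Constructed sample dependencies (not real lockfile data).
DEPS = [
    {"name": "datamodel-code-generator", "manager": "pep621", "updateType": "minor", "security": False},
    {"name": "requests", "manager": "pip_requirements", "updateType": "patch", "security": False},
    {"name": "engine-test-data", "manager": "git-submodules", "updateType": "digest", "security": False},
    {"name": "urllib3", "manager": "pip_requirements", "updateType": "patch", "security": True},
]

# match* key -> dependency field it is compared against
MATCH_KEYS = {"matchManagers": "manager", "matchUpdateTypes": "updateType"}


def rule_matches(rule, dep):
    """A rule matches when every match* key it declares includes the dep's value."""
    for key, field in MATCH_KEYS.items():
        if key in rule and dep[field] not in rule[key]:
            return False
    return True


def resolve(dep, rules, base=PRESET_BASE):
    """Merge matching rules in order on top of the preset baseline; last wins."""
    cfg = deepcopy(base)
    for rule in rules:
        if rule_matches(rule, dep):
            cfg.update({k: v for k, v in rule.items() if k not in MATCH_KEYS})
    return cfg


def would_open_pr(dep, rules):
    """Security updates take the vulnerabilityAlerts path and ignore packageRules;
    everything else depends on the resolved enabled flag."""
    if dep["security"]:
        return True
    return resolve(dep, rules)["enabled"]


def normal_flow_prs(deps, rules):
    """Names of non-security deps that would still get a normal-flow Renovate PR."""
    return sorted(d["name"] for d in deps if not d["security"] and would_open_pr(d, rules))


def reenabled_managers(rules):
    """Audit helper: managers some rule switches back on.  Anything listed here
    other than git-submodules re-introduces the bypass this PR fixed."""
    found = set()
    for rule in rules:
        if rule.get("enabled") is True:
            found.update(rule.get("matchManagers", []))
    return sorted(found)


if __name__ == "__main__":
    print("bypass rules:", normal_flow_prs(DEPS, BYPASS_RULES))
    print("fixed rules: ", normal_flow_prs(DEPS, FIXED_RULES))
    print("re-enabled managers after fix:", reenabled_managers(FIXED_RULES))
```

Under the pre-fix rules every Python dependency resolves to enabled=True because the broad matchManagers rule runs last; under the fixed rules only the git-submodules dependency does, and the security update is unaffected either way. The reenabled_managers check is the kind of assertion worth running over the real renovate.json5 in CI so the comment warning at the re-enable rule is backed by something mechanical.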
@github-actions


File       Coverage  Missing
All files  100%

Minimum allowed coverage is 100%

Generated by 🐒 cobertura-action against 3a5f27d

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request replaces the Renovate configuration file with a JSON5 version (renovate.json5) and updates the package rules. Specifically, it restricts normal-flow updates to only git-submodules and removes various Python package managers (such as pip and poetry) from normal updates to ensure only security-related updates are processed for Python dependencies. There are no review comments, so I have no feedback to provide.

@codspeed-hq

codspeed-hq Bot commented Jun 29, 2026


Merging this PR will not alter performance

✅ 1 untouched benchmark

Comparing ci/renovate-fix-pip-bypass (3a5f27d) with main (8f5bdd3)

Open in CodSpeed

@matthewelwell matthewelwell merged commit b8e4a8e into main Jun 29, 2026
9 checks passed
@matthewelwell matthewelwell deleted the ci/renovate-fix-pip-bypass branch June 29, 2026 21:50

3 participants