Add Renovate workflow for Docker base image updates (UI scope) #4919
ChengYanJin wants to merge 2 commits into
Keep Docker base images up to date automatically to prevent CVEs from outdated base layers. Scoped to UI-related Dockerfiles only: shell-ui/, ui/, images/metalk8s-ui/. Runs on weekdays at 8am UTC.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Hello chengyanjin,

My role is to assist you with the merge of this

Available options

Available commands

Status report is not available.

Waiting for approval

The following approvals are needed before I can proceed with the merge:

Peer approvals must include at least 1 approval from the following list:

/approve

Waiting for approval

The following approvals are needed before I can proceed with the merge:

Peer approvals must include at least 1 approval from the following list:

The following options are set: approve
Renovate dry-run output

Two PRs would be opened (only

| File | From | To | Type |
|---|---|---|---|
| shell-ui/Dockerfile | nginx:1.28.0-alpine | nginx:1.30.0-alpine | minor |
| images/metalk8s-ui/Dockerfile | nginx:1.15.8 | nginx:1.30.0 | minor |

improvement/renovate-node-22.x — Update Node.js to v22

| File | From | To | Type |
|---|---|---|---|
| ui/Dockerfile | node:20-alpine3.19 | node:22-alpine3.19 | major |
| shell-ui/Dockerfile | node:20-alpine3.19 | node:22-alpine3.19 | major |

Notes

- images/metalk8s-ui/Dockerfile is on nginx 1.15.8 (2019-era). Labeled "minor" because the major doesn't change, but it spans ~15 stable releases — worth careful smoke-testing of asset serving, TLS, and HTTP/2 behavior.
- Node v20 → v22 is a real major bump. Typical breakage points: native module rebuilds, crypto legacy provider deprecations, fetch/streams semantics changes. Run the test suite against the new image before merging.
- Stats: 3 Dockerfiles, 4 deps total, folded into 2 grouped PRs.

Optional: bundle into a single PR

Add this to renovate.json packageRules:

```json
{
  "matchManagers": ["dockerfile"],
  "groupName": "ui-base-images"
}
```
@ChengYanJin Do you want Renovate to request 2 separate PRs for Node and Nginx?
Integration data created

I have created the integration data for the additional destination branches.

The following branches will NOT be impacted:

You can set option

The following options are set: approve
@g-carre good point, I will set up Renovate to group all the Dockerfile updates into a single PR.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| env: | ||
| GH_TOKEN: ${{ steps.app-token.outputs.token }} | ||
| run: | | ||
| gh pr list --repo ${{ github.repository }} --state open --json number,headRefName --jq '.[] | select(.headRefName | startswith("improvement/renovate-")) | .number' | while read -r pr; do |
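Review bot: the `gh pr list` call on the `run:` line sets no `--limit`, so it fetches at most the default 30 open PRs before the jq prefix filter runs, and a Renovate PR outside that window is silently skipped; pass an explicit `--limit` or narrow the query with `--search`. On the same line, `${{ github.repository }}` is expanded into the script text; prefer `--repo "$GITHUB_REPOSITORY"` so the script reads its inputs from the environment, as it already does for `GH_TOKEN`.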
The auto-approve step filters PRs only by branch name prefix (improvement/renovate-), not by PR author. Anyone with push access could create a branch matching this pattern and receive an automatic /approve. Add an author check to the jq filter — include author in the --json fields and filter on .author.login.
— Claude Code
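The author check suggested in the review comment above, as an added example (not code from this PR): the workflow's prefix-only jq filter beside one that also matches `.author.login`, both run over constructed `gh pr list` JSON. The login `app/example-renovate`, the branch `improvement/renovate-hand-made` and the PR numbers are placeholders; the real value to compare against is whatever login the Renovate app in this repository opens PRs under.

```shell
#!/bin/sh
# Added example. SAMPLE_PRS is constructed input shaped like the output of
#   gh pr list --state open --json number,headRefName,author
# The login "app/example-renovate" and the PR numbers are placeholders.
SAMPLE_PRS='[
  {"number": 101, "headRefName": "improvement/renovate-node-22.x",
   "author": {"login": "app/example-renovate"}},
  {"number": 102, "headRefName": "improvement/renovate-hand-made",
   "author": {"login": "some-contributor"}},
  {"number": 103, "headRefName": "bugfix/unrelated",
   "author": {"login": "app/example-renovate"}}
]'

# Filter as in the workflow under review: branch-name prefix only.
select_by_prefix() {
  jq -r '.[]
    | select(.headRefName | startswith("improvement/renovate-"))
    | .number'
}

# Filter with the author check: prefix AND the expected login ($1).
# The login is passed with --arg so it is never spliced into the jq program.
select_by_prefix_and_author() {
  jq -r --arg bot "$1" '.[]
    | select(.headRefName | startswith("improvement/renovate-"))
    | select(.author.login == $bot)
    | .number'
}

# Print which PRs each filter would hand to the approval loop.
compare_filters() {
  echo "prefix only:     $(printf '%s' "$SAMPLE_PRS" | select_by_prefix | tr '\n' ' ')"
  echo "prefix + author: $(printf '%s' "$SAMPLE_PRS" \
    | select_by_prefix_and_author 'app/example-renovate' | tr '\n' ' ')"
}

compare_filters
```

PR 102 has a matching branch name but a different author, so only the second filter leaves it out of the approval loop.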
Summary

shell-ui/, ui/, images/metalk8s-ui/)

/approve comment

Test plan
🤖 Generated with Claude Code