chore: Update Container dependencies #1698

Merged

Dependency Review: No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned files: none.
Force-pushed: a66b257 to 9103cff

Force-pushed: cfb3a43 to 2e0da8e
Aureliolo added a commit that referenced this pull request (May 3, 2026):
## Summary

Adds a cross-PR file-overlap analysis step to the `/review-dep-pr` skill so that batch reviews surface merge conflicts upfront and the user can pick a sequencing strategy before triage.

### What changed

- **New Phase 5 — Cross-PR File Overlap Analysis** (skipped for single-PR runs):
  - Pulls each PR's changed-file list via `gh pr view --json files`.
  - Builds a per-file conflict map and classifies overlaps as **none / lockfile-only / config / source**.
  - Treats `package-lock.json`, `pnpm-lock.yaml`, `uv.lock`, `go.sum`, `atlas.sum`, etc. as lockfile-only (rebase needed, not a hard blocker).
  - Groups PRs into merge **waves** (Wave 1 = parallel-safe, Wave 2+ = sequential after rebase).
- **Phase 6 (Present Findings)** now leads with a "Batch Overlap Summary" header and adds a `Files touched / conflicts with` row to each per-PR card.
- **Phase 7 (User Decision)** opens with a strategy question whenever ≥ 2 PRs share files:
  - Wave-based parallel
  - Strict sequential
  - Combine into one PR
  - Defer the conflicting subset
- **Phase 8 (Execute Decisions)** honours the chosen strategy when sequencing merges (parallel waves, rebase between waves, etc.).
- New rule: multi-PR runs always compute the conflict map; lockfile-only overlaps are acceptable but expect rebase between merges.

### Why

Without this, the skill would propose merging in parallel any PRs whose CI is green, then run into surprise conflicts on the second/third merge — most often on workflow YAMLs and lockfiles. The new phase makes the conflict surface explicit before the user picks a strategy, and the strategy choice is then carried through to execution.

### Test plan

Dogfooded against the 8 open Renovate PRs in this repo (#1698-#1705). Surfaced three conflict clusters (`docker.yml` between #1698/#1701/#1703, `cli.yml` between #1702/#1703, `web/package.json` between #1700/#1704) plus the expected lockfile-only overlaps. The Wave-based strategy successfully merged 5 PRs sequentially with `--squash --admin` and the lockfile PR (#1705) was rebased via Renovate.

### Review coverage

`/pre-pr-review quick` — docs-only change to a `.claude/` skill file, no code/agents required. Pre-commit hooks passed (trailing whitespace, EOF, secrets, em-dashes).
Force-pushed: 2e0da8e to e3a493a
Aureliolo added a commit that referenced this pull request (May 3, 2026):
…anager
Default*ImageTag in cli/internal/config/state.go is now the only place
the postgres + nats DHI tags are spelled out. verify/dhi.go vars,
start.go's third-party image list, and the dhi_test.go fixtures all
derive from it. Update_test.go fixtures stay literal because they
represent historical compose.yml snapshots used to test upgrade
transitions, not current state.
Adds a Renovate customManager that watches the new // renovate:
annotations on Default*ImageTag so a future tag bump propagates to
both the constant and the dhiPinnedIndexDigests map line in one PR
(grouped under depName=dhi.io/{nats,postgres}). The previous PR
#1698 missed 9 call sites because the existing manager only updated
the digest map line.
Force-pushed: e3a493a to 0c2a27b
Aureliolo added a commit that referenced this pull request (May 3, 2026):
…anager (#1723)

## Summary

Hoists the DHI image-tag literals (`dhi.io/postgres:18-debian13`, `dhi.io/nats:2.12-debian13`) into a single source of truth so a future Renovate bump propagates to every call site instead of a single line.

- `cli/internal/config/state.go` keeps the canonical `DefaultPostgresImageTag` / `DefaultNATSImageTag` constants and now carries `// renovate: datasource=docker depName=dhi.io/{postgres,nats}` annotations
- `cli/internal/verify/dhi.go` package vars derive from those constants instead of duplicating the literal
- `cli/cmd/start.go` `thirdPartyImages()` builds image refs from the constants
- `cli/internal/verify/dhi_test.go`, `cli/cmd/init_postgres_test.go`, `cli/internal/compose/generate_test.go` assertions reference the constants (so a Renovate bump that only updates one location fails the test instead of silently dropping verification)
- `cli/cmd/update_test.go` left alone — those fixtures are intentional historical compose.yml snapshots used to test upgrade transitions, not current state
- `renovate.json` adds a `customManager` for the new annotations on `Default*ImageTag` so Renovate watches the constants, grouped under the same `depName=dhi.io/{nats,postgres}` as the existing `dhiPinnedIndexDigests` map manager — both bump together
- Doc references in `cli/CLAUDE.md`, `docs/reference/cli-persistence-backends.md`, `README.md` now point at the SoT constant location instead of duplicating the literal version, so prose stays valid across future bumps

## Why

Unblocks #1698 (Container deps update). That PR's Renovate run only updated the `dhiPinnedIndexDigests` map line in `cli/internal/verify/dhi.go`, leaving 9 other call sites still hardcoding `2.12-debian13`. `TestDHIPinnedIndexDigest` and the cross-platform `CLI Test` jobs failed as a result. With this refactor, every literal lives in one place; the Renovate update on #1698 (or its replacement) will sweep all consumers in one diff.

## Validation plan

After this merges:

1. Comment `@renovatebot rebase` on PR #1698
2. Confirm the resulting diff bumps **all** `dhi.io/nats:2.12-debian13` references (not just one map line)
3. CI on #1698 should now go green (CLI tests included)

If any location is still missed, the Renovate regex needs another iteration — but the test gate (`TestDHIPinnedIndexDigest` deriving its key from the SoT constant) makes any drift a loud test failure rather than silent verification loss at runtime.

## Test plan

- `go -C cli vet ./...` ✓
- `go -C cli build ./...` ✓
- `go -C cli test ./...` — full suite passes, including `TestDHIPinnedIndexDigest` and `TestParseDHIRef` after the constant-reference refactor
- Pre-push gate: golangci-lint + go vet + go test all green

## Review coverage

Pre-reviewed by 4 agents:

- **docs-consistency** — 4 findings, all addressed (docs now reference the SoT instead of the literal)
- **comment-quality-rot** — clean (the doc-block in `dhi.go` and the test rationale comment in `dhi_test.go` explain WHY, not origin/review context; commit-body `#1698` reference is justificatory git-log venue)
- **go-reviewer** — clean / APPROVE (no `verify`→`config`→`verify` cycle, init-order safe, drift detection enforced at test time)
- **go-conventions-enforcer** — clean (file sizes within budget, vars are correctly vars not consts because `Configure()` mutates them at runtime)
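The commit above relies on two mechanisms: a Renovate regex custom manager that reads `// renovate: datasource=... depName=...` annotations off the `Default*ImageTag` constants, and a test gate that turns any call site still hardcoding the tag into a failure. The following Go program is an added illustration of both, not code from this repository or from Renovate: it applies the kind of regex such a manager would use to a constructed miniature of the file layout the commit names, then scans the other files for literal copies of the tracked tag. The file contents, the assumption that the constants hold only the tag (not the full image ref), and the `Exempt` set standing in for the intentionally literal `update_test.go` fixtures are all invented for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Dependency is one Renovate-tracked value recovered from a `// renovate:`
// annotation that sits directly above a Go constant declaration.
type Dependency struct {
	Datasource   string
	DepName      string
	Constant     string
	CurrentValue string
}

// annotationRE pairs the annotation comment with the constant on the next
// line. The `datasource=... depName=...` shape and the Default*ImageTag names
// come from the PR text; the constant holding only the tag is an assumption.
var annotationRE = regexp.MustCompile(
	`(?m)^[ \t]*// renovate: datasource=(\S+) depName=(\S+)[ \t]*\n[ \t]*(?:const|var)?[ \t]*(Default\w+ImageTag)[ \t]*=[ \t]*"([^"]+)"`)

// ExtractAnnotations returns every annotated constant in src, in file order,
// which is what a regex custom manager would hand to Renovate.
func ExtractAnnotations(src string) []Dependency {
	var deps []Dependency
	for _, m := range annotationRE.FindAllStringSubmatch(src, -1) {
		deps = append(deps, Dependency{
			Datasource: m[1], DepName: m[2], Constant: m[3], CurrentValue: m[4],
		})
	}
	return deps
}

// FindDrift lists every "path:line" outside the source-of-truth file that
// still spells a tracked tag out literally instead of going through the
// constant. Files in exempt (intentional historical fixtures) are skipped.
func FindDrift(files map[string]string, sotPath string, exempt map[string]bool, deps []Dependency) []string {
	var drift []string
	for path, src := range files {
		if path == sotPath || exempt[path] {
			continue
		}
		for i, line := range strings.Split(src, "\n") {
			for _, d := range deps {
				if strings.Contains(line, d.CurrentValue) {
					drift = append(drift, fmt.Sprintf("%s:%d", path, i+1))
					break
				}
			}
		}
	}
	sort.Strings(drift) // map iteration order is random; make output stable
	return drift
}

// SampleFiles is a constructed miniature of the layout the PR describes. The
// paths are the page's; the file contents are invented for this demonstration.
var SampleFiles = map[string]string{
	"cli/internal/config/state.go": `package config

// renovate: datasource=docker depName=dhi.io/postgres
const DefaultPostgresImageTag = "18-debian13"

// renovate: datasource=docker depName=dhi.io/nats
const DefaultNATSImageTag = "2.12-debian13"
`,
	"cli/internal/verify/dhi.go": `package verify

var natsImage = "dhi.io/nats:" + config.DefaultNATSImageTag // derives from the SoT
`,
	"cli/cmd/start.go": `package cmd

var thirdParty = []string{"dhi.io/nats:2.12-debian13"} // drifted literal
`,
	"cli/cmd/update_test.go": `package cmd

const oldCompose = "image: dhi.io/postgres:18-debian13" // historical snapshot
`,
}

// Exempt mirrors the PR's decision to leave update_test.go fixtures literal.
var Exempt = map[string]bool{"cli/cmd/update_test.go": true}

func main() {
	deps := ExtractAnnotations(SampleFiles["cli/internal/config/state.go"])
	for _, d := range deps {
		fmt.Printf("%s: %s %s=%s\n", d.Constant, d.Datasource, d.DepName, d.CurrentValue)
	}
	for _, hit := range FindDrift(SampleFiles, "cli/internal/config/state.go", Exempt, deps) {
		fmt.Println("drift:", hit)
	}
}
```

Run as-is, the program lists the two tracked constants and reports `cli/cmd/start.go:3` as the one call site that would be missed by a bump touching only the annotated constants; `dhi.go` is clean because it concatenates the constant, and `update_test.go` is skipped as an exempt fixture. The same scan, run as a test in CI, is the cheap form of the "loud test failure rather than silent verification loss" gate the commit message describes.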
Force-pushed: 0c2a27b to 5fee76a
Aureliolo (Owner) approved these changes (May 3, 2026) and left a comment:
Decision: Patch + digest refresh (apko v1.2.7→v1.2.9, uv 0.11.7→0.11.8, arigaio/atlas latest-community-distroless digest); CI green; no breaking changes touching our usage.

Changelog digest:

- Covered apko v1.2.7→v1.2.9 (two releases), uv 0.11.7→0.11.8 (single release), atlas digest-only refresh on `latest-community-distroless` (Atlas v1.2.0 unchanged; new digest is a base-image rebuild picking up Go stdlib CVE patches that `.github/.trivyignore.yaml` already documents as the expected Renovate refresh path).
- Relevant: uv now supports `uv lock` on a `pyproject.toml` containing only `dependency-groups` (#19087), future-proofs our `[dependency-groups]` (docs/dev/test) configuration; uv redacts pre-signed upload URLs in verbose output (#19146); uv tightens `.tar.zst` extraction against external symlinks (#19144); apko 1.2.9 verifies package-data hash against `.PKGINFO` (#2206), strengthening supply-chain integrity for our apko-composed bases (backend / sandbox / sidecar / fine-tune / web).
- Reviewed but not relevant: new uv flags `UV_NO_PROJECT`, `UV_PYTHON_NO_REGISTRY`, `UV_PYTHON_SEARCH_PATH`, `--python-downloads-json-url`, `pip uninstall -y` (no current use case); apko 1.2.8 was a release-pipeline-only fix; apko upstream chore work (chainguard.dev/sdk 0.1.52→0.1.54, goreleaser-action 7.0→7.1, golangci-lint v2.11 in their CI) does not surface in our usage.

Follow-ups: housekeeping only — `.github/actions/build-apko-base/action.yml:19` still carries `default: "v1.2.3"` without a Renovate marker; input is `required: true` so callers always override, but the stale default is misleading. Out of scope for this PR.
Aureliolo added a commit that referenced this pull request (May 3, 2026):
…it everywhere (#1724)

## Summary

Closes a follow-up flagged in the approval message of #1698. The `build-apko-base` composite action carried a hidden `default: "v1.2.3"` for its `apko-version` input with no `# renovate: ...` marker. All 5 callers (4 in `docker.yml`, 1 in `dast.yml`) inherited that silently because none passed the input explicitly. While `docker.yml`'s web base build and `apko-lock.yml` were on `v1.2.9` (latest), the 4 backend / sandbox / sidecar / fine-tune apko bases plus the DAST scan were running on `v1.2.3` — six patches behind. The hash-against-`.PKGINFO` verification (apko #2206 in v1.2.9) and the release-process / SDK chore work in v1.2.4-v1.2.9 never reached those images.

## What changed

**Commit 1: `chore(ci): unify apko-version under workflow env so Renovate manages it everywhere`**

- Lift the version into a workflow-scoped `env: APKO_VERSION` in **all three** workflows that touch apko (`docker.yml`, `dast.yml`, `apko-lock.yml`), each with the canonical `# renovate: datasource=github-releases depName=chainguard-dev/apko` marker. Renovate's existing `chainguard-dev/apko` packageRule routes the bump through "Container dependencies" and keeps all three sites in lockstep.
- Pass `apko-version: ${{ env.APKO_VERSION }}` from each of the 5 `build-apko-base` callers, mirroring the existing `trivy-version: ${{ env.TRIVY_VERSION }}` pattern in the same files.
- Drop the `default: "v1.2.3"` line from `.github/actions/build-apko-base/action.yml` so a future caller that forgets to pass `apko-version` fails workflow validation immediately instead of silently building on a stale binary.
- Collapse the inline `# renovate: ... \n version: v1.2.9` annotations on `docker.yml`'s web base build (line 736) and `apko-lock.yml`'s setup-apko step into the same env reference; one source of truth per workflow.

**Commit 2: `chore(ci): annotate dast.yml TRIVY_VERSION for Renovate`**

- Drive-by: `dast.yml` carried `TRIVY_VERSION: 0.70.0` without the canonical `# renovate: datasource=github-releases depName=aquasecurity/trivy` marker, so the DAST scan silently fell behind every Container-deps grouped Trivy bump landing in `docker.yml` (which has the marker). Add the marker and quote the value to match.

## Net effect

| Before | After |
|---|---|
| `v1.2.9` on web base + apko-lock | `v1.2.9` everywhere |
| `v1.2.3` on backend / sandbox / sidecar / fine-tune base + DAST (silent) | covered |
| 2 Renovate-tracked apko sites (docker.yml inline, apko-lock.yml inline) + 1 stale hidden default | 3 Renovate-tracked apko sites (docker.yml env, dast.yml env, apko-lock.yml env), no hidden defaults |
| `dast.yml` TRIVY_VERSION un-tracked by Renovate | tracked alongside `docker.yml`'s TRIVY_VERSION |

## Test plan

YAML-only change. Pre-commit hooks pass (trailing-whitespace, EOF, em-dash, secret scan, commitizen, ESLint web). The composite-action input is now strictly `required: true` with no default; the 5 caller sites all pass it explicitly, so workflow validation will catch any regression where a future caller forgets to pass it. Confirmed by `grep` that no other workflow uses `build-apko-base`.

## Review coverage

`/pre-pr-review quick` — CI-only YAML change, no code agents required. Pre-commit gate passed.
Aureliolo pushed a commit that referenced this pull request (May 3, 2026):
## Highlights

> _AI-generated summary (model: `openai/gpt-4.1-mini` via GitHub Models). Commit-based changelog below._

### What you'll notice

- Frontend and UX polishing improves user interface responsiveness and visual consistency.
- API hygiene and validation enhancements provide smoother and more reliable interactions.

### What's new

- Introduced typed-boundary helpers enabling better type safety and parse_typed workflows.
- Added codebase-audit skill prompt tuning for improved project auditing.

### Under the hood

- Eliminated flaky tests caused by module-level state for more stable test outcomes.
- Unified image tag management under CLI and Renovate for consistent dependency updates.
- Added cross-PR file-overlap analysis to the review dependency pull request skill.
- Updated multiple dependencies including Python, Web, CLI, and container libraries.
- Improved CI tooling and lock file maintenance for better build reliability.

:robot: I have created a release *beep* *boop*

---

## [0.7.8](v0.7.7...v0.7.8) (2026-05-03)

### Features

* **api:** typed-boundary helper + codebase-audit skill prompt tuning ([#1712](#1712)) ([40ee65b](40ee65b))
* **boundary:** RFC [#1711](#1711) Phases 2 + 3 — typed boundaries via parse_typed ([#1720](#1720)) ([7b9f409](7b9f409))

### Bug Fixes

* **api:** audit cleanup B -- API hygiene & validation ([#1719](#1719)) ([3d790d9](3d790d9))
* audit cleanup C - persistence, concurrency & data integrity ([#1708](#1708)) ([#1717](#1717)) ([bcce097](bcce097))
* **test:** exterminate xdist-flaky tests with module-level state ([#1713](#1713)) ([#1721](#1721)) ([8d258dd](8d258dd))
* **web:** audit cleanup E -- frontend & UX polish ([#1710](#1710)) ([#1718](#1718)) ([3a3591a](3a3591a))

### Refactoring

* **cli:** single source of truth for DHI image tags + Renovate manager ([#1723](#1723)) ([57980a2](57980a2))

### Documentation

* audit cleanup D -- public-facing & docs sync ([#1709](#1709)) ([#1715](#1715)) ([ade03b7](ade03b7))

### Tests

* **engine:** make TestDrainTimeout deterministic + preserve subclass type in @Ontology_entity ([#1729](#1729)) ([b00fb05](b00fb05))

### CI/CD

* Update CI tool dependencies ([#1703](#1703)) ([355a9ff](355a9ff))

### Maintenance

* add cross-PR file-overlap analysis to review-dep-pr skill ([#1722](#1722)) ([3861d8a](3861d8a))
* **ci:** unify apko-version under workflow env so Renovate manages it everywhere ([#1724](#1724)) ([9c0a7fd](9c0a7fd))
* consolidate DHI image-pin custom regex managers ([#1726](#1726)) ([b8b0cba](b8b0cba))
* **deps:** update dependency chainguard-dev/melange to v0.50.4 ([#1701](#1701)) ([8cbf83a](8cbf83a))
* Lock file maintenance ([#1705](#1705)) ([414cfea](414cfea))
* Lock file maintenance ([#1727](#1727)) ([5cb1212](5cb1212))
* Update CLI dependencies ([#1702](#1702)) ([9fb57b9](9fb57b9))
* Update Container dependencies ([#1698](#1698)) ([6d24fd6](6d24fd6))
* Update dependency @eslint-react/eslint-plugin to v5 ([#1704](#1704)) ([1cb1294](1cb1294))
* Update Python dependencies ([#1699](#1699)) ([8e7af3a](8e7af3a))
* Update Python dependencies to v4.15.0 ([#1725](#1725)) ([69164c8](69164c8))
* Update Web dependencies ([#1700](#1700)) ([715300d](715300d))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: synthorg-repo-bot[bot] <279117679+synthorg-repo-bot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This PR contains the following updates:

| Package | Update |
|---|---|
| arigaio/atlas (`latest-community-distroless`) | digest `96831da` → `eb72b2c` |
| chainguard-dev/apko | `v1.2.7` → `v1.2.9` |
| ghcr.io/astral-sh/uv | `0.11.7` → `0.11.8` |

Warning: Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

### Release Notes

#### chainguard-dev/apko (chainguard-dev/apko)

v1.2.9 (Compare Source)

Changelog

- 8d34c75 apk: verify package data hash against .PKGINFO for completeness (#2206)
- 312a150 build(deps): bump chainguard.dev/sdk from 0.1.52 to 0.1.54 (#2199)
- 5f7949b build(deps): bump github.com/invopop/jsonschema from 0.13.0 to 0.14.0 (#2197)
- e7c2fdf build(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.1.0 (#2198)
- 0d06d1c chore(zizmor): trigger zizmor on updates to dependabot config [PSEC-871] (#2186)
- a7f10d8 ci: bump golangci-lint to v2.11 and clear new findings (#2205)
- 8ccb1ed testdata: refresh apko-discover lock for rotated chainguard key (#2203)

v1.2.8 (Compare Source)

Changelog

- beb2867 release: fetch full history for goreleaser changelog (#2192)

#### astral-sh/uv (ghcr.io/astral-sh/uv)

v0.11.8 (Compare Source)

Released on 2026-04-27.

Enhancements

- `--python-downloads-json-url` to `python pin` (#19092)
- `pip uninstall -y` (#19082)
- `UV_PYTHON_NO_REGISTRY` (#19035)
- `exclude-newer` to be missing from the lockfile when `exclude-newer-span` is present (#19024)
- `uv self version --short` (#19019)
- `SSL_CERT_DIR` directory (#19018)
- `exclude-newer` and `exclude-newer-package` values in lockfiles (#19022, #19101)

Configuration

- `UV_NO_PROJECT` (#19052)
- `UV_PYTHON_SEARCH_PATH` for Python discovery `PATH` overrides (#19034)

Bug fixes

- `rust-toolchain.toml` to uv-build sdist (#19131)
- `uv lock` on a `pyproject.toml` that only contains dependency-groups (#19087)
- `.python-version` (#19102)

Documentation

### Configuration

📅 Schedule: `* 0-6 * * 6` (in timezone Etc/UTC)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

This PR was generated by Mend Renovate. View the repository job log.