From 738c82498e9d2494caef048d6c047add5ab7940f Mon Sep 17 00:00:00 2001
From: carole-lavillonniere
Date: Tue, 30 Jun 2026 16:22:56 +0200
Subject: [PATCH 1/4] Enable Renovate automerge for non-major RIE dependency bumps
Automerge non-major gomod bumps (minor/patch), Go-toolchain bumps, and non-major GitHub Actions updates so Go-dep/stdlib CVE fixes land without manual review. Security updates get their own ungrouped, automerged path via vulnerabilityAlerts so a CVE fix is never blocked behind the grouped batch. Majors stay manual (automerge explicitly set to false). Automerge still waits for green CI before merging.
---
 renovate.json | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/renovate.json b/renovate.json
index 3bf539a..10e8a27 100644
--- a/renovate.json
+++ b/renovate.json
@@ -4,24 +4,43 @@
 "config:recommended"
 ],
 "postUpdateOptions": ["gomodTidy"],
+ "platformAutomerge": true,
 "packageRules": [
 {
 "matchManagers": ["gomod"],
 "matchDepTypes": ["golang"],
 "rangeStrategy": "bump",
- "groupName": "Go toolchain"
+ "groupName": "Go toolchain",
+ "automerge": true
 },
 {
 "matchManagers": ["gomod"],
 "excludePackageNames": ["go"],
 "matchUpdateTypes": ["minor", "patch"],
- "groupName": "Go dependencies (non-major)"
+ "groupName": "Go dependencies (non-major)",
+ "automerge": true
 },
 {
 "matchManagers": ["gomod"],
 "excludePackageNames": ["go"],
 "matchUpdateTypes": ["major"],
- "enabled": false
+ "enabled": false,
+ "automerge": false
+ },
+ {
+ "matchManagers": ["github-actions"],
+ "matchUpdateTypes": ["minor", "patch", "digest"],
+ "automerge": true
+ },
+ {
+ "matchManagers": ["github-actions"],
+ "matchUpdateTypes": ["major"],
+ "automerge": false
 }
- ]
+ ],
+ "vulnerabilityAlerts": {
+ "groupName": null,
+ "automerge": true,
+ "labels": ["security"]
+ }
 }
From 4df9e43642090e69adfddacd46b5a7dbae502b6c Mon Sep 17 00:00:00 2001
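Review bot: `"platformAutomerge": true` hands the merge to GitHub's auto-merge, which merges once the target branch's *required* status checks pass — with no required checks configured on the protected branch the PR merges immediately, so the commit message's "waits for green CI" is enforced by branch protection, not by anything in this hunk, and the Renovate docs carry the same caveat for this option. Worth confirming that the CI workflows (including the Trivy gate added later in this series) are registered as required checks before this lands. The github-actions rule automerges minor/patch updates of third-party actions that then run with the repository's token and secrets, a wider trust grant than the gomod rules; since the same rule already lists the `digest` update type, pinning action references to commit SHAs would make what automerges an immutable reference. `"automerge": false` on the gomod major rule is a no-op beneath `"enabled": false`, harmless but worth a word in a top-level `"description": "automerge relies on required status checks on the protected branch; gomod majors are disabled outright"` entry, which Renovate accepts as config documentation.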
From: carole-lavillonniere
Date: Thu, 2 Jul 2026 15:29:24 +0200
Subject: [PATCH 2/4] Add Renovate cooldown for non-security dependency updates
---
 renovate.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/renovate.json b/renovate.json
index 10e8a27..328d160 100644
--- a/renovate.json
+++ b/renovate.json
@@ -5,6 +5,8 @@
 ],
 "postUpdateOptions": ["gomodTidy"],
 "platformAutomerge": true,
+ "minimumReleaseAge": "3 days",
+ "internalChecksFilter": "strict",
 "packageRules": [
 {
 "matchManagers": ["gomod"],
@@ -41,6 +43,7 @@
 "vulnerabilityAlerts": {
 "groupName": null,
 "automerge": true,
- "labels": ["security"]
+ "labels": ["security"],
+ "minimumReleaseAge": "0"
 }
 }
From 6a6a2e772146ca57c2db2d3511943b7605e248cd Mon Sep 17 00:00:00 2001
From: carole-lavillonniere
Date: Thu, 2 Jul 2026 15:39:08 +0200
Subject: [PATCH 3/4] Pin Renovate automerge strategy to squash
---
 renovate.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/renovate.json b/renovate.json
index 328d160..9fe2a89 100644
--- a/renovate.json
+++ b/renovate.json
@@ -5,6 +5,7 @@
 ],
 "postUpdateOptions": ["gomodTidy"],
 "platformAutomerge": true,
+ "automergeStrategy": "squash",
 "minimumReleaseAge": "3 days",
 "internalChecksFilter": "strict",
 "packageRules": [
From e5207010f72844e039f491103bcb6b5ecc8b113e Mon Sep 17 00:00:00 2001
From: carole-lavillonniere
Date: Thu, 2 Jul 2026 15:46:14 +0200
Subject: [PATCH 4/4] Add Trivy dependency scan as a PR quality gate
---
 .github/workflows/trivy.yml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 .github/workflows/trivy.yml
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000..d18069e
--- /dev/null
+++ b/.github/workflows/trivy.yml
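Review bot: The top-level `"minimumReleaseAge": "3 days"` also applies to the `Go toolchain` packageRule (outside this hunk), so a Go patch release that carries a stdlib CVE fix now waits three days, while the ungrouped `vulnerabilityAlerts` fast path only exempts dependencies that show up in GitHub's vulnerability alerts — whether those fire for the `go` directive itself is not something this file establishes, so the toolchain may not get the exemption the first commit message describes. If the delay is acceptable it deserves a note; if not, the toolchain rule can carry `"minimumReleaseAge": null` to opt out while keeping the cooldown for library bumps. `"internalChecksFilter": "strict"` is the right companion: as I read the Renovate docs it is already the default, and the `flexible` alternative would fall back to the newest release when nothing satisfies the age filter, which would defeat the cooldown.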
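Review bot: `"minimumReleaseAge": "0"` in `vulnerabilityAlerts` resets the cooldown with a zero-length duration string, whereas the same block already uses the unset idiom `"groupName": null` two lines up, and Renovate's documented defaults for `vulnerabilityAlerts` (as I recall them) also lift the age restriction with `null`; `"minimumReleaseAge": null` would be the consistent form and avoids depending on how the duration parser treats a bare "0". Either way, running `renovate-config-validator` on the merged file is cheap confirmation. This exemption only reaches dependencies for which GitHub vulnerability alerts exist and are readable by the Renovate app, so the security fast path is silently inert if alerts are disabled on the repository.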
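Review bot: `"automergeStrategy": "squash"` sits next to `"platformAutomerge": true`, and with platform automerge the merge is executed by GitHub's auto-merge using a merge method the repository settings must allow; if squash merging is disabled on the repository the PR cannot be auto-merged with that method and will just wait, with nothing in this file surfacing why. Worth checking the repository's allowed merge methods and, since the Renovate docs say platform support for this option varies, that the GitHub platform in the deployed Renovate version honours `automergeStrategy` rather than ignoring it — otherwise the line documents an intent that nothing enforces.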
@@ -0,0 +1,33 @@
+name: Trivy Dependency Scan
+
+# Quality gate for dependency bumps (incl. Renovate automerge): fail the PR if a
+# changed dependency pulls in a known HIGH/CRITICAL vulnerability, so we never ship
+# an update with a known issue.
+
+on:
+ push:
+ branches: [localstack]
+ pull_request:
+ branches: [localstack]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+jobs:
+ trivy-fs:
+ name: Scan go.mod for known CVEs
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v7
+
+ - name: Run Trivy filesystem scan
+ uses: aquasecurity/trivy-action@v0.36.0
+ with:
+ scan-type: fs
+ scanners: vuln
+ severity: HIGH,CRITICAL
+ # Skip CVEs with no fix available, otherwise an unfixable upstream CVE would
+ # permanently block every merge until a patch exists.
+ ignore-unfixed: true
+ exit-code: "1"
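Review bot: The workflow declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN permissions, more than a read-only scan needs; add `permissions:` / `  contents: read` at the workflow level before `jobs:`. `actions/checkout@v7` and `aquasecurity/trivy-action@v0.36.0` are referenced by mutable tags, and because the first patch in this series automerges github-actions minor/patch updates, pinning each to a full commit SHA with the version in a trailing comment (`uses: aquasecurity/trivy-action@<40-char-commit-sha> # v0.36.0`, placeholder) makes the automerged reference immutable while the `digest` update type already in that rule keeps the pins current. `ignore-unfixed: true` is the documented trade-off, but it also means a HIGH/CRITICAL finding with no upstream fix never appears anywhere in CI; a scheduled run of the same scan with `exit-code: "0"` would keep those findings visible without blocking merges. Note also that this job only gates automerge once it is a required status check on `localstack`, which the workflow file cannot establish by itself.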