devops(deps): configure Renovate for Gitea with patch automerge (F-22) #624

Open
opened 2026-05-19 14:43:52 +02:00 by marcel · 0 comments
Owner

Context

Pre-prod audit finding F-22 (dependency hygiene): the current renovate.json has no platform: "gitea" config and no automerge rules. This is directly why 12 advisories accumulated before issue #458 — each had a fixAvailable: true but no automation created a PR.

Issue #458 added a CI audit gate (npm audit --audit-level=high --omit=dev) as a structural safety net. This issue completes F-22 by making Renovate actually work against the self-hosted Gitea instance.

What's broken

renovate.json currently:

  • Has no "platform": "gitea" — Renovate may not connect to the self-hosted instance at all
  • Has no "endpoint" pointing to http://192.168.178.71:3005/api/v1
  • Has no automerge rules — patch updates sit unmerged indefinitely
  • Has no matchDepTypes rule to catch dev-dependency CVEs automatically

Approach

  1. Add "platform": "gitea" and "endpoint" to renovate.json
  2. Add "automerge": true + "automergeType": "pr" for patch updates (semver patch = low-risk)
  3. Add "automerge": false for minor/major updates (require review)
  4. Add a matchDepTypes: ["devDependencies"] group so dev CVEs trigger PRs, not just prod deps
  5. Verify Renovate can authenticate and open a test PR against the repo

Critical files

  • renovate.json

Verification

  1. Renovate scan runs without authentication errors
  2. A Renovate PR is opened for at least one pending patch update
  3. Patch PR automerges after CI passes
  4. Minor update PR is opened but NOT automerged (requires manual review)

Acceptance criteria

  • renovate.json contains "platform": "gitea" and a valid "endpoint"
  • Patch updates automerge after CI green
  • Minor/major updates open PRs but require manual approval
  • Renovate covers both dependencies and devDependencies

Effort

S — 30 minutes config + 1 hour verification

References

  • Pre-prod audit finding F-22 (dependency hygiene)
  • Issue #458 (immediate CVE fix + CI gate)
  • Raised by: Markus, Nora, Tobias, Sara, Elicit in the #458 review
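An added example, not taken from the issue or from the familienarchiv repository, of how the rules in the Approach list map onto Renovate's actual configuration. Two points a practitioner should know before copying that list verbatim: in Renovate, platform and endpoint are self-hosted (global) options that belong on the runner (environment variables RENOVATE_PLATFORM, RENOVATE_ENDPOINT, RENOVATE_TOKEN, or a config.js), not in the repository's renovate.json, which only carries the update rules; and the repository file may be named renovate.json5, which allows the inline comments used here. The 3-day minimumReleaseAge and the group name are assumptions, chosen to show the supply-chain caveat that goes with automerging patches.

```json5
// renovate.json5 (repository config; Renovate reads .json5 as well as .json)
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended"],

  // Gitea has no Dependabot-style alert feed, so Renovate's GitHub-only
  // vulnerabilityAlerts option does nothing on this platform; the OSV-backed
  // alerts do work and flag PRs that close a known advisory.
  osvVulnerabilityAlerts: true,

  // Automerge waits for the PR's status checks (the default); spelled out so
  // nobody flips it to true the first time CI is flaky.
  ignoreTests: false,

  // Supply-chain caveat: a freshly published patch can itself be a hijacked
  // release. Wait before offering it, and enforce the wait as a PR check.
  minimumReleaseAge: "3 days",   // assumption: pick what the team tolerates
  internalChecksFilter: "strict",

  packageRules: [
    {
      // semver patch of prod and dev dependencies: open PR, merge when green
      matchUpdateTypes: ["patch"],
      automerge: true,
      automergeType: "pr",   // already the default, kept explicit
    },
    {
      // minor/major: PR only, a human merges after review
      matchUpdateTypes: ["minor", "major"],
      automerge: false,
    },
    {
      // devDependencies are covered by default; this rule makes that explicit
      // and collapses their patch updates into one automergeable PR
      matchDepTypes: ["devDependencies"],
      matchUpdateTypes: ["patch"],
      groupName: "devDependencies (patch)",   // assumed name
    },
  ],
}
```

On the runner, the global options go in the environment or config.js: RENOVATE_PLATFORM=gitea, RENOVATE_ENDPOINT=http://192.168.178.71:3005/api/v1 and RENOVATE_TOKEN set to a Gitea token of a bot user that has write access to the repository, since automerge is a merge performed by that user. The endpoint is plain HTTP, so the token crosses the LAN unencrypted; that is acceptable only on a trusted segment, otherwise put TLS in front of Gitea. Running renovate-config-validator renovate.json5 catches a global option such as platform or endpoint mistakenly placed in the repository file, and renovate --dry-run=full marcel/familienarchiv exercises authentication and the lookup of pending updates without opening PRs, which covers verification step 1 before step 2 is attempted for real.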
marcel added the P2-medium and devops labels 2026-05-19 14:44:08 +02:00
Reference: marcel/familienarchiv#624