Add Renovate workflow for Docker base image updates (UI scope) by ChengYanJin · Pull Request #4919 · scality/metalk8s

ChengYanJin · 2026-05-07T14:24:26Z

Summary

Add Renovate configuration to automatically update Docker base images
Scoped to UI-related Dockerfiles only (shell-ui/, ui/, images/metalk8s-ui/)
Runs on weekdays at 8am UTC with manual trigger option
Auto-approves Renovate PRs via /approve comment
Prevents CVE from outdated base layers

Test plan

Verify workflow runs successfully on manual trigger
Verify Renovate detects Dockerfile base image updates

🤖 Generated with Claude Code

Keep Docker base images up to date automatically to prevent CVE from outdated base layers. Scoped to UI-related Dockerfiles only: shell-ui/, ui/, images/metalk8s-ui/. Runs on weekdays at 8am UTC. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

bert-e · 2026-05-07T14:24:30Z

Hello chengyanjin,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options

name	description	privileged	authored
`/after_pull_request`	Wait for the given pull request id to be merged before continuing with the current one.
`/bypass_author_approval`	Bypass the pull request author's approval	⭐
`/bypass_build_status`	Bypass the build and test status	⭐
`/bypass_commit_size`	Bypass the check on the size of the changeset `TBA`	⭐
`/bypass_incompatible_branch`	Bypass the check on the source branch prefix	⭐
`/bypass_jira_check`	Bypass the Jira issue check	⭐
`/bypass_peer_approval`	Bypass the pull request peers' approval	⭐
`/bypass_leader_approval`	Bypass the pull request leaders' approval	⭐
`/approve`	Instruct Bert-E that the author has approved the pull request.		✍️
`/create_pull_requests`	Allow the creation of integration pull requests.
`/create_integration_branches`	Allow the creation of integration branches.
`/no_octopus`	Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
`/unanimity`	Change review acceptance criteria from `one reviewer at least` to `all reviewers`
`/wait`	Instruct Bert-E not to run until further notice.

Available commands

name	description	privileged
`/help`	Print Bert-E's manual in the pull request.
`/status`	Print Bert-E's current status in the pull request `TBA`
`/clear`	Remove all comments from Bert-E from the history `TBA`
`/retry`	Re-start a fresh build `TBA`
`/build`	Re-start a fresh build `TBA`
`/force_reset`	Delete integration branches & pull requests, and restart merge process from the beginning.
`/reset`	Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

bert-e · 2026-05-07T14:24:38Z

Waiting for approval

The following approvals are needed before I can proceed with the merge:

the author
2 peers

Peer approvals must include at least 1 approval from the following list:

ChengYanJin · 2026-05-07T15:12:49Z

/approve

bert-e · 2026-05-07T15:13:00Z

Waiting for approval

The following approvals are needed before I can proceed with the merge:

the author
2 peers

Peer approvals must include at least 1 approval from the following list:

The following options are set: approve

g-carre · 2026-05-07T15:42:42Z

Renovate dry-run output

Two PRs would be opened (only dockerfile manager is enabled).

`improvement/renovate-nginx-1.x` — Update nginx Docker tag to v1.30.0

File	From	To	Type
`shell-ui/Dockerfile`	`nginx:1.28.0-alpine`	`nginx:1.30.0-alpine`	minor
`images/metalk8s-ui/Dockerfile`	`nginx:1.15.8`	`nginx:1.30.0`	minor

`improvement/renovate-node-22.x` — Update Node.js to v22

File	From	To	Type
`ui/Dockerfile`	`node:20-alpine3.19`	`node:22-alpine3.19`	major
`shell-ui/Dockerfile`	`node:20-alpine3.19`	`node:22-alpine3.19`	major

Notes

images/metalk8s-ui/Dockerfile is on nginx 1.15.8 (2019-era). Labeled "minor" because the major doesn't change, but it spans ~15 stable releases — worth careful smoke-testing
of asset serving, TLS, and HTTP/2 behavior.
Node v20 → v22 is a real major bump. Typical breakage points: native module rebuilds, crypto legacy provider deprecations, fetch/streams semantics changes. Run the test suite
against the new image before merging.
Stats: 3 Dockerfiles, 4 deps total, folded into 2 grouped PRs.

Optional: bundle into a single PR

Add this to renovate.json packageRules:

{                        
  "matchManagers": ["dockerfile"],
  "groupName": "ui-base-images"
}

g-carre · 2026-05-11T12:15:21Z

@ChengYanJin Are you willing renovate to request 2 separate PR for Node and Nginx ?
I would prefer to deal with only a single merged PR but I'm just asking

bert-e · 2026-05-12T11:01:31Z

Integration data created

I have created the integration data for the additional destination branches.

this pull request will merge improvement/add-renovate-dockerfile into
development/133.0
w/134.0/improvement/add-renovate-dockerfile will be merged into development/134.0

The following branches will NOT be impacted:

development/123.0
development/124.0
development/124.1
development/125.0
development/126.0
development/127.0
development/128.0
development/129.0
development/130.0
development/131.0
development/132.0
development/2.0
development/2.1
development/2.10
development/2.11
development/2.2
development/2.3
development/2.4
development/2.5
development/2.6
development/2.7
development/2.8
development/2.9

You can set option create_pull_requests if you need me to create
integration pull requests in addition to integration branches, with:

@bert-e create_pull_requests

The following options are set: approve

bert-e · 2026-05-12T11:01:35Z

Waiting for approval

The following approvals are needed before I can proceed with the merge:

the author
2 peers

Peer approvals must include at least 1 approval from the following list:

The following options are set: approve

ChengYanJin · 2026-05-12T14:11:17Z

@ChengYanJin Are you willing renovate to request 2 separate PR for Node and Nginx ? I would prefer to deal with only a single merged PR but I'm just asking

@g-carre good point, I will setup renovate to group all the dockerfile updates into a single PR.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

claude · 2026-05-12T14:15:01Z

+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          gh pr list --repo ${{ github.repository }} --state open --json number,headRefName --jq '.[] | select(.headRefName | startswith("improvement/renovate-")) | .number' | while read -r pr; do


The auto-approve step filters PRs only by branch name prefix (improvement/renovate-), not by PR author. Anyone with push access could create a branch matching this pattern and receive an automatic /approve. Add an author check to the jq filter — include author in the --json fields and filter on .author.login.

— Claude Code

claude · 2026-05-12T14:15:11Z

Security: Auto-approve lacks author verification — The auto-approve step at line 37 matches PRs solely by branch prefix (improvement/renovate-). Any user with push access could create a branch with that prefix and receive an automatic /approve. The jq filter should also check .author.login to verify the PR was created by the Renovate bot.

Review by Claude Code

bert-e · 2026-05-20T09:22:12Z

Waiting for approval

The following approvals are needed before I can proceed with the merge:

the author
2 peers

Peer approvals must include at least 1 approval from the following list:

The following options are set: approve

bert-e · 2026-06-15T06:27:47Z

Waiting for approval

The following approvals are needed before I can proceed with the merge:

the author
2 peers

Peer approvals must include at least 1 approval from the following list:

The following options are set: approve

bert-e · 2026-06-15T15:56:48Z

In the queue

The changeset has received all authorizations and has been added to the
relevant queue(s). The queue(s) will be merged in the target development
branch(es) as soon as builds have passed.

The changeset will be merged in:

✔️ development/133.0
✔️ development/134.0

The following branches will NOT be impacted:

development/123.0
development/124.0
development/124.1
development/125.0
development/126.0
development/127.0
development/128.0
development/129.0
development/130.0
development/131.0
development/132.0
development/2.0
development/2.1
development/2.10
development/2.11
development/2.2
development/2.3
development/2.4
development/2.5
development/2.6
development/2.7
development/2.8
development/2.9

There is no action required on your side. You will be notified here once
the changeset has been merged. In the unlikely event that the changeset
fails permanently on the queue, a member of the admin team will
contact you to help resolve the matter.

IMPORTANT

Please do not attempt to modify this pull request.

Any commit you add on the source branch will trigger a new cycle after the
current queue is merged.
Any commit you add on one of the integration branches will be lost.

If you need this pull request to be removed from the queue, please contact a
member of the admin team now.

The following options are set: approve

bert-e · 2026-06-15T17:31:25Z

Queue build failed

The corresponding build for the queue failed:

Checkout the status page.
Identify the failing build and review the logs.
If no issue is found, re-run the build.
If an issue is identified, checkout the steps below to remove
the pull request from the queue for further analysis and maybe rebase/merge.

Remove the pull request from the queue

Add a /wait comment on this pull request.
Click on login on the status page.
Go into the manage page.
Find the option called Rebuild the queue and click on it.
Bert-E will loop again on all pull requests to put the valid ones
in the queue again, while skipping the one with the /wait comment.
Wait for the new queue to merge, then merge/rebase your pull request
with the latest changes to then work on a proper fix.
Once the issue is fixed, delete the /wait comment and
follow the usual process to merge the pull request.

bert-e · 2026-06-18T08:58:00Z

I have successfully merged the changeset of this pull request
into targetted development branches:

✔️ development/133.0
✔️ development/134.0

The following branches have NOT changed:

development/123.0
development/124.0
development/124.1
development/125.0
development/126.0
development/127.0
development/128.0
development/129.0
development/130.0
development/131.0
development/132.0
development/2.0
development/2.1
development/2.10
development/2.11
development/2.2
development/2.3
development/2.4
development/2.5
development/2.6
development/2.7
development/2.8
development/2.9

Please check the status of the associated issue None.

Goodbye chengyanjin.

ChengYanJin requested a review from a team as a code owner May 7, 2026 14:24

scality deleted a comment from claude Bot May 7, 2026

Group all Dockerfile updates into a single Renovate PR

7231abb

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

claude Bot reviewed May 12, 2026

View reviewed changes

g-carre approved these changes Jun 15, 2026

View reviewed changes

JBWatenbergScality approved these changes Jun 15, 2026

View reviewed changes

bert-e merged commit b92e65e into development/133.0 Jun 18, 2026
36 of 37 checks passed

bert-e deleted the improvement/add-renovate-dockerfile branch June 18, 2026 08:58

Conversation

ChengYanJin commented May 7, 2026

Summary

Test plan

Uh oh!

bert-e commented May 7, 2026

Hello chengyanjin,

Uh oh!

bert-e commented May 7, 2026

Waiting for approval

Uh oh!

ChengYanJin commented May 7, 2026

Uh oh!

bert-e commented May 7, 2026

Waiting for approval

Uh oh!

g-carre commented May 7, 2026

Renovate dry-run output

improvement/renovate-nginx-1.x — Update nginx Docker tag to v1.30.0

improvement/renovate-node-22.x — Update Node.js to v22

Notes

Uh oh!

g-carre commented May 11, 2026

Uh oh!

bert-e commented May 12, 2026

Integration data created

Uh oh!

bert-e commented May 12, 2026

Waiting for approval

Uh oh!

ChengYanJin commented May 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

claude Bot May 12, 2026

Choose a reason for hiding this comment

Uh oh!

claude Bot commented May 12, 2026

Uh oh!

bert-e commented May 20, 2026

Waiting for approval

Uh oh!

bert-e commented Jun 15, 2026

Waiting for approval

Uh oh!

bert-e commented Jun 15, 2026

In the queue

Uh oh!

bert-e commented Jun 15, 2026

Queue build failed

Uh oh!

bert-e commented Jun 18, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

`improvement/renovate-nginx-1.x` — Update nginx Docker tag to v1.30.0

`improvement/renovate-node-22.x` — Update Node.js to v22

ChengYanJin commented May 12, 2026 •

edited

Loading