
Chore: Add Renovate and CI Canary configuration #376

Open
rlagkswn00 wants to merge 1 commit into develop from chore/issue-375-renovate-canary

Conversation

@rlagkswn00 (Member) commented Apr 16, 2026

#️⃣ Issue

📌 Summary

  • Adds a Renovate policy file for major updates.
  • Adds a CI Canary workflow based on ubuntu-latest.
  • Configures a Discord notification with a multi-line summary when the canary fails.

🛠️ Details

  • Add renovate.json
    • Set the base branch to develop
    • Enable only the gradle, gradle-wrapper and github-actions managers
    • Allow only major updates for Spring Boot, Testcontainers, the Gradle wrapper and GitHub Actions
    • Enable the Dependency Dashboard
    • Limit to 2 concurrently open PRs and 1 PR per hour
  • Add .github/workflows/canary.yml
    • Runs every Monday at 09:00 (KST) and supports manual dispatch
    • Runs ./gradlew test --info on ubuntu-latest
    • Includes a step that decrypts the Firebase resource file
    • On failure, sends a summary (repository/branch/trigger/failed step/run URL) to a Discord webhook
  • Explanatory comments and Renovate rule descriptions are written in Korean

💬 Notes

  • I verified that renovate.json parses as JSON and canary.yml parses as YAML.
  • Locally, ./gradlew test --info fails many tests because the Firebase resource file is missing, so I could not confirm a full pass.

Summary by CodeRabbit

Release Notes

  • Chores
    • A system that manages project dependencies automatically has been added. Libraries, build tools and development tools are updated to their latest versions on a regular schedule, continuously improving the project's security, stability and compatibility.
    • A scheduled automated test pipeline has been added. Automated tests run against the code on a regular basis, and a notification is sent immediately when a test fails, which speeds up problem response and improves code quality.

coderabbitai bot commented Apr 16, 2026

Walkthrough

A new GitHub Actions CI Canary workflow and a Renovate dependency-management configuration file have been added. CI Canary runs the tests on a manual trigger or a periodic schedule and sends a Discord notification when they fail.

Changes

Cohort / File(s): CI Canary workflow, .github/workflows/canary.yml
Summary: Adds a GitHub Actions workflow that runs on manual dispatch and on a Monday 09:00 KST cron. Decrypts a GPG-encrypted file, then runs the Gradle tests. On failure, sends a notification to a Discord webhook (including repository name, ref, trigger, actor, failed step and commit SHA).

Cohort / File(s): Renovate configuration, renovate.json
Summary: Adds automated dependency-update settings: targets the develop branch and enables the Gradle and GitHub Actions managers. Configures concurrent-PR limits and a selective major-update policy for Spring Boot, Testcontainers, the Gradle wrapper and GitHub Actions.

Poem

🐰 A new pipeline dances along,
Canary sings every night,
Renovate keeps the dependencies in line,
and the magic of automation unfolds! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title clearly summarizes the main content of the changes. It accurately describes the two key changes: adding the Renovate and CI Canary configuration.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@rlagkswn00 rlagkswn00 self-assigned this Apr 16, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (1)
.github/workflows/canary.yml (1)

64-67: Failure detection for the Discord notification is missing.

On lines 64-67 the step can be treated as successful even when the webhook returns 4xx/5xx. For notification reliability, add failure detection, retries and a timeout.

Suggested patch
-          curl \
-            -H "Content-Type: application/json" \
-            -d "${PAYLOAD}" \
-            "$DISCORD_WEBHOOK_URL"
+          curl --fail --silent --show-error \
+            --connect-timeout 5 \
+            --retry 3 --retry-delay 2 \
+            -H "Content-Type: application/json" \
+            -d "${PAYLOAD}" \
+            "$DISCORD_WEBHOOK_URL"
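Review bot: --connect-timeout 5 on the second added line only caps the TCP connect phase, so a webhook that accepts the connection but never answers still hangs the step; the AI prompt for this finding itself names --max-time, so add it (for example `--max-time 15`) beside --connect-timeout. Note also that --retry 3 only re-attempts what curl treats as transient (timeouts and HTTP 408/429/5xx); with --fail, a 401/404 from a mistyped or revoked DISCORD_WEBHOOK_URL fails on the first attempt, which is the right outcome and should stay visible as a failed step.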
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/canary.yml around lines 64 - 67, The curl invocation that
posts "${PAYLOAD}" to "$DISCORD_WEBHOOK_URL" must detect failures and not treat
4xx/5xx as success; update the step that runs the curl command to use curl
options like --fail and --max-time to treat HTTP errors and timeouts as
failures, and wrap the call in a short retry loop with exponential backoff (or
use a retry action) that inspects the HTTP status and exits non‑zero if all
retries fail; ensure the change references the existing variables PAYLOAD and
DISCORD_WEBHOOK_URL and returns a non‑zero exit code on unrecoverable failures
so the workflow fails when Discord notifications cannot be delivered.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 048b5e65-c8cf-435c-8555-f0253b84bbc3

📥 Commits

Reviewing files that changed from the base of the PR and between 4bb3ecc and 3614320.

📒 Files selected for processing (2)
  • .github/workflows/canary.yml
  • renovate.json
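As an added example (not code from the PR or the ku-ring project), a bash function that implements the notification hardening the nitpick above describes: status checking, a total-time cap and a retry loop with exponential backoff, so the failure step itself fails when Discord cannot be reached. The DISCORD_WEBHOOK_URL secret name is from the page; WEBHOOK_BACKOFF and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR: a Discord webhook notifier for the
# canary failure step that checks the HTTP status, caps total request time
# and retries transient errors with exponential backoff. Assumes curl exists.
set -u

# Only a 2xx counts as delivered. Discord answers a webhook POST with 204.
is_success_status() {
  case "$1" in
    2[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Retry only transient outcomes: no connection (curl reports 000), 408, 429
# or any 5xx. A 401/404 means a bad or revoked webhook URL, so fail fast.
is_retryable_status() {
  case "$1" in
    000|408|429|5[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# post_webhook URL PAYLOAD [MAX_ATTEMPTS]
# Returns 0 once Discord accepts the payload, 1 otherwise. WEBHOOK_BACKOFF
# (seconds, default 1) is the first delay; it doubles after every attempt.
# The URL is a secret, so only the status code is ever written to the log.
post_webhook() {
  local url="$1" payload="$2" attempts="${3:-3}"
  local delay="${WEBHOOK_BACKOFF:-1}" attempt=1 status
  while [ "$attempt" -le "$attempts" ]; do
    # --write-out prints just the status code; --max-time bounds the whole
    # request, unlike --connect-timeout which only bounds the connect phase.
    status=$(curl --silent --output /dev/null --write-out '%{http_code}' \
      --connect-timeout 5 --max-time 15 \
      -H "Content-Type: application/json" -d "$payload" "$url" 2>/dev/null) \
      || status="000"
    if is_success_status "$status"; then
      return 0
    fi
    echo "webhook attempt ${attempt}/${attempts} failed with HTTP ${status}" >&2
    is_retryable_status "$status" || return 1
    [ "$attempt" -lt "$attempts" ] && sleep "$delay"
    delay=$((delay * 2))
    attempt=$((attempt + 1))
  done
  return 1
}

# In the workflow the URL comes from the DISCORD_WEBHOOK_URL secret and the
# step must fail (exit 1) when delivery is impossible. Skipped when unset.
if [ -n "${DISCORD_WEBHOOK_URL:-}" ]; then
  post_webhook "$DISCORD_WEBHOOK_URL" '{"content":"canary failed"}' || exit 1
fi
```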

Comment on lines +19 to +23
- uses: actions/checkout@v3

- name: Set up JDK 17
uses: actions/setup-java@v3
with:

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find where outdated actions are used in the workflows (read-only)
rg -n 'uses:\s*actions/(checkout|setup-java)@v3' .github/workflows

Repository: ku-ring/ku-ring-backend-web

Length of output: 602


🌐 Web query:

What are the currently supported major versions for actions/checkout and actions/setup-java on GitHub Actions runners, and are v3 releases deprecated/incompatible?

💡 Result:

Currently supported major versions: actions/checkout: v4, v5, v6 (v6 latest, released 2026-01-09; v5 and v4 receive updates including Node 24 support and security fixes). actions/setup-java: v4, v5 (v5 latest, released 2026-01-22; v4 also maintained). v3 releases are deprecated/incompatible: Both v3 versions use Node 16 runtime (checkout v3.0.0+ updated to Node 16; setup-java v3 predates Node 20). Node 16 reached end-of-life in GitHub Actions runners on 2024-11-12; runners no longer support Node 16, causing v3 to fail or silently upgrade (potentially incompatible). Official docs promote v6/v5 and v5 respectively; v3 not featured in READMEs or examples. Upgrade recommended for compatibility with current runners (v2.327+ required for Node 24).


Risk of the Canary workflow failing to run because of outdated actions

actions/checkout@v3 on Line 19 and actions/setup-java@v3 on Line 22 are no longer compatible since Node 16 support ended on GitHub Actions runners on November 12, 2024. The currently supported versions are v4 to v6 for checkout (v6 latest) and v4 to v5 for setup-java (v5 latest). Because v3 uses Node 16, the workflow may fail at startup or behave unexpectedly.

Suggested fix
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up JDK 17
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v5
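Review bot: the two bumps follow different policies: checkout goes to v4 although the query result above lists v6 as the current release and the AI prompt suggests v6, while setup-java goes straight to the latest v5. Pick one rule (latest major for both, or the minimum supported v4 for both) and say so in the commit; the Renovate config in this PR enables major updates for github-actions, so whatever gap is left here will surface as a Renovate PR on the next run.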
🧰 Tools
🪛 actionlint (1.7.12)

[error] 19-19: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


[error] 22-22: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/canary.yml around lines 19 - 23, The workflow uses
outdated action versions "actions/checkout@v3" and "actions/setup-java@v3" which
rely on Node 16; update the "uses:" entries for the checkout and setup-java
steps (the occurrences of actions/checkout@v3 and actions/setup-java@v3) to
supported major releases (for example actions/checkout@v6 and
actions/setup-java@v5 or at minimum v4+ for checkout and v4+ for setup-java) so
the runner uses a Node 18+ compatible action; keep the step names and inputs
unchanged, only bump the version tags.

Comment thread renovate.json
Comment on lines +10 to +18
"description": "아래에서 명시적으로 다시 허용한 항목 외에는 일반 Gradle 의존성 업데이트를 비활성화한다.",
"matchManagers": ["gradle"],
"enabled": false
},
{
"description": "Gradle wrapper와 GitHub Actions는 major가 아닌 업데이트를 무시한다.",
"matchManagers": ["gradle-wrapper", "github-actions"],
"matchUpdateTypes": ["minor", "patch", "pin", "digest"],
"enabled": false

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the recommended Renovate configuration to keep major-only updates by default but still allow security-related minor/patch updates for Gradle dependencies?

💡 Result:

The recommended Renovate configuration to keep only major updates by default but allow security-related minor/patch updates for Gradle dependencies (datasource: maven) is: { "extends": [ "config:recommended" ], "major": { "enabled": true }, "minor": { "enabled": false }, "patch": { "enabled": false }, "separateMinorPatch": true, "packageRules": [ { "matchDatasources": ["maven"], "matchUpdateTypes": ["minor", "patch"], "enabled": false } ], "vulnerabilityAlerts": { "enabled": true }, "osvVulnerabilityAlerts": true } This disables minor and patch updates globally (and explicitly for maven/Gradle), while major updates remain enabled. Security vulnerability alerts (via GitHub Advisories and OSV) will still create PRs for vulnerable dependencies, potentially including minor/patch fixes if that's the resolution for the vulnerability. The separateMinorPatch: true ensures patch and minor are treated distinctly for the disable rules. Note: Security PRs bypass normal enabled: false packageRules restrictions, as they are handled separately by Renovate's vulnerability alerts feature.


This configuration leaves Gradle dependencies without security patches.

The combination of "enabled": false on lines 10-13 and line 17 blocks patch/minor updates for Gradle dependencies other than Spring Boot/Testcontainers. To keep the major-only policy while still opening PRs automatically when a security vulnerability is detected, add the following to renovate.json:

"vulnerabilityAlerts": true,
"osvVulnerabilityAlerts": true

These settings bypass the enabled: false restriction and handle security-related minor/patch updates separately. Alternatively, you can add an explicit security-update-only packageRule for specific packages.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@renovate.json` around lines 10 - 18, The current renovate.json disables
Gradle dependency updates (enabled: false) which blocks patch/minor security
fixes; add top-level keys "vulnerabilityAlerts": true and
"osvVulnerabilityAlerts": true to the renovate.json (or alternatively add a
packageRule that allows security-only updates for Gradle dependencies) so
Renovate will still open PRs for detected vulnerabilities while keeping the
existing major-only policy for normal updates.

Comment thread renovate.json
Comment on lines +21 to +24
"description": "Spring Boot는 major 업데이트만 허용한다.",
"matchManagers": ["gradle"],
"matchPackageNames": ["org.springframework.boot"],
"matchUpdateTypes": ["major"],

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

In Renovate packageRules for Gradle, does matchPackageNames with "org.springframework.boot" match dependencies like "org.springframework.boot:spring-boot-starter-web", or is a regex/prefix required?

💡 Result:

No, "matchPackageNames": ["org.springframework.boot"] performs an exact match against the full packageName, which for the Gradle dependency "org.springframework.boot:spring-boot-starter-web" is "org.springframework.boot:spring-boot-starter-web". It will not match dependencies like this by default. A regex or glob pattern is required for prefix matching, such as "matchPackageNames": ["org.springframework.boot:"] (glob) or ["/^org\.springframework\.boot:/"] (regex). This is because: - Renovate's Gradle manager uses the "maven" datasource. - For Maven/Gradle dependencies, both depName and packageName are set to the full "group:artifact" string, e.g. "org.springframework.boot:spring-boot-starter-web". - matchPackageNames matches against packageName using exact, glob, or regex patterns (since v38, July 2024). - Exact match requires the full name; prefix requires glob/regex like "org.springframework.boot:" or "/^org.springframework.boot:/". Examples from docs and issues confirm depName is the full "group:artifact" for Gradle deps, e.g. "org.springframework.cloud:spring-cloud-dependencies". Group presets use patterns like "group:springBoot" implying prefix matching needs patterns.


The Spring Boot rule does not match the actual dependencies.

"matchPackageNames": ["org.springframework.boot"] on Line 23 performs an exact match, so it does not match the Gradle dependency org.springframework.boot:spring-boot-starter-web (packageName: org.springframework.boot:spring-boot-starter-web). As a result, the intended major-update rule does not take effect.

Suggested fix
     {
       "description": "Spring Boot는 major 업데이트만 허용한다.",
       "matchManagers": ["gradle"],
-      "matchPackageNames": ["org.springframework.boot"],
+      "matchPackageNames": ["org.springframework.boot:*"],
       "matchUpdateTypes": ["major"],
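Review bot: `org.springframework.boot:*` depends on the glob support in matchPackageNames that the query result above dates to Renovate v38; on an older Renovate the string is compared literally and still matches nothing, so confirm the Renovate version in use or prefer the regex form `/^org\.springframework\.boot:/`, which the same result also lists. The PR description applies the same major-only pattern to Testcontainers, so that rule needs the same check. Keep this rule after the blanket gradle "enabled": false rule on lines 10-13: Renovate applies packageRules in order and a later rule overrides an earlier one.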
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@renovate.json` around lines 21 - 24, The rule uses matchPackageNames which
requires exact package name so it won't match Gradle coordinates like
org.springframework.boot:spring-boot-starter-web; change the rule to use
matchPackagePatterns (or a group-prefix matcher) instead of matchPackageNames
and supply a regex that matches the groupId prefix (e.g. a pattern matching
^org\.springframework\.boot(:|$)) so the rule with matchManagers ["gradle"] and
matchUpdateTypes ["major"] will match dependencies such as
org.springframework.boot:spring-boot-starter-web.

@github-actions

Unit Test Results

  84 files  ±0    84 suites  ±0   1m 41s ⏱️ +8s
597 tests ±0  590 ✔️ ±0  7 💤 ±0  0 ±0 
600 runs  ±0  593 ✔️ ±0  7 💤 ±0  0 ±0 

Results for commit 3614320. ± Comparison against base commit 4bb3ecc.
