Skip to content

Chore: Renovate와 CI Canary 설정 추가 #376

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
rlagkswn00 wants to merge 1 commit into
base: develop
Choose a base branch
from
+116 −0
Open

Chore: Renovate와 CI Canary 설정 추가 #376

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 67 additions & 0 deletions .github/workflows/canary.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
name: CI Canary

# 이 워크플로는 Github Actions에서 CI/CD 과정 수행 전에 조기에 문제를 감지하기 위한 용도다.
on:
workflow_dispatch:
schedule:
# 매주 월요일 오전 9시 (KST)
- cron: '0 0 * * 1'

env:
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

jobs:
canary:
name: Run tests on ubuntu-latest
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v3

- name: Set up JDK 17
uses: actions/setup-java@v3
with:
Comment on lines +19 to +23
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# 워크플로 내 구버전 액션 사용 위치 확인 (read-only)
rg -n 'uses:\s*actions/(checkout|setup-java)@v3' .github/workflows

Repository: ku-ring/ku-ring-backend-web

Length of output: 602

🌐 Web query:

What are the currently supported major versions for actions/checkout and actions/setup-java on GitHub Actions runners, and are v3 releases deprecated/incompatible?

💡 Result:

Currently supported major versions: actions/checkout: v4, v5, v6 (v6 latest, released 2026-01-09; v5 and v4 receive updates including Node 24 support and security fixes). actions/setup-java: v4, v5 (v5 latest, released 2026-01-22; v4 also maintained). v3 releases are deprecated/incompatible: Both v3 versions use Node 16 runtime (checkout v3.0.0+ updated to Node 16; setup-java v3 predates Node 20). Node 16 reached end-of-life in GitHub Actions runners on 2024-11-12; runners no longer support Node 16, causing v3 to fail or silently upgrade (potentially incompatible). Official docs promote v6/v5 and v5 respectively; v3 not featured in READMEs or examples. Upgrade recommended for compatibility with current runners (v2.327+ required for Node 24).

Citations:

Canary 워크플로의 구버전 액션으로 인한 실행 실패 위험

Line 19와 Line 22의 actions/checkout@v3, actions/setup-java@v3은 2024년 11월 12일 GitHub Actions 러너에서 Node 16 지원 종료로 더 이상 호환되지 않습니다. 현재 지원 버전은 checkout의 경우 v4v6 (v6 최신), setup-java의 경우 v4v5 (v5 최신)입니다. v3는 Node 16을 사용하므로 워크플로 시작 단계에서 실패하거나 예상 외의 동작을 할 수 있습니다.

수정 제안 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up JDK 17
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v5
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@v3
- name: Set up JDK 17
uses: actions/setup-java@v3
with:
- uses: actions/checkout@v4
- name: Set up JDK 17
uses: actions/setup-java@v5
with:
🧰 Tools
🪛 actionlint (1.7.12)

[error] 19-19: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

[error] 22-22: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/canary.yml around lines 19 - 23, The workflow uses
outdated action versions "actions/checkout@v3" and "actions/setup-java@v3" which
rely on Node 16; update the "uses:" entries for the checkout and setup-java
steps (the occurrences of actions/checkout@v3 and actions/setup-java@v3) to
supported major releases (for example actions/checkout@v6 and
actions/setup-java@v5 or at minimum v4+ for checkout and v4+ for setup-java) so
the runner uses a Node 18+ compatible action; keep the step names and inputs
unchanged, only bump the version tags.

distribution: 'temurin'
java-version: 17

- name: Decrypt secrets
id: decrypt
run: sh .github/workflows/decrypt.sh

- name: Run test task
id: test_task
run: ./gradlew test --info

- name: Notify Discord on failure
id: notify
if: failure()
env:
DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
run: |
RUN_URL="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
SHORT_SHA="$(printf '%s' "${GITHUB_SHA}" | cut -c1-7)"
FAILED_STEP="unknown"

if [ "${{ steps.decrypt.outcome }}" = "failure" ]; then
FAILED_STEP="Decrypt secrets"
elif [ "${{ steps.test_task.outcome }}" = "failure" ]; then
FAILED_STEP="Run test task"
fi

MESSAGE="$(
printf '%s\n' \
'CI Canary failed' \
'- Repo: ${{ github.repository }}' \
'- Ref: ${{ github.ref_name }}' \
'- Trigger: ${{ github.event_name }}' \
'- Actor: ${{ github.actor }}' \
"- Failed step: ${FAILED_STEP}" \
"- Commit: ${SHORT_SHA}" \
"- Run: ${RUN_URL}"
)"

PAYLOAD="$(MESSAGE="${MESSAGE}" python3 -c 'import json, os; print(json.dumps({"content": os.environ["MESSAGE"]}))')"
curl \
-H "Content-Type: application/json" \
-d "${PAYLOAD}" \
"$DISCORD_WEBHOOK_URL"
49 changes: 49 additions & 0 deletions renovate.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"baseBranchPatterns": ["develop"],
"enabledManagers": ["gradle", "gradle-wrapper", "github-actions"],
"dependencyDashboard": true,
"prConcurrentLimit": 2,
"prHourlyLimit": 1,
"packageRules": [
{
"description": "아래에서 명시적으로 다시 허용한 항목 외에는 일반 Gradle 의존성 업데이트를 비활성화한다.",
"matchManagers": ["gradle"],
"enabled": false
},
{
"description": "Gradle wrapper와 GitHub Actions는 major가 아닌 업데이트를 무시한다.",
"matchManagers": ["gradle-wrapper", "github-actions"],
"matchUpdateTypes": ["minor", "patch", "pin", "digest"],
"enabled": false
Comment on lines +10 to +18
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the recommended Renovate configuration to keep major-only updates by default but still allow security-related minor/patch updates for Gradle dependencies?

💡 Result:

The recommended Renovate configuration to keep only major updates by default but allow security-related minor/patch updates for Gradle dependencies (datasource: maven) is: { "extends": [ "config:recommended" ], "major": { "enabled": true }, "minor": { "enabled": false }, "patch": { "enabled": false }, "separateMinorPatch": true, "packageRules": [ { "matchDatasources": ["maven"], "matchUpdateTypes": ["minor", "patch"], "enabled": false } ], "vulnerabilityAlerts": { "enabled": true }, "osvVulnerabilityAlerts": true } This disables minor and patch updates globally (and explicitly for maven/Gradle), while major updates remain enabled. Security vulnerability alerts (via GitHub Advisories and OSV) will still create PRs for vulnerable dependencies, potentially including minor/patch fixes if that's the resolution for the vulnerability. The separateMinorPatch: true ensures patch and minor are treated distinctly for the disable rules. Note: Security PRs bypass normal enabled: false packageRules restrictions, as they are handled separately by Renovate's vulnerability alerts feature.

Citations:

Gradle 의존성이 보안 패치를 받지 못하는 구성입니다.

Line 10-13과 Line 17의 "enabled": false 조합으로 Spring Boot/Testcontainers 외 Gradle 의존성의 patch/minor 업데이트가 차단됩니다. Major 중심 정책을 유지하되 보안 취약점이 감지되면 자동으로 PR을 생성하도록 renovate.json에 다음을 추가하세요:

"vulnerabilityAlerts": true,
"osvVulnerabilityAlerts": true

이 설정은 enabled: false 제약을 우회하여 보안 관련 minor/patch 업데이트를 별도로 처리합니다. 또는 특정 패키지에 대해 보안 업데이트 전용 packageRule을 명시적으로 추가하는 방법도 있습니다.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@renovate.json` around lines 10 - 18, The current renovate.json disables
Gradle dependency updates (enabled: false) which blocks patch/minor security
fixes; add top-level keys "vulnerabilityAlerts": true and
"osvVulnerabilityAlerts": true to the renovate.json (or alternatively add a
packageRule that allows security-only updates for Gradle dependencies) so
Renovate will still open PRs for detected vulnerabilities while keeping the
existing major-only policy for normal updates.

},
{
"description": "Spring Boot는 major 업데이트만 허용한다.",
"matchManagers": ["gradle"],
"matchPackageNames": ["org.springframework.boot"],
"matchUpdateTypes": ["major"],
Comment on lines +21 to +24
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

In Renovate packageRules for Gradle, does matchPackageNames with "org.springframework.boot" match dependencies like "org.springframework.boot:spring-boot-starter-web", or is a regex/prefix required?

💡 Result:

No, "matchPackageNames": ["org.springframework.boot"] performs an exact match against the full packageName, which for the Gradle dependency "org.springframework.boot:spring-boot-starter-web" is "org.springframework.boot:spring-boot-starter-web". It will not match dependencies like this by default. A regex or glob pattern is required for prefix matching, such as "matchPackageNames": ["org.springframework.boot:"] (glob) or ["/^org\.springframework\.boot:/"] (regex). This is because: - Renovate's Gradle manager uses the "maven" datasource. - For Maven/Gradle dependencies, both depName and packageName are set to the full "group:artifact" string, e.g. "org.springframework.boot:spring-boot-starter-web". - matchPackageNames matches against packageName using exact, glob, or regex patterns (since v38, July 2024). - Exact match requires the full name; prefix requires glob/regex like "org.springframework.boot:" or "/^org.springframework.boot:/". Examples from docs and issues confirm depName is the full "group:artifact" for Gradle deps, e.g. "org.springframework.cloud:spring-cloud-dependencies". Group presets use patterns like "group:springBoot" implying prefix matching needs patterns.

Citations:

Spring Boot 규칙이 실제 의존성과 매칭되지 않습니다.

Line 23의 "matchPackageNames": ["org.springframework.boot"]는 정확한 일치(exact match)를 수행하므로, Gradle 의존성 org.springframework.boot:spring-boot-starter-web (packageName: org.springframework.boot:spring-boot-starter-web)과 매칭되지 않습니다. 따라서 의도한 major 업데이트 규칙이 작동하지 않습니다.

제안 수정 
     {
       "description": "Spring Boot는 major 업데이트만 허용한다.",
       "matchManagers": ["gradle"],
-      "matchPackageNames": ["org.springframework.boot"],
+      "matchPackageNames": ["org.springframework.boot:*"],
       "matchUpdateTypes": ["major"],
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@renovate.json` around lines 21 - 24, The rule uses matchPackageNames which
requires exact package name so it won't match Gradle coordinates like
org.springframework.boot:spring-boot-starter-web; change the rule to use
matchPackagePatterns (or a group-prefix matcher) instead of matchPackageNames
and supply a regex that matches the groupId prefix (e.g. a pattern matching
^org\.springframework\.boot(:|$)) so the rule with matchManagers ["gradle"] and
matchUpdateTypes ["major"] will match dependencies such as
org.springframework.boot:spring-boot-starter-web.

"enabled": true,
"groupName": "spring-boot-major"
},
{
"description": "Testcontainers는 major 업데이트만 허용한다.",
"matchManagers": ["gradle"],
"matchPackageNames": ["/^org\\.testcontainers:/"],
"matchUpdateTypes": ["major"],
"enabled": true,
"groupName": "testcontainers-major"
},
{
"description": "Gradle wrapper는 major 업데이트만 허용한다.",
"matchManagers": ["gradle-wrapper"],
"matchUpdateTypes": ["major"],
"groupName": "gradle-wrapper-major"
},
{
"description": "GitHub Actions는 major 업데이트만 허용한다.",
"matchManagers": ["github-actions"],
"matchUpdateTypes": ["major"],
"groupName": "github-actions-major"
}
]
}
Loading