From b112224c6df59ea8f789050622213e58d496b5e1 Mon Sep 17 00:00:00 2001 From: Titus Fortner Date: Tue, 19 May 2026 11:13:40 -0500 Subject: [PATCH 1/2] [build] remove overly complicated renovate workflow and replace with built-in features --- .github/workflows/ci-rbe.yml | 3 +- .github/workflows/ci-renovate-rbe.yml | 43 ++++++++ .github/workflows/renovate-dependencies.yml | 102 ------------------ .github/workflows/renovate-dependency-pr.yml | 106 ------------------- renovate.json | 24 +---- 5 files changed, 48 insertions(+), 230 deletions(-) create mode 100644 .github/workflows/ci-renovate-rbe.yml delete mode 100644 .github/workflows/renovate-dependencies.yml delete mode 100644 .github/workflows/renovate-dependency-pr.yml diff --git a/.github/workflows/ci-rbe.yml b/.github/workflows/ci-rbe.yml index eb8d841f9723f..4541fc2478259 100644 --- a/.github/workflows/ci-rbe.yml +++ b/.github/workflows/ci-rbe.yml @@ -12,6 +12,7 @@ on: required: false default: false type: boolean + workflow_call: concurrency: group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.ref }} @@ -24,7 +25,7 @@ permissions: jobs: test: name: Test - if: github.event.repository.fork == false && startsWith(github.head_ref, 'renovate/') != true + if: github.event.repository.fork == false uses: ./.github/workflows/bazel.yml with: name: All RBE tests diff --git a/.github/workflows/ci-renovate-rbe.yml b/.github/workflows/ci-renovate-rbe.yml new file mode 100644 index 0000000000000..6ded3a5671cf8 --- /dev/null +++ b/.github/workflows/ci-renovate-rbe.yml 
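Review bot: With `workflow_call:` added, the workflow-level `concurrency.group` shown as context in the first ci-rbe.yml hunk is evaluated with the caller's `github` context, so `github.workflow` resolves to the calling workflow's name rather than this file's. If `ci.yml`, which the same caller also invokes, builds its group from the same expression (not visible here), both called workflows share one group, and one can cancel or queue behind the other. A literal prefix keeps them apart, e.g. `group: ci-rbe-${{ github.event_name }}-${{ github.event.pull_request.number || github.ref }}`. The rest of the `concurrency:` block is outside the hunk, so check there whether `cancel-in-progress` is set.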
@@ -0,0 +1,43 @@
+name: CI - Renovate - RBE
+
+on:
+ push:
+ branches:
+ - renovate/*
+
+permissions:
+ contents: read
+
+jobs:
+ pin:
+ name: Repin Dependencies
+ if: github.event.repository.fork == false
+ uses: ./.github/workflows/bazel.yml
+ with:
+ name: Repin Dependencies
+ run: |
+ ./go all:pin
+ ./go rust:pin
+ ./go format
+ artifact-name: repin-changes
+
+ commit-repins:
+ name: Commit Repins
+ needs: pin
+ permissions:
+ contents: write
+ actions: read
+ uses: ./.github/workflows/commit-changes.yml
+ with:
+ artifact-name: repin-changes
+ commit-message: "Repin dependencies"
+
+ test:
+ name: Test
+ needs: commit-repins
+ uses: ./.github/workflows/ci-rbe.yml
+
+ ci-gh:
+ name: CI - GitHub
+ needs: commit-repins
+ uses: ./.github/workflows/ci.yml
diff --git a/.github/workflows/renovate-dependencies.yml b/.github/workflows/renovate-dependencies.yml
deleted file mode 100644
index 84ba399d01043..0000000000000
--- a/.github/workflows/renovate-dependencies.yml
+++ /dev/null
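Review bot: The `test` and `ci-gh` jobs run after `commit-repins` has pushed a new commit, but neither call passes a ref, and the `workflow_call:` trigger added to ci-rbe.yml declares no inputs. The called workflows will therefore presumably check out the SHA of the push that started the run, which is the tree before repinning. If so, the checks report on a commit that is no longer the branch head, and a broken or unexpected repin reaches the branch untested. The deleted renovate-dependency-pr.yml passed `ref:` to bazel.yml, so that input appears to exist; accepting a `ref` input in ci-rbe.yml and ci.yml, forwarding it to bazel.yml, and calling both with `ref: ${{ github.ref_name }}` would test what was actually committed. Confirm against bazel.yml, which is not part of this patch.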
@@ -1,102 +0,0 @@ -name: Renovate Dependencies - -on: - workflow_dispatch: - -concurrency: - group: renovate-dependencies - cancel-in-progress: true - -permissions: - actions: read - contents: write - issues: write - pull-requests: write - -jobs: - reset-update-branch: - name: Reset temp/bazel-updates to ${{ github.ref_name }} - if: github.event.repository.fork == false - runs-on: ubuntu-latest - steps: - - name: Checkout base ref - uses: actions/checkout@v6 - with: - token: ${{ secrets.SELENIUM_CI_TOKEN || github.token }} - - name: Force-push to temp/bazel-updates - run: git push --force origin "HEAD:temp/bazel-updates" - - prepare-updates: - name: Prepare Bazel updates - needs: reset-update-branch - if: github.event.repository.fork == false - uses: ./.github/workflows/bazel.yml - with: - name: Prepare Bazel updates - caching: false - run: | - ./go all:update - ./go rust:update - artifact-name: bazel-updates - - push-update-branch: - name: Push Bazel update branch - needs: prepare-updates - if: github.event.repository.fork == false - uses: ./.github/workflows/commit-changes.yml - with: - artifact-name: bazel-updates - commit-message: "Update dependencies" - push-branch: temp/bazel-updates - secrets: - SELENIUM_CI_TOKEN: ${{ secrets.SELENIUM_CI_TOKEN }} - - renovate: - name: Renovate dependencies - needs: push-update-branch - if: github.event.repository.fork == false - runs-on: ubuntu-latest - steps: - - name: Checkout update branch - uses: actions/checkout@v6 - with: - ref: temp/bazel-updates - - name: Reset eval branches - run: | - for kind in minor major; do - branch="renovate/${kind}-eval" - if git ls-remote --exit-code --heads origin "$branch" >/dev/null; then - git push origin --delete "$branch" - fi - done - - name: Run Renovate - uses: renovatebot/github-action@v46.1.14 - with: - token: ${{ secrets.SELENIUM_CI_TOKEN || github.token }} - env: - LOG_LEVEL: info - RENOVATE_PLATFORM: github - RENOVATE_REPOSITORIES: ${{ github.repository }} - RENOVATE_FORCE: | - 
{ - "baseBranchPatterns": ["temp/bazel-updates"], - "dependencyDashboard": false, - "dependencyDashboardApproval": false, - "prCreation": "approval", - "pruneStaleBranches": false, - "schedule": null - } - - dependency-pr: - name: ${{ matrix.kind }} dependency PR - needs: renovate - if: always() && github.event.repository.fork == false - strategy: - fail-fast: false - matrix: - kind: [minor, major] - uses: ./.github/workflows/renovate-dependency-pr.yml - with: - kind: ${{ matrix.kind }} - secrets: - SELENIUM_CI_TOKEN: ${{ secrets.SELENIUM_CI_TOKEN }} diff --git a/.github/workflows/renovate-dependency-pr.yml b/.github/workflows/renovate-dependency-pr.yml deleted file mode 100644 index a98b171588f15..0000000000000 --- a/.github/workflows/renovate-dependency-pr.yml +++ /dev/null 
@@ -1,106 +0,0 @@ -name: Renovate Dependency PR - -on: - workflow_call: - inputs: - kind: - description: Dependency update type. Must be minor or major. - required: true - type: string - secrets: - SELENIUM_CI_TOKEN: - required: true - -permissions: - actions: read - contents: write - issues: write - pull-requests: write - -jobs: - detect-branch: - name: Detect ${{ inputs.kind }} branch - runs-on: ubuntu-latest - outputs: - exists: ${{ steps.detect.outputs.exists }} - steps: - - name: Detect branch - id: detect - env: - KIND: ${{ inputs.kind }} - REPO_URL: ${{ github.server_url }}/${{ github.repository }}.git - run: | - case "$KIND" in - minor|major) ;; - *) echo "::error::kind must be minor or major"; exit 1 ;; - esac - if git ls-remote --exit-code --heads "$REPO_URL" "renovate/${KIND}-eval" >/dev/null; then - echo "exists=true" >> "$GITHUB_OUTPUT" - else - echo "exists=false" >> "$GITHUB_OUTPUT" - fi - - evaluate: - name: Evaluate ${{ inputs.kind }} dependencies - needs: detect-branch - if: needs.detect-branch.outputs.exists == 'true' - uses: ./.github/workflows/bazel.yml - with: - name: Evaluate ${{ inputs.kind }} dependencies - ref: renovate/${{ inputs.kind }}-eval - ruby-version: jruby-10.1.0.0 - run: | - ./go all:pin - ./go rust:pin - ./go format - ./scripts/github-actions/ci-build.sh - git fetch origin "${{ github.ref_name }}" --depth=1 - git add -A - git diff --binary --cached "origin/${{ github.ref_name }}" > full-changes.patch - artifact-name: ${{ inputs.kind }}-dependency-changes - artifact-path: full-changes.patch - - promote: - name: Promote ${{ inputs.kind }} dependencies - needs: evaluate - runs-on: ubuntu-latest - steps: - - name: Checkout base - uses: actions/checkout@v6 - with: - persist-credentials: false - - name: Download patch - uses: actions/download-artifact@v8 - with: - name: ${{ inputs.kind }}-dependency-changes - - name: Apply patch - run: | - git apply --index full-changes.patch - rm full-changes.patch - - name: Create or update PR - 
uses: peter-evans/create-pull-request@v8 - with: - token: ${{ secrets.SELENIUM_CI_TOKEN }} - commit-message: "[build] Update ${{ inputs.kind }} dependencies" - author: Selenium CI Bot - branch: renovate/${{ inputs.kind }} - base: ${{ github.ref_name }} - title: "[build] Update ${{ inputs.kind }} dependencies" - labels: | - C-build - B-dependencies - body: | - This PR contains the latest passing ${{ inputs.kind }} dependency updates, squashed into a single commit. - - Included changes: - - Repository dependency updates from `./go all:update` and `./go rust:update` - - Renovate ${{ inputs.kind }} dependency updates - - Generated dependency pins after `./go all:pin` and `./go rust:pin` - - Formatting fixes from `./go format` - - This PR only advances when pinning, formatting, and RBE validation all pass. If a later evaluation fails, the PR stays on the most recent passing dependency set and the workflow run shows what failed. - - The Renovate [Dependency Dashboard](https://github.com/${{ github.repository }}/issues/13964) is independent of this PR and is used to inspect specific versions and evaluate updates; do not approve dashboard items to drive merges here. - - Workflow runs: ${{ github.server_url }}/${{ github.repository }}/actions/workflows/renovate-dependencies.yml - This PR run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} diff --git a/renovate.json b/renovate.json index 3a7c0e13b4104..6608377c8a69d 100644 --- a/renovate.json +++ b/renovate.json 
@@ -2,15 +2,11 @@ "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": ["config:recommended"], "dependencyDashboard": true, - "dependencyDashboardApproval": true, "dependencyDashboardLabels": ["B-dependencies"], - "dependencyDashboardTitle": "Dependency Dashboard", - "dependencyDashboardHeader": "Renovate is configured to list discovered dependency updates here first. Do not approve dashboard items until the update scope has been reviewed.", - "automerge": false, + "dependencyDashboardHeader": "This dashboard exists for visibility into Renovate's state and for surfacing problems. Renovate creates branches automatically for eligible updates; each branch is pinned and tested by the CI - Renovate - RBE workflow. PRs are intentionally suppressed (prCreation: approval) — do not tick checkboxes under 'Pending Approval', as doing so would create a PR we don't want. For per-branch CI status, open the branch in GitHub and view its Actions runs.", + "prCreation": "approval", + "branchConcurrentLimit": 1, "skipArtifactsUpdate": true, - "lockFileMaintenance": { - "enabled": false - }, "labels": ["B-dependencies"], "baseBranchPatterns": ["trunk"], "ignorePaths": [ @@ -145,20 +141,6 @@ "matchManagers": ["bazel-module"], "matchPackageNames": ["rules_python"], "allowedVersions": "<2" - }, - { - "description": "Orchestrated workflow only: group major updates into the major-eval branch.", - "matchBaseBranches": ["temp/bazel-updates"], - "matchUpdateTypes": ["major"], - "groupName": "major dependency updates", - "groupSlug": "major-eval" - }, - { - "description": "Orchestrated workflow only: group non-major updates into the minor-eval branch.", - "matchBaseBranches": ["temp/bazel-updates"], - "matchUpdateTypes": ["minor", "patch", "pin", "digest"], - "groupName": "minor dependency updates", - "groupSlug": "minor-eval" } ] } From cab6b1a340504482838d220b0d53956f683be835 Mon Sep 17 00:00:00 2001 
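Review bot: Nothing in the visible renovate.json hunks sets `gitIgnoredAuthors`, yet the new CI - Renovate - RBE workflow pushes a "Repin dependencies" commit onto each `renovate/*` branch. Renovate treats a branch carrying a commit from another author as modified and stops rebasing or updating it. With `"branchConcurrentLimit": 1`, one such branch could hold back every later update, including security fixes. If the unchanged parts of the file do not already cover this, add the committing identity, e.g. `"gitIgnoredAuthors": ["<commit-bot-email-placeholder>"]`, using whatever address commit-changes.yml commits as.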
From: Titus Fortner Date: Tue, 19 May 2026 12:13:21 -0500 Subject: [PATCH 2/2] add concurrency to prevent race conditions --- .github/workflows/ci-renovate-rbe.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci-renovate-rbe.yml b/.github/workflows/ci-renovate-rbe.yml index 6ded3a5671cf8..014adb2cf5a44 100644 --- a/.github/workflows/ci-renovate-rbe.yml +++ b/.github/workflows/ci-renovate-rbe.yml @@ -5,6 +5,10 @@ on: branches: - renovate/* +concurrency: + group: ci-renovate-rbe-${{ github.ref }} + cancel-in-progress: true + permissions: contents: read