From 305304c5bff475aca1c17218813c4c52f2d78275 Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Wed, 13 May 2026 12:50:09 +0000 Subject: [PATCH 1/4] Add Renovate GitHub Actions workflow Co-Authored-By: Paperclip --- .github/workflows/renovate.yaml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .github/workflows/renovate.yaml diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml new file mode 100644 index 0000000..33e0fd5 --- /dev/null +++ b/.github/workflows/renovate.yaml @@ -0,0 +1,30 @@ +name: Renovate + +on: + schedule: + - cron: '0 2 * * 6' # Saturday 2:00 UTC — aligns with "every weekend" in renovate-config.json + workflow_dispatch: + +jobs: + renovate: + runs-on: runners-privilegedescalation + steps: + - name: Checkout repository + uses: actions/checkout@v6 + + - name: Generate GitHub App token + id: app-token + uses: actions/create-github-app-token@v3 + with: + app-id: ${{ secrets.RELEASE_APP_ID }} + private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }} + owner: privilegedescalation + + - name: Run Renovate + uses: renovatebot/github-action@v41.0.0 + with: + token: ${{ steps.app-token.outputs.token }} + configurationFile: renovate-config.json + env: + LOG_LEVEL: debug + RENOVATE_AUTODISCOVER: "true" \ No newline at end of file From 7af5336b40b8837f702b5b1dce5b1b88a5deee8f Mon Sep 17 00:00:00 2001 From: "privilegedescalation-engineer[bot]" <269729446+privilegedescalation-engineer[bot]@users.noreply.github.com> Date: Wed, 13 May 2026 13:06:43 +0000 Subject: [PATCH 2/4] fix: add trailing newline at EOF in renovate.yaml --- .github/workflows/renovate.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml index 33e0fd5..51001ec 100644 --- a/.github/workflows/renovate.yaml +++ b/.github/workflows/renovate.yaml 
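Review bot: The three `uses:` references in the renovate job (`actions/checkout@v6`, `actions/create-github-app-token@v3`, `renovatebot/github-action@v41.0.0`) are pinned to mutable tags, so a job that mints an org-wide App token and then runs with `RENOVATE_AUTODISCOVER: "true"` executes whatever those tags resolve to on the day it runs; pin each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: renovatebot/github-action@<commit-sha> # v41.0.0`. The workflow also declares no top-level `permissions:` block, so the default `GITHUB_TOKEN` keeps the repository's default scope even though the only step needing write access uses the App token — add a workflow-level `permissions:` block with `contents: read` (or `permissions: {}`). Unfiltered autodiscovery means Renovate acts on every repository the App is installed in; consider `RENOVATE_AUTODISCOVER_FILTER` or an explicit repository list so the blast radius is visible in the workflow itself. PATCH 4/4 of this series deletes the file again, so these points only matter if it is reintroduced.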
@@ -27,4 +27,4 @@ jobs: configurationFile: renovate-config.json env: LOG_LEVEL: debug - RENOVATE_AUTODISCOVER: "true" \ No newline at end of file + RENOVATE_AUTODISCOVER: "true" From e75859c67aa8ca6ce9aeb4c759462e2fdb93a8a9 Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Thu, 14 May 2026 05:58:37 +0000 Subject: [PATCH 3/4] fix: resolve BASE_REF from PR API on pull_request_review events BASE_REF is empty on pull_request_review events since github.base_ref is only populated on pull_request events. The empty string hit the case * wildcard and silently passed the promotion gate. Add a fallback that fetches .base.ref from the PR API when BASE_REF is empty but a PR_NUMBER is available. Co-Authored-By: Claude Opus 4.7 --- .github/workflows/dual-approval-check.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/dual-approval-check.yaml b/.github/workflows/dual-approval-check.yaml index d759e70..b4aa7d9 100644 --- a/.github/workflows/dual-approval-check.yaml +++ b/.github/workflows/dual-approval-check.yaml @@ -29,6 +29,14 @@ jobs: echo "Checking promotion gate for PR #${PR_NUMBER} targeting ${BASE_REF} in ${REPO}" + if [ -z "${BASE_REF}" ] && [ -n "${PR_NUMBER}" ] && [ "${PR_NUMBER}" != "null" ]; then + BASE_REF=$(curl -sf \ + -H "Authorization: Bearer ${GH_TOKEN}" \ + -H "Accept: application/vnd.github.v3+json" \ + "https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.base.ref') + echo "BASE_REF was empty; resolved from PR #${PR_NUMBER} API: ${BASE_REF}" + fi + # Determine required reviewer based on target branch case "${BASE_REF}" in dev) From 8f8e75a6d87ebdbd91e52e83b76cd4f41e70a218 Mon Sep 17 00:00:00 2001 
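Review bot: The new fallback still fails open: if `curl -sf` fails, or the response has no `.base.ref`, the pipeline yields an empty string or the literal `null`, BASE_REF keeps that value, and execution reaches the `case` where (per the commit message) the `*` wildcard passes the gate — the same hole this patch is closing. After the `fi`, fail closed when BASE_REF is still empty or `null` before the `case` runs, and make the `*)` arm reject rather than pass (that arm, and the enclosing `run:` step, start and end outside this hunk). Whether `set -e`/`pipefail` is active in this step is not visible here, and even with it `jq -r` on an object lacking `.base.ref` exits 0 and prints `null`, so an explicit check is needed either way. The scope of `GH_TOKEN` is also not visible in the hunk; the pulls endpoint only needs read access to pull requests, so a read-only token is sufficient for this lookup.
```yaml
          if [ -z "${BASE_REF}" ] && [ -n "${PR_NUMBER}" ] && [ "${PR_NUMBER}" != "null" ]; then
            # … unchanged: curl/jq lookup of .base.ref …
          fi

          if [ -z "${BASE_REF}" ] || [ "${BASE_REF}" = "null" ]; then
            echo "::error::Unable to determine target branch for PR #${PR_NUMBER}; refusing to evaluate promotion gate"
            exit 1
          fi
```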
From: Chris Farhood Date: Thu, 14 May 2026 06:06:35 +0000 Subject: [PATCH 4/4] remove: drop renovate.yaml from PR branch (out of scope, blocks CI) Co-Authored-By: Claude Opus 4.7 --- .github/workflows/renovate.yaml | 30 ------------------------------ 1 file changed, 30 deletions(-) delete mode 100644 .github/workflows/renovate.yaml diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml deleted file mode 100644 index 51001ec..0000000 --- a/.github/workflows/renovate.yaml +++ /dev/null @@ -1,30 +0,0 @@ -name: Renovate - -on: - schedule: - - cron: '0 2 * * 6' # Saturday 2:00 UTC — aligns with "every weekend" in renovate-config.json - workflow_dispatch: - -jobs: - renovate: - runs-on: runners-privilegedescalation - steps: - - name: Checkout repository - uses: actions/checkout@v6 - - - name: Generate GitHub App token - id: app-token - uses: actions/create-github-app-token@v3 - with: - app-id: ${{ secrets.RELEASE_APP_ID }} - private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }} - owner: privilegedescalation - - - name: Run Renovate - uses: renovatebot/github-action@v41.0.0 - with: - token: ${{ steps.app-token.outputs.token }} - configurationFile: renovate-config.json - env: - LOG_LEVEL: debug - RENOVATE_AUTODISCOVER: "true"