ci(renovate): use semver for Node digests #680
fro-bot
left a comment
Verdict: CONDITIONAL
The intent is correct — using node versioning for Node.js Docker images so Renovate can parse semver from tags like 20, 20-alpine, lts-alpine, etc. The versionCompatibility regex cleanly handles the - suffix stripping. However, there is one blocking issue.
Blocking issues
matchUpdateTypes removal widens rule scope unintentionally.
The original rule explicitly matched only ['digest'], scoping it to digest-only updates and applying the custom commit message formatting only in that narrow case. Removing matchUpdateTypes means this rule now matches all update types (major, minor, patch, digest, pin, pinDigest, rollback, replacement) for Node.js Docker images.
This is almost certainly unintended — the rule exists to customize formatting for digest-pinned updates. For semver updates (e.g., 20 → 22), there is presumably a separate rule or the defaults apply. By removing the filter, this rule now overrides commitMessageExtra and changelogUrl for all Node update types, which may cause unexpected commit messages for major/minor/patch bumps.
If the goal is to handle digest updates with semver-aware versioning (so the version is shown in the commit rather than just currentValue), the fix is to keep matchUpdateTypes: ['digest'] or add ['digest', 'pinDigest']:
```js
{
  matchDatasources: ['docker'],
  matchPackageNames: ['/^((docker[.]io/library/)?node|library/node)$/'],
  matchUpdateTypes: ['digest', 'pinDigest'],
  versioning: 'node',
  versionCompatibility: '^(?<version>[^-]+)(?<compatibility>-.*)?$',
  commitMessageTopic: 'Node.js',
  commitMessageExtra: 'to {{newValue}}@{{newDigestShort}}',
  changelogUrl: 'https://github.com/nodejs/node/releases/tag/v{{{replace "-.*$" "" newValue}}}',
},
```
Non-blocking concerns
- The `changelogUrl` Handlebars expression `{{{replace "-.*$" "" newValue}}}` uses triple-brace (unescaped HTML) syntax. This is intentional for URLs but worth confirming that Renovate's template engine supports this form in `changelogUrl` (it does for `commitMessage` fields). Low risk either way — if unsupported it is silently ignored.
- Removing `matchUpdateTypes` in conjunction with `versioning: 'node'` and `versionCompatibility` may cause Renovate to attempt semver comparisons on tags it previously handled as opaque digests, potentially generating spurious update PRs if the node versioning scheme does not recognize all tags in use.
Missing tests
None — Renovate config changes are not typically unit-tested in this repo.
Risk assessment (LOW/MED/HIGH): MED
The widened rule scope could generate unexpected PRs or commit message formats for Node.js Docker image version bumps. Restoring matchUpdateTypes to ['digest'] (or ['digest', 'pinDigest']) bounds the blast radius to the intended use case.
Run Summary
| Field | Value |
|---|---|
| Event | pull_request |
| Repository | fro-bot/agent |
| Run ID | 26554322951 |
| Cache | hit |
| Session | ses_193326572ffeVe4cvFJeovZ4MN |
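An added example, not part of the PR or of the review comment above: a simplified JavaScript model of the rule under review, showing how the `versionCompatibility` pattern splits tags and how omitting `matchUpdateTypes` widens the rule. The regexes and update-type names are copied from the comment; `splitTag`, `releaseTag`, `ruleMatches` and `matchedTypes` are hypothetical helpers, and the matcher is an assumption about rule semantics (an omitted matcher imposes no restriction), not Renovate's implementation.

```javascript
// Added illustration: a simplified model, not Renovate's own code.
// Patterns are copied from the rule quoted in the review comment.
const VERSION_COMPATIBILITY = /^(?<version>[^-]+)(?<compatibility>-.*)?$/;
const NODE_IMAGE = /^((docker[.]io\/library\/)?node|library\/node)$/;

// Update types listed in the review comment.
const UPDATE_TYPES = ['major', 'minor', 'patch', 'digest', 'pin', 'pinDigest', 'rollback', 'replacement'];

// Split a Docker tag into its version part and its "-suffix" compatibility part.
function splitTag(tag) {
  const m = VERSION_COMPATIBILITY.exec(tag);
  if (!m) return null; // e.g. a tag that starts with "-"
  return { version: m.groups.version, compatibility: m.groups.compatibility ?? '' };
}

// Release tag used in changelogUrl: the `replace "-.*$" ""` step applied to newValue.
function releaseTag(newValue) {
  return 'v' + newValue.replace(/-.*$/, '');
}

// Hypothetical matcher: every matcher present must pass; an absent one matches everything.
function ruleMatches(rule, update) {
  if (rule.matchDatasources && !rule.matchDatasources.includes(update.datasource)) return false;
  if (rule.matchPackageNames && !rule.matchPackageNames.some((re) => re.test(update.packageName))) return false;
  if (rule.matchUpdateTypes && !rule.matchUpdateTypes.includes(update.updateType)) return false;
  return true;
}

// The rule as the review recommends it, and the same rule with matchUpdateTypes removed.
const scoped = { matchDatasources: ['docker'], matchPackageNames: [NODE_IMAGE], matchUpdateTypes: ['digest', 'pinDigest'] };
const widened = { matchDatasources: ['docker'], matchPackageNames: [NODE_IMAGE] };

// Which update types a rule would apply to for a given image name.
function matchedTypes(rule, packageName = 'node') {
  return UPDATE_TYPES.filter((updateType) =>
    ruleMatches(rule, { datasource: 'docker', packageName, updateType }));
}

// Constructed sample tags, chosen to cover the forms named in the review.
for (const tag of ['20', '20-alpine', 'lts-alpine', '22.3.0-bookworm-slim']) {
  console.log(tag, splitTag(tag), releaseTag(tag));
}
console.log('scoped :', matchedTypes(scoped).join(', '));
console.log('widened:', matchedTypes(widened).join(', '));
```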
fro-bot
left a comment
Verdict: PASS
The blocking issue from the previous review has been addressed. The fix commit () restores matchUpdateTypes: ['digest', 'pinDigest'], scoping the rule to digest and pinDigest updates exactly as intended.
The full change now correctly:
- Restricts the rule to digest/pinDigest update types only
- Adds `node` versioning + `versionCompatibility` so Renovate parses semver from tags like `20-alpine`
- Uses `{{newValue}}` (appropriate for version-aware updates) instead of `{{currentValue}}`
- Appends a changelog URL pointing to the correct Node.js release tag
Blocking issues
None.
Non-blocking concerns
- The `changelogUrl` triple-brace syntax (`{{{replace "-.*$" "" newValue}}}`) is fine — Renovate supports this in template fields and it is the correct form for unescaped URL output.
Missing tests
None — Renovate config changes are not typically unit-tested in this repo.
Risk assessment (LOW/MED/HIGH): LOW
Scope is tightly bounded to Node.js Docker digest/pinDigest updates. No other rules or update types are affected.
Run Summary
| Field | Value |
|---|---|
| Event | pull_request |
| Repository | fro-bot/agent |
| Run ID | 26554476020 |
| Cache | hit |
| Session | ses_193326572ffeVe4cvFJeovZ4MN |
No description provided.