SONARJAVA-6316 Use semver range updates (not pinning) for SonarSource GitHub Actions#83

Open
tomasz-tylenda-sonarsource wants to merge 2 commits into master from renovate/reconfigure

Conversation

tomasz-tylenda-sonarsource (Contributor):

No description provided.

hashicorp-vault-sonar-prod (bot) changed the title from "Reconfigure renovate" to "SONARJAVA-6316 Reconfigure renovate" on May 1, 2026

hashicorp-vault-sonar-prod (bot) commented May 1, 2026:

SONARJAVA-6316

sonar-review-alpha (bot) commented May 1, 2026:

Summary

This PR adds a new Renovate configuration rule for SonarSource GitHub Actions to use semver range updates instead of exact version pinning. The change applies the "replace" range strategy to any GitHub Actions from the SonarSource organization, allowing automatic minor and patch version updates while maintaining flexibility rather than locking to specific versions.

What reviewers should know

What to review:

  • The config rule targets the correct package pattern (^SonarSource/) and manager (github-actions)
  • The rangeStrategy: "replace" setting implements the intended semver range behavior per the ticket title
  • Placement in the config is correct — positioned among other manager-specific overrides and before quarterly update rules

Context:

  • This is purely a configuration change with no code impact
  • The comment in the config clearly explains the intent
  • Part of SONARJAVA-6316, which appears to be about standardizing dependency update strategies


tomasz-tylenda-sonarsource changed the title from "SONARJAVA-6316 Reconfigure renovate" to "SONARJAVA-6316 Use semver range updates (not pinning) for SonarSource GitHub Actions" on May 1, 2026

tomasz-tylenda-sonarsource force-pushed the renovate/reconfigure branch 2 times, most recently from 2393643 to 93f608b on May 1, 2026 09:27

sonarqube-next (bot) commented May 1, 2026:

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
No data about Duplication

See analysis details on SonarQube

sonar-review-alpha (bot) left a review:

The new rule is mostly correct, but there's a coverage gap worth clarifying before merge.


Comment thread on renovate.json5 (excerpt):
{
// Use semver range updates (not pinning) for SonarSource GitHub Actions
matchManagers: [ "github-actions" ],
matchPackagePatterns: [ "^SonarSource/" ],

The pattern ^SonarSource/ is a case-sensitive regex. Five workflow files reference sonarsource/gh-action-lt-backlog (lowercase s) — specifically in PullRequestCreated.yml, PullRequestClosed.yml, RequestReview.yml, SubmitReview.yml, and ToggleLockBranch.yml.

Those actions use @v2-style tags and won't be matched by this rule, so they won't receive rangeStrategy: "replace" unless the parent config (quality-jvm-squad) already covers them.

If excluding sonarsource/ is intentional (e.g. the parent config already handles it), add a comment explaining why. If it's an oversight, widen the pattern to cover both casings:

Suggested change
matchPackagePatterns: [ "^SonarSource/" ],
matchPackagePatterns: [ "(?i)^sonarsource/" ],
