From 8f754bb734cb039b706e15dc66333178d562a739 Mon Sep 17 00:00:00 2001 From: Titus Fortner Date: Mon, 18 May 2026 08:54:59 -0500 Subject: [PATCH 1/5] [build] add renovate dependency workflow --- .github/workflows/ci-renovate-rbe.yml | 79 ------------ .github/workflows/renovate-dependencies.yml | 123 +++++++++++++++++++ .github/workflows/renovate-dependency-pr.yml | 101 +++++++++++++++ 3 files changed, 224 insertions(+), 79 deletions(-) delete mode 100644 .github/workflows/ci-renovate-rbe.yml create mode 100644 .github/workflows/renovate-dependencies.yml create mode 100644 .github/workflows/renovate-dependency-pr.yml diff --git a/.github/workflows/ci-renovate-rbe.yml b/.github/workflows/ci-renovate-rbe.yml deleted file mode 100644 index 6061011153877..0000000000000 --- a/.github/workflows/ci-renovate-rbe.yml +++ /dev/null @@ -1,79 +0,0 @@ -name: CI - Renovate - RBE - -on: - push: - branches: - - renovate/* - workflow_dispatch: - -permissions: - contents: read - -jobs: - pin: - name: Repin Dependencies - if: github.event.repository.fork == false - uses: ./.github/workflows/bazel.yml - with: - name: Repin Dependencies - run: | - COMMITS="${{ join(github.event.commits.*.message, ' ') }}" - if [[ "$COMMITS" == *"[java]"* ]]; then - RULES_JVM_EXTERNAL_REPIN=1 bazel run @maven//:pin - fi - if [[ "$COMMITS" == *"[rust]"* ]]; then - CARGO_BAZEL_REPIN=true bazel run @crates//:all - fi - if [[ "$COMMITS" == *"[js]"* ]]; then - bazel run -- @pnpm//:pnpm install --dir "$PWD" --lockfile-only - fi - if [[ "$COMMITS" == *"[dotnet]"* ]]; then - ./dotnet/update-deps.sh - fi - if [[ "$COMMITS" == *"[py]"* ]]; then - bazel run //py:requirements.update - fi - if [[ "$COMMITS" == *"[rb]"* ]]; then - ./go rb:pin - fi - artifact-name: repin-changes - - commit-repins: - name: Commit Repins - needs: pin - if: github.event.repository.fork == false - permissions: - contents: write - actions: read - uses: ./.github/workflows/commit-changes.yml - with: - artifact-name: repin-changes - commit-message: "Repin dependencies" - - check-format: - needs: commit-repins - name: Check format - if: github.event.repository.fork == false - uses: ./.github/workflows/bazel.yml - with: - name: Check format script run - caching: false - ruby-version: jruby-10.0.0.0 - run: ./scripts/github-actions/check-format.sh - - test: - name: Test - needs: commit-repins - if: github.event.repository.fork == false - uses: ./.github/workflows/bazel.yml - with: - name: All RBE tests - caching: false - ruby-version: jruby-10.0.0.0 - run: ./scripts/github-actions/ci-build.sh - - ci-gh: - name: CI - GitHub - needs: commit-repins - if: github.event.repository.fork == false - uses: ./.github/workflows/ci.yml diff --git a/.github/workflows/renovate-dependencies.yml b/.github/workflows/renovate-dependencies.yml new file mode 100644 index 0000000000000..862bd8e690a12 --- /dev/null +++ b/.github/workflows/renovate-dependencies.yml @@ -0,0 +1,123 @@ +name: Renovate Dependencies + +on: + workflow_dispatch: + inputs: + base-ref: + description: Base branch or ref to update + required: true + default: trunk + type: string + +concurrency: + group: renovate-dependencies + cancel-in-progress: true + +permissions: + actions: read + contents: write + issues: write + pull-requests: write + +jobs: + prepare-updates: + name: Prepare Bazel updates + if: github.event.repository.fork == false + uses: ./.github/workflows/bazel.yml + with: + name: Prepare Bazel updates + ref: ${{ inputs.base-ref }} + caching: false + run: | + ./go all:update + ./go rust:update + artifact-name: bazel-updates + + push-update-branch: + name: Push Bazel update branch + needs: prepare-updates + if: github.event.repository.fork == false + uses: ./.github/workflows/commit-changes.yml + with: + artifact-name: bazel-updates + commit-message: "Update dependencies" + ref: ${{ inputs.base-ref }} + push-branch: temp/bazel-updates + secrets: + SELENIUM_CI_TOKEN: ${{ secrets.SELENIUM_CI_TOKEN }} + + renovate: + name: Renovate ${{ matrix.kind }} dependencies + needs: push-update-branch + if: github.event.repository.fork == false + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + kind: [minor, major] + steps: + - name: Checkout update branch + uses: actions/checkout@v6 + with: + ref: temp/bazel-updates + - name: Reset eval branch + env: + EVAL_BRANCH: renovate/${{ matrix.kind }}-eval + run: | + if git ls-remote --exit-code --heads origin "$EVAL_BRANCH" >/dev/null; then + git push origin --delete "$EVAL_BRANCH" + fi + - name: Configure Renovate + env: + KIND: ${{ matrix.kind }} + run: | + if [ "$KIND" = "major" ]; then + update_rules='[{"enabled": false}, {"matchUpdateTypes": ["major"], "enabled": true}]' + else + update_rules='[{"matchUpdateTypes": ["major"], "enabled": false}]' + fi + + { + echo "RENOVATE_FORCE<> "$GITHUB_ENV" + - name: Run Renovate + uses: renovatebot/github-action@v46.1.14 + with: + token: ${{ secrets.SELENIUM_CI_TOKEN || github.token }} + env: + LOG_LEVEL: info + RENOVATE_PLATFORM: github + RENOVATE_REPOSITORIES: ${{ github.repository }} + + dependency-pr: + name: ${{ matrix.kind }} dependency PR + needs: renovate + if: always() && github.event.repository.fork == false + strategy: + fail-fast: false + matrix: + kind: [minor, major] + uses: ./.github/workflows/renovate-dependency-pr.yml + with: + base-ref: ${{ inputs.base-ref }} + kind: ${{ matrix.kind }} + secrets: + SELENIUM_CI_TOKEN: ${{ secrets.SELENIUM_CI_TOKEN }} diff --git a/.github/workflows/renovate-dependency-pr.yml b/.github/workflows/renovate-dependency-pr.yml new file mode 100644 index 0000000000000..d435487ae8b3b --- /dev/null +++ b/.github/workflows/renovate-dependency-pr.yml @@ -0,0 +1,101 @@ +name: Renovate Dependency PR + +on: + workflow_call: + inputs: + base-ref: + description: Base branch or ref to target + required: true + type: string + kind: + description: Dependency update type. Must be minor or major. + required: true + type: string + secrets: + SELENIUM_CI_TOKEN: + required: false + +permissions: + actions: read + contents: write + issues: write + pull-requests: write + +jobs: + detect-branch: + name: Detect ${{ inputs.kind }} branch + runs-on: ubuntu-latest + outputs: + exists: ${{ steps.detect.outputs.exists }} + steps: + - name: Detect branch + id: detect + env: + GH_TOKEN: ${{ github.token }} + run: | + case "${{ inputs.kind }}" in + minor|major) ;; + *) echo "::error::kind must be minor or major"; exit 1 ;; + esac + echo "exists=$(gh api repos/${{ github.repository }}/branches/renovate/${{ inputs.kind }}-eval --silent && echo "true" || echo "false")" >> "$GITHUB_OUTPUT" + + evaluate: + name: Evaluate ${{ inputs.kind }} dependencies + needs: detect-branch + if: needs.detect-branch.outputs.exists == 'true' + uses: ./.github/workflows/bazel.yml + with: + name: Evaluate ${{ inputs.kind }} dependencies + ref: renovate/${{ inputs.kind }}-eval + ruby-version: jruby-10.1.0.0 + run: | + ./go all:pin + ./go rust:pin + ./scripts/github-actions/ci-build.sh + artifact-name: ${{ inputs.kind }}-dependency-pins + + commit-pins: + name: Commit ${{ inputs.kind }} pin changes + needs: evaluate + uses: ./.github/workflows/commit-changes.yml + with: + artifact-name: ${{ inputs.kind }}-dependency-pins + commit-message: "Repin dependencies" + ref: renovate/${{ inputs.kind }}-eval + push-branch: renovate/${{ inputs.kind }}-eval + secrets: + SELENIUM_CI_TOKEN: ${{ secrets.SELENIUM_CI_TOKEN }} + + promote: + name: Promote ${{ inputs.kind }} dependencies + needs: [evaluate, commit-pins] + runs-on: ubuntu-latest + steps: + - name: Checkout eval branch + uses: actions/checkout@v6 + with: + ref: renovate/${{ inputs.kind }}-eval + - name: Create or update PR + uses: peter-evans/create-pull-request@v8 + with: + token: ${{ secrets.SELENIUM_CI_TOKEN }} + branch: renovate/${{ inputs.kind }} + base: ${{ inputs.base-ref }} + title: "[build] Update ${{ inputs.kind }} dependencies" + labels: | + C-build + B-dependencies + body: | + This PR contains the latest passing ${{ inputs.kind }} dependency updates. + + Included changes: + - Repository dependency updates from `./go all:update` and `./go rust:update` + - Renovate dependency updates for this update type + - Generated dependency pins after `./go all:pin` and `./go rust:pin` + + This branch only advances after pinning and RBE validation pass. If a later evaluation fails, the PR stays on the most recent passing dependency set and the workflow run shows what failed. + + The Renovate [Dependency Dashboard](https://github.com/${{ github.repository }}/issues/13964) is independent of this PR and is used to inspect specific versions and evaluate updates; do not approve dashboard items to drive merges here. + + Workflow runs: ${{ github.server_url }}/${{ github.repository }}/actions/workflows/renovate-dependencies.yml + This PR run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} From 7b889460bf00de3fffa30c10f370da7c20b62d5d Mon Sep 17 00:00:00 2001 From: Titus Fortner Date: Mon, 18 May 2026 18:04:22 -0500 Subject: [PATCH 2/5] [build] simplify renovate orchestration and apply renovate.json rules --- .github/workflows/renovate-dependencies.yml | 59 ++++++--------------- renovate.json | 14 +++++ 2 files changed, 31 insertions(+), 42 deletions(-) diff --git a/.github/workflows/renovate-dependencies.yml b/.github/workflows/renovate-dependencies.yml index 862bd8e690a12..b45cf9036e6d6 100644 --- a/.github/workflows/renovate-dependencies.yml +++ b/.github/workflows/renovate-dependencies.yml @@ -47,57 +47,23 @@ jobs: SELENIUM_CI_TOKEN: ${{ secrets.SELENIUM_CI_TOKEN }} renovate: - name: Renovate ${{ matrix.kind }} dependencies + name: Renovate dependencies needs: push-update-branch if: github.event.repository.fork == false runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - kind: [minor, major] steps: - name: Checkout update branch uses: actions/checkout@v6 with: ref: temp/bazel-updates - - name: Reset eval branch - env: - EVAL_BRANCH: renovate/${{ matrix.kind }}-eval - run: | - if git ls-remote --exit-code --heads origin "$EVAL_BRANCH" >/dev/null; then - git push origin --delete "$EVAL_BRANCH" - fi - - name: Configure Renovate - env: - KIND: ${{ matrix.kind }} + - name: Reset eval branches run: | - if [ "$KIND" = "major" ]; then - update_rules='[{"enabled": false}, {"matchUpdateTypes": ["major"], "enabled": true}]' - else - update_rules='[{"matchUpdateTypes": ["major"], "enabled": false}]' - fi - - { - echo "RENOVATE_FORCE<> "$GITHUB_ENV" + for kind in minor major; do + branch="renovate/${kind}-eval" + if git ls-remote --exit-code --heads origin "$branch" >/dev/null; then + git push origin --delete "$branch" + fi + done - name: Run Renovate uses: renovatebot/github-action@v46.1.14 with: @@ -106,6 +72,15 @@ jobs: LOG_LEVEL: info RENOVATE_PLATFORM: github RENOVATE_REPOSITORIES: ${{ github.repository }} + RENOVATE_FORCE: | + { + "baseBranchPatterns": ["temp/bazel-updates"], + "dependencyDashboard": false, + "dependencyDashboardApproval": false, + "prCreation": "approval", + "pruneStaleBranches": false, + "schedule": null + } dependency-pr: name: ${{ matrix.kind }} dependency PR diff --git a/renovate.json b/renovate.json index 0a1f17d531a1c..cc1bafd3ce4c4 100644 --- a/renovate.json +++ b/renovate.json @@ -140,6 +140,20 @@ "matchManagers": ["bazel-module"], "matchPackageNames": ["rules_python"], "allowedVersions": "<2" + }, + { + "description": "Orchestrated workflow only: group major updates into the major-eval branch.", + "matchBaseBranches": ["temp/bazel-updates"], + "matchUpdateTypes": ["major"], + "groupName": "major dependency updates", + "groupSlug": "major-eval" + }, + { + "description": "Orchestrated workflow only: group non-major updates into the minor-eval branch.", + "matchBaseBranches": ["temp/bazel-updates"], + "matchUpdateTypes": ["minor", "patch", "pin", "digest"], + "groupName": "minor dependency updates", + "groupSlug": "minor-eval" } ] } From fbe66c11e0d9a5e3608780333a89c8950b993704 Mon Sep 17 00:00:00 2001 From: Titus Fortner Date: Mon, 18 May 2026 18:09:13 -0500 Subject: [PATCH 3/5] address review feedback --- .github/workflows/renovate-dependencies.yml | 14 ++++++++++++++ .github/workflows/renovate-dependency-pr.yml | 13 +++++++++---- 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/.github/workflows/renovate-dependencies.yml b/.github/workflows/renovate-dependencies.yml index b45cf9036e6d6..636d9ea9e1b02 100644 --- a/.github/workflows/renovate-dependencies.yml +++ b/.github/workflows/renovate-dependencies.yml @@ -20,8 +20,22 @@ permissions: pull-requests: write jobs: + reset-update-branch: + name: Reset temp/bazel-updates to ${{ inputs.base-ref }} + if: github.event.repository.fork == false + runs-on: ubuntu-latest + steps: + - name: Checkout base ref + uses: actions/checkout@v6 + with: + ref: ${{ inputs.base-ref }} + token: ${{ secrets.SELENIUM_CI_TOKEN || github.token }} + - name: Force-push to temp/bazel-updates + run: git push --force origin "HEAD:temp/bazel-updates" + prepare-updates: name: Prepare Bazel updates + needs: reset-update-branch if: github.event.repository.fork == false uses: ./.github/workflows/bazel.yml with: diff --git a/.github/workflows/renovate-dependency-pr.yml b/.github/workflows/renovate-dependency-pr.yml index d435487ae8b3b..74ff77d6c4b0a 100644 --- a/.github/workflows/renovate-dependency-pr.yml +++ b/.github/workflows/renovate-dependency-pr.yml @@ -13,7 +13,7 @@ on: type: string secrets: SELENIUM_CI_TOKEN: - required: false + required: true permissions: actions: read @@ -31,13 +31,17 @@ jobs: - name: Detect branch id: detect env: - GH_TOKEN: ${{ github.token }} + KIND: ${{ inputs.kind }} run: | - case "${{ inputs.kind }}" in + case "$KIND" in minor|major) ;; *) echo "::error::kind must be minor or major"; exit 1 ;; esac - echo "exists=$(gh api repos/${{ github.repository }}/branches/renovate/${{ inputs.kind }}-eval --silent && echo "true" || echo "false")" >> "$GITHUB_OUTPUT" + if git ls-remote --exit-code --heads origin "renovate/${KIND}-eval" >/dev/null; then + echo "exists=true" >> "$GITHUB_OUTPUT" + else + echo "exists=false" >> "$GITHUB_OUTPUT" + fi evaluate: name: Evaluate ${{ inputs.kind }} dependencies @@ -51,6 +55,7 @@ jobs: run: | ./go all:pin ./go rust:pin + ./go format ./scripts/github-actions/ci-build.sh artifact-name: ${{ inputs.kind }}-dependency-pins From 7895f48d7fcb310ea0ab6abdf3783523149ee87d Mon Sep 17 00:00:00 2001 From: Titus Fortner Date: Mon, 18 May 2026 18:28:12 -0500 Subject: [PATCH 4/5] more fixes --- .github/workflows/renovate-dependency-pr.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/renovate-dependency-pr.yml b/.github/workflows/renovate-dependency-pr.yml index 74ff77d6c4b0a..225dfcd9c9038 100644 --- a/.github/workflows/renovate-dependency-pr.yml +++ b/.github/workflows/renovate-dependency-pr.yml @@ -32,12 +32,13 @@ jobs: id: detect env: KIND: ${{ inputs.kind }} + REPO_URL: ${{ github.server_url }}/${{ github.repository }}.git run: | case "$KIND" in minor|major) ;; *) echo "::error::kind must be minor or major"; exit 1 ;; esac - if git ls-remote --exit-code --heads origin "renovate/${KIND}-eval" >/dev/null; then + if git ls-remote --exit-code --heads "$REPO_URL" "renovate/${KIND}-eval" >/dev/null; then echo "exists=true" >> "$GITHUB_OUTPUT" else echo "exists=false" >> "$GITHUB_OUTPUT" From d644e2d5be0873e55d66bb64b12d5c77b4ac3ed8 Mon Sep 17 00:00:00 2001 From: Titus Fortner Date: Mon, 18 May 2026 18:58:04 -0500 Subject: [PATCH 5/5] fix how we are using create-pull-request action --- .github/workflows/renovate-dependency-pr.yml | 44 +++++++++++--------- 1 file changed, 24 insertions(+), 20 deletions(-) diff --git a/.github/workflows/renovate-dependency-pr.yml b/.github/workflows/renovate-dependency-pr.yml index 225dfcd9c9038..06ff7601acd28 100644 --- a/.github/workflows/renovate-dependency-pr.yml +++ b/.github/workflows/renovate-dependency-pr.yml @@ -4,7 +4,7 @@ on: workflow_call: inputs: base-ref: - description: Base branch or ref to target + description: Base branch to target required: true type: string kind: @@ -58,33 +58,36 @@ jobs: ./go rust:pin ./go format ./scripts/github-actions/ci-build.sh - artifact-name: ${{ inputs.kind }}-dependency-pins - - commit-pins: - name: Commit ${{ inputs.kind }} pin changes - needs: evaluate - uses: ./.github/workflows/commit-changes.yml - with: - artifact-name: ${{ inputs.kind }}-dependency-pins - commit-message: "Repin dependencies" - ref: renovate/${{ inputs.kind }}-eval - push-branch: renovate/${{ inputs.kind }}-eval - secrets: - SELENIUM_CI_TOKEN: ${{ secrets.SELENIUM_CI_TOKEN }} + git fetch origin "${{ inputs.base-ref }}" --depth=1 + git add -A + git diff --binary --cached "origin/${{ inputs.base-ref }}" > full-changes.patch + artifact-name: ${{ inputs.kind }}-dependency-changes + artifact-path: full-changes.patch promote: name: Promote ${{ inputs.kind }} dependencies - needs: [evaluate, commit-pins] + needs: evaluate runs-on: ubuntu-latest steps: - - name: Checkout eval branch + - name: Checkout base uses: actions/checkout@v6 with: - ref: renovate/${{ inputs.kind }}-eval + ref: ${{ inputs.base-ref }} + persist-credentials: false + - name: Download patch + uses: actions/download-artifact@v8 + with: + name: ${{ inputs.kind }}-dependency-changes + - name: Apply patch + run: | + git apply --index full-changes.patch + rm full-changes.patch - name: Create or update PR uses: peter-evans/create-pull-request@v8 with: token: ${{ secrets.SELENIUM_CI_TOKEN }} + commit-message: "[build] Update ${{ inputs.kind }} dependencies" + author: Selenium CI Bot branch: renovate/${{ inputs.kind }} base: ${{ inputs.base-ref }} title: "[build] Update ${{ inputs.kind }} dependencies" @@ -92,14 +95,15 @@ jobs: C-build B-dependencies body: | - This PR contains the latest passing ${{ inputs.kind }} dependency updates. + This PR contains the latest passing ${{ inputs.kind }} dependency updates, squashed into a single commit. Included changes: - Repository dependency updates from `./go all:update` and `./go rust:update` - - Renovate dependency updates for this update type + - Renovate ${{ inputs.kind }} dependency updates - Generated dependency pins after `./go all:pin` and `./go rust:pin` + - Formatting fixes from `./go format` - This branch only advances after pinning and RBE validation pass. If a later evaluation fails, the PR stays on the most recent passing dependency set and the workflow run shows what failed. + This PR only advances when pinning, formatting, and RBE validation all pass. If a later evaluation fails, the PR stays on the most recent passing dependency set and the workflow run shows what failed. The Renovate [Dependency Dashboard](https://github.com/${{ github.repository }}/issues/13964) is independent of this PR and is used to inspect specific versions and evaluate updates; do not approve dashboard items to drive merges here.