Red Hat OpenShift Control Planes: CNTRLPLANE-1643

Enhance Renovate Configuration for Multi-Branch Dependency Management with Security-Focused Release Branch Strategy


      Description

      This enhancement significantly improves the HyperShift repository's automated dependency management by implementing a sophisticated multi-branch Renovate configuration that balances innovation on the main branch with security and stability on release branches.

      Background

      Previously, the Renovate configuration only managed Tekton task updates via Konflux/Mintmaker presets. This limited automation left Go dependencies manually managed across all branches, creating maintenance overhead and potential security exposure on release branches where timely CVE patches are critical.

      Implementation Details

      Multi-Branch Strategy

      • Base Branches: Extended coverage to main plus 6 release branches (4.16, 4.17, 4.18, 4.19, 4.20)
      • Selective Automation: Implements branch-specific dependency update policies

      Go Dependency Management Rules

      1. Main Branch - Full Updates

      • All Go dependency updates enabled
      • Supports keeping dependencies current
      • Allows testing of new library versions before release branch creation

      2. Release Branches - Security Only

      • Go dependency updates disabled by default to reduce reviewer fatigue
      • Security vulnerability updates explicitly enabled via vulnerabilityAlerts
      • Minimizes risk of introducing breaking changes while ensuring CVE patches are applied
      • Maintains stability of released versions

      3. Tekton Tasks - All Branches

      • Continues leveraging Konflux Mintmaker presets
      • Maintains existing Fedora stable update integration
      • Branch concurrency limited to 10 for controlled rollout

      Configuration Structure

      The new packageRules array implements a layered approach:

      • Global disable rule for Go modules (baseline security)
      • Main branch override enabling all updates (innovation)
      • Release branch override enabling only vulnerability fixes (stability + security)
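A renovate.json laid out the way this section describes (baseline gomod disable, main override, release-branch rule, with vulnerabilityAlerts carrying the security exception) is shown below as an added illustration; it is not the HyperShift repository's actual file. Assumed here: release branches are named release-4.x, the Mintmaker preset name is a placeholder, and the "security" label is made up.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["<MINTMAKER_PRESET_PLACEHOLDER>"],
  "baseBranches": [
    "main",
    "release-4.16", "release-4.17", "release-4.18", "release-4.19", "release-4.20"
  ],
  "branchConcurrentLimit": 10,
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"]
  },
  "packageRules": [
    {
      "description": "Tier 1 (baseline): no routine Go module updates on any branch unless a later rule re-enables them",
      "matchManagers": ["gomod"],
      "enabled": false
    },
    {
      "description": "Tier 2: main receives every Go module update",
      "matchManagers": ["gomod"],
      "matchBaseBranches": ["main"],
      "enabled": true
    },
    {
      "description": "Tier 3: release branches keep routine Go updates off; vulnerabilityAlerts above is applied with force, so PRs for vulnerable versions are still raised",
      "matchManagers": ["gomod"],
      "matchBaseBranches": ["/^release-4\\.(16|17|18|19|20)$/"],
      "enabled": false
    }
  ]
}
```

The "validates against Renovate schema" acceptance criterion can be checked locally with `npx --yes --package renovate -- renovate-config-validator renovate.json` before the change is merged.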

      Benefits

      1. Enhanced Security Posture: Automated CVE patching on release branches ensures timely security updates without manual intervention
      2. Reduced Maintenance Burden: Eliminates manual tracking of security advisories across 6+ release branches
      3. Risk Mitigation: Security-only updates on release branches prevent unexpected breakage from feature updates
      4. Improved Main Branch Currency: Full automation keeps the main branch dependencies fresh and tested
      5. Consistent Process: Standardized approach across all supported release versions
      6. Scalability: Easy to add new release branches as they are created

      Technical Implementation

      Configuration Changes

      • Added baseBranches array with 7 branch targets
      • Implemented 3-tier packageRules hierarchy with gomod manager controls
      • Preserved existing Tekton automation configuration
      • Maintained branch concurrency limits

      Files Modified

      • renovate.json - Complete restructure with expanded functionality (43 lines vs 9 lines)

      Acceptance Criteria

      • Renovate processes updates on main and all 6 release branches
      • Main branch receives all Go dependency update PRs
      • Release branches only receive Go security vulnerability updates
      • Tekton task updates continue functioning via Mintmaker presets
      • Configuration validates against Renovate schema
      • Branch concurrency limits prevent overwhelming CI/CD

      Related Context

      This configuration aligns with OpenShift's supported release strategy where multiple minor versions (4.16-4.20) remain actively supported, security patches must be backported to all supported releases, stability on release branches is paramount, and main branch development proceeds independently.

      The security-focused approach for release branches narrows the window in which a release branch ships a dependency with a known CVE, while maintaining development velocity on main.

              asegurap1@redhat.com Antoni Segura Puimedon