From c046a4ccffc96b1965c0f2f46b96949c0abc5d28 Mon Sep 17 00:00:00 2001
From: Matthew Elwell
Date: Tue, 2 Jun 2026 18:04:37 +0100
Subject: [PATCH 01/13] ci: Add self-hosted Renovate workflow with CodeArtifact authentication

Replaces the hosted Renovate GitHub App with a self-hosted workflow so that uv.lock can be updated correctly when private CodeArtifact packages are involved.

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/renovate.yml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 .github/workflows/renovate.yml

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
new file mode 100644
index 000000000000..adc1ee6d920f
--- /dev/null
+++ b/.github/workflows/renovate.yml
@@ -0,0 +1,31 @@
+name: Renovate
+
+on:
+ schedule:
+ - cron: '0 3 * * *'
+ push:
+ branches:
+ - ci/self-hosted-renovate
+ workflow_dispatch: {}
+
+permissions:
+ contents: read
+ id-token: write # For CodeArtifact OIDC
+
+jobs:
+ renovate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+
+ - name: Authenticate with CodeArtifact
+ uses: ./.github/actions/codeartifact-login
+
+ - name: Run Renovate
+ uses: renovatebot/github-action@v40
+ env:
+ UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_USERNAME: ${{ env.UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_USERNAME }}
+ UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_PASSWORD: ${{ env.UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_PASSWORD }}
+ with:
+ token: ${{ secrets.GH_PRIVATE_ACCESS_TOKEN }}
From c4850ce921728410b59b5f5a4ebdd4c048f62d23 Mon Sep 17 00:00:00 2001
From: Matthew Elwell
Date: Tue, 2 Jun 2026 18:05:29 +0100
Subject: [PATCH 02/13] ci: Fix renovatebot/github-action version to v46.1.14

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/renovate.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index adc1ee6d920f..17d78df06a03 100644
--- a/.github/workflows/renovate.yml
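Review bot: Both third-party actions in the new workflow, `actions/checkout@v5` and `renovatebot/github-action@v40`, are pinned to mutable tags even though the job holds `id-token: write` and a token able to push branches and open pull requests, so a moved or compromised tag would run arbitrary code with those credentials. Pinning to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v5`, keeps the update path auditable, and Renovate itself can maintain such pins. The same applies to the `@v46.1.14` tag introduced in the next patch and to `actions/create-github-app-token@v1` in patch 04.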
+++ b/.github/workflows/renovate.yml
@@ -23,7 +23,7 @@ jobs:
 uses: ./.github/actions/codeartifact-login - name: Run Renovate - uses: renovatebot/github-action@v40 + uses: renovatebot/github-action@v46.1.14 env: UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_USERNAME: ${{ env.UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_USERNAME }} UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_PASSWORD: ${{ env.UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_PASSWORD }}
From a7698eaebb069a57754e0f56f4e3d7bc3b10c46e Mon Sep 17 00:00:00 2001
From: Matthew Elwell
Date: Tue, 2 Jun 2026 18:07:38 +0100
Subject: [PATCH 03/13] ci: Configure Renovate repository and git author

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/renovate.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 17d78df06a03..aa815982c409 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -25,6 +25,8 @@ jobs:
 - name: Run Renovate
 uses: renovatebot/github-action@v46.1.14
 env:
+ RENOVATE_REPOSITORIES: ${{ github.repository }}
+ RENOVATE_GIT_AUTHOR: ${{ vars.RENOVATE_GIT_AUTHOR }}
 UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_USERNAME: ${{ env.UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_USERNAME }}
 UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_PASSWORD: ${{ env.UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_PASSWORD }}
 with:
From 89ddc607ed5d22d6b3c0a76a6c125e88930b6959 Mon Sep 17 00:00:00 2001
From: Matthew Elwell
Date: Tue, 2 Jun 2026 18:32:31 +0100
Subject: [PATCH 04/13] ci: Use GitHub App token for Renovate authentication

Replaces the GH_PRIVATE_ACCESS_TOKEN PAT with a GitHub App token so that Renovate PRs and issues are attributed to the app bot identity rather than a personal account.

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/renovate.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index aa815982c409..000a62450fc4 100644
--- a/.github/workflows/renovate.yml
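Review bot: `RENOVATE_GIT_AUTHOR` is taken from `vars.RENOVATE_GIT_AUTHOR`, which expands to an empty string when the repository variable is not defined, and nothing in the step ties it to the identity the token commits as. As far as I recall Renovate's documented behaviour, it compares the author of the last commit on its branches with `gitAuthor` to decide whether a human has modified the branch, so a mismatch between this value and the token identity can make Renovate stop rebasing its own branches (possibly the "stale branch deadlock" that patch 11 works around). A comment on the line, `# Must match the bot identity behind the token passed to Renovate`, would document the coupling, and a small guard step that fails the job when the variable is empty would surface misconfiguration early. The enclosing step continues outside the hunk.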
+++ b/.github/workflows/renovate.yml
@@ -22,6 +22,13 @@ jobs:
 - name: Authenticate with CodeArtifact uses: ./.github/actions/codeartifact-login + - name: Generate GitHub App token + id: app-token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.RENOVATE_APP_ID }} + private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }} + - name: Run Renovate uses: renovatebot/github-action@v46.1.14 env:
@@ -30,4 +37,4 @@ jobs:
 UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_USERNAME: ${{ env.UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_USERNAME }}
 UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_PASSWORD: ${{ env.UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_PASSWORD }}
 with:
- token: ${{ secrets.GH_PRIVATE_ACCESS_TOKEN }}
+ token: ${{ steps.app-token.outputs.token }}
From 821234f922b77854acc59c9ee006934eea94b9e1 Mon Sep 17 00:00:00 2001
From: Matthew Elwell
Date: Tue, 2 Jun 2026 18:47:16 +0100
Subject: [PATCH 05/13] ci: Use depot runner for Renovate workflow

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/renovate.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 000a62450fc4..ab706c9bc072 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -14,7 +14,7 @@ permissions:
 jobs: renovate: - runs-on: ubuntu-latest + runs-on: depot-ubuntu-latest-16 steps: - name: Checkout uses: actions/checkout@v5
From da0ca707a73104fb57427885f7546f72397a23d7 Mon Sep 17 00:00:00 2001
From: Matthew Elwell
Date: Tue, 2 Jun 2026 18:54:42 +0100
Subject: [PATCH 06/13] ci: Recreate closed Renovate PRs automatically

Prevents security PRs from being silently dropped when manually closed.

Co-Authored-By: Claude Sonnet 4.6
---
 renovate.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/renovate.json b/renovate.json
index b9903ca90f42..28d15081c2c6 100644
--- a/renovate.json
+++ b/renovate.json
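Review bot: The new `Generate GitHub App token` step mints an installation token carrying whatever permissions the App installation grants, and the workflow-level `permissions:` block (`contents: read`, `id-token: write`) does not constrain it — that block only scopes `GITHUB_TOKEN`. A comment on the step would stop readers from assuming the job is read-only, e.g. `# Token scope comes from the App installation, not from the permissions block above`. If the action version in use supports per-run narrowing (recent releases expose `repositories` and `permission-*` inputs), limiting the token to this repository and to the contents, pull-requests and issues permissions Renovate needs would follow least privilege; check the README of the pinned version. The enclosing job continues outside the hunk.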
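Review bot: Moving the job to `depot-ubuntu-latest-16` places the App private key, the minted App token and the CodeArtifact credential on runner infrastructure operated by a third party rather than on GitHub-hosted runners, which widens the trust boundary of this workflow. Nothing in the hunk records that decision; a comment such as `# Third-party runner: this job's secrets are exposed to Depot infrastructure` next to `runs-on` would make it visible to future reviewers, and the threat model should confirm these runners are ephemeral per job. The enclosing job continues outside the hunk.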
@@ -4,6 +4,7 @@
 "security:only-security-updates",
 ":semanticCommitTypeAll(deps)"
 ],
+ "recreateClosed": true,
 "packageRules": [
 {
 "matchManagers": ["uv"],
From 063bcaae4d9a4b32d338a90632268848ba00db98 Mon Sep 17 00:00:00 2001
From: Matthew Elwell
Date: Tue, 2 Jun 2026 18:57:44 +0100
Subject: [PATCH 07/13] ci: Run Renovate via npx instead of Docker action

Avoids pulling the Renovate Docker image on every run, which was adding significant overhead. Running via npx is faster and cacheable.

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/renovate.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index ab706c9bc072..0c494ae83f74 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -30,11 +30,10 @@ jobs:
 private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }} - name: Run Renovate - uses: renovatebot/github-action@v46.1.14 + run: npx --yes renovate@46 env: + RENOVATE_TOKEN: ${{ steps.app-token.outputs.token }} RENOVATE_REPOSITORIES: ${{ github.repository }} RENOVATE_GIT_AUTHOR: ${{ vars.RENOVATE_GIT_AUTHOR }} UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_USERNAME: ${{ env.UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_USERNAME }} UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_PASSWORD: ${{ env.UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_PASSWORD }} - with: - token: ${{ steps.app-token.outputs.token }}
From f2c08b4d1c8a235822aa28f675eaed3b44330514 Mon Sep 17 00:00:00 2001
From: Matthew Elwell
Date: Tue, 2 Jun 2026 18:58:23 +0100
Subject: [PATCH 08/13] LOG_LEVEL=DEBUG

---
 .github/workflows/renovate.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 0c494ae83f74..0e8c04a1cabc 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -12,6 +12,9 @@ permissions:
 contents: read id-token: write # For CodeArtifact OIDC +env: + LOG_LEVEL: DEBUG + jobs: renovate: runs-on: depot-ubuntu-latest-16
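Review bot: `"recreateClosed": true` means a pull request that a maintainer closes deliberately — for example an update assessed as not applicable — is re-opened on the next run, and nothing in the config says how such an update should be suppressed instead. Because `renovate.json` cannot carry comments, the intended opt-out path (an `ignoreDeps` entry, or a `packageRules` entry with `"enabled": false` for the specific dependency) should be written into the repository's contributing or security documentation alongside this change.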
From ad8c60d9863bb544b25b6646b92c9b97397f0ac5 Mon Sep 17 00:00:00 2001
From: Matthew Elwell
Date: Tue, 2 Jun 2026 18:59:51 +0100
Subject: [PATCH 09/13] revert claude hallucination

---
 .github/workflows/renovate.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 0e8c04a1cabc..5290a696c5e7 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -33,7 +33,7 @@ jobs:
 private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }} - name: Run Renovate - run: npx --yes renovate@46 + uses: renovatebot/github-action@v46.1.14 env: RENOVATE_TOKEN: ${{ steps.app-token.outputs.token }} RENOVATE_REPOSITORIES: ${{ github.repository }}
From a40089c04293dfc06f04e18a6e467db6e692e988 Mon Sep 17 00:00:00 2001
From: Matthew Elwell
Date: Tue, 2 Jun 2026 19:13:38 +0100
Subject: [PATCH 10/13] ci: Pass CodeArtifact credentials to Renovate via RENOVATE_HOST_RULES
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

UV_INDEX_* env vars are not forwarded to uv subprocesses inside Renovate's container. RENOVATE_HOST_RULES is the correct mechanism — Renovate embeds the credentials when invoking uv lock.

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/renovate.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 5290a696c5e7..95e059e8844a 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -23,6 +23,7 @@ jobs:
 uses: actions/checkout@v5 - name: Authenticate with CodeArtifact + id: codeartifact uses: ./.github/actions/codeartifact-login - name: Generate GitHub App token
@@ -38,5 +39,5 @@ jobs:
 RENOVATE_TOKEN: ${{ steps.app-token.outputs.token }}
 RENOVATE_REPOSITORIES: ${{ github.repository }}
 RENOVATE_GIT_AUTHOR: ${{ vars.RENOVATE_GIT_AUTHOR }}
- UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_USERNAME: ${{ env.UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_USERNAME }}
- UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_PASSWORD: ${{ env.UV_INDEX_FLAGSMITH_PYPI_PRODUCTION_PASSWORD }}
+ RENOVATE_HOST_RULES: >-
+ [{"matchHost":"flagsmith-production-084060095745.d.codeartifact.eu-west-2.amazonaws.com","username":"aws","password":"${{ steps.codeartifact.outputs.token }}"}]
From ccfed355ebc02797462698e30ced259ba3aa6504 Mon Sep 17 00:00:00 2001
From: Matthew Elwell
Date: Tue, 2 Jun 2026 19:16:38 +0100
Subject: [PATCH 11/13] ci: Always rebase Renovate branches to prevent stale branch deadlock

Co-Authored-By: Claude Sonnet 4.6
---
 renovate.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/renovate.json b/renovate.json
index 28d15081c2c6..bb642ec2238c 100644
--- a/renovate.json
+++ b/renovate.json
@@ -5,6 +5,7 @@
 ":semanticCommitTypeAll(deps)"
 ],
 "recreateClosed": true,
+ "rebaseWhen": "always",
 "packageRules": [
 {
 "matchManagers": ["uv"],
From 008d96d7a82b3207b91cd58ec4ea8ebba0c6cd6c Mon Sep 17 00:00:00 2001
From: Matthew Elwell
Date: Tue, 2 Jun 2026 19:28:49 +0100
Subject: [PATCH 12/13] Remove temporary changes to workflow

---
 .github/workflows/renovate.yml | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 95e059e8844a..705356f13e88 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -3,18 +3,12 @@ name: Renovate
 on: schedule: - cron: '0 3 * * *' - push: - branches: - - ci/self-hosted-renovate workflow_dispatch: {} permissions: contents: read id-token: write # For CodeArtifact OIDC -env: - LOG_LEVEL: DEBUG - jobs: renovate: runs-on: depot-ubuntu-latest-16
From ee19f8e176d0074bc9711e32f2cb5cde69b0371f Mon Sep 17 00:00:00 2001
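Review bot: `RENOVATE_HOST_RULES` now embeds `steps.codeartifact.outputs.token` in a JSON string, and whether that value is masked in job logs depends on the `codeartifact-login` action having registered it with `::add-mask::` before emitting it as an output — step outputs are not masked automatically. Please confirm the action does this (or mask the value in this workflow), so that an accidental echo by a failing command or verbose logging does not expose the credential; note that `LOG_LEVEL: DEBUG` from patch 08 was still in effect at this point in the series. The folded scalar also assumes the token needs no JSON escaping; a comment recording that assumption, e.g. `# NOTE: token is interpolated into JSON unescaped — confirm it never contains '"' or '\'`, would help the next maintainer. The hostname `flagsmith-production-084060095745.d.codeartifact.eu-west-2.amazonaws.com` duplicates whatever the login action targets and can drift from it; exposing it as a second output of that action would keep the two in sync.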
From: Matthew Elwell
Date: Wed, 3 Jun 2026 10:40:24 +0100
Subject: [PATCH 13/13] Update to use Flagsmith Engineering GH app

---
 .github/workflows/renovate.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 705356f13e88..20722e91f5d7 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -24,8 +24,8 @@ jobs:
 id: app-token uses: actions/create-github-app-token@v1 with: - app-id: ${{ vars.RENOVATE_APP_ID }} - private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }} + app-id: ${{ vars.FLAGSMITH_ENGINEERING_GH_APP_ID }} + private-key: ${{ secrets.FLAGSMITH_ENGINEERING_GH_APP_PRIVATE_KEY }} - name: Run Renovate uses: renovatebot/github-action@v46.1.14
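Review bot: Switching from the dedicated Renovate App credentials to `FLAGSMITH_ENGINEERING_GH_APP_ID` / `FLAGSMITH_ENGINEERING_GH_APP_PRIVATE_KEY` means this job now runs with the installation permissions of an App that, judging by its name, is shared with other automation, so any permission later added to that App for another purpose is inherited here. If the shared App's permission set is wider than Renovate needs, narrowing the minted token per run (the action's `permission-*` inputs, where the pinned version supports them) or keeping a dedicated App would preserve least privilege; either way the choice deserves a comment on the step, e.g. `# Shared engineering App: token scope equals that App's installation permissions`. The enclosing job continues outside the hunk.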