
chore: configure Konflux bot for Python and pipeline dependency updates#1283

Closed
anik120 wants to merge 1 commit intolightspeed-core:mainfrom
anik120:enable-konflux-bot

Conversation

@anik120

@anik120 anik120 commented Mar 6, 2026

Description

Configures Konflux bot to automatically track and create PRs for dependency updates.

Enabled tracking for:

  • Python dependencies (requirements files, pyproject.toml)
  • Tekton pipeline tasks
  • Dockerfile base images
  • GitHub Actions

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • [*] Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement
  • Benchmarks improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

  • Assisted-by: Claude

Related Tickets & Documents

  • Related Issue #
  • Closes #

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Please provide detailed steps to perform tests related to this code change.
  • How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

  • Chores
    • Extended dependency management to support Python packages, Docker images, and GitHub Actions alongside Tekton pipelines.
    • Configured automated grouping of related updates: Tekton pipelines, Python build dependencies, and security patches.
    • Enabled vulnerability alerts with security labels and scheduled dependency review cycles (before 6am on Mondays).

Configures Konflux bot to automatically track and create PRs for dependency updates.

**Enabled tracking for:**
 - Python dependencies (requirements files, pyproject.toml)
 - Tekton pipeline tasks
 - Dockerfile base images
 - GitHub Actions

Signed-off-by: Anik Bhattacharjee <anbhatta@redhat.com>
@coderabbitai

coderabbitai bot commented Mar 6, 2026

Walkthrough

Configuration updates to renovate.json enabling multiple package managers (pip_requirements, pip_setup, pep621, dockerfile, github-actions) alongside existing tekton. Added grouping rules for Tekton pipelines and Python build dependencies, security update handling with automerge disabled, vulnerability alerts, and a scheduled execution window before 6am on Monday.

Changes

Cohort / File(s) Summary
Renovate Configuration
renovate.json
Expanded enabledManagers to include pip_requirements, pip_setup, pep621, dockerfile, and github-actions. Added pip_requirements file matching patterns for requirements files. Introduced packageRules for grouping Tekton updates, Python build dependencies, and security patches with automerge controls. Enabled vulnerabilityAlerts with security label and set execution schedule to before 6am on Monday.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically summarizes the main change: configuring a bot (Konflux) for managing Python and pipeline dependency updates, which directly aligns with the renovate.json configuration additions.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
renovate.json (1)

40-42: Consider exempting security updates from the weekly schedule.

The "before 6am on Monday" schedule is sensible for regular dependency updates, but vulnerability fixes often benefit from faster handling. You can exclude security updates from this schedule:

💡 Optional: Allow security updates outside the schedule

Add to the security packageRule (or the fixed isVulnerabilityAlert rule):

{
    "isVulnerabilityAlert": true,
    "automerge": false,
    "labels": ["security"],
    "schedule": ["at any time"]
}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@renovate.json` around lines 40 - 42, The current Renovate schedule
("schedule": ["before 6am on Monday"]) delays security fixes; update the
Renovate configuration by adding or modifying the security packageRule (the rule
with "isVulnerabilityAlert" or the security-specific packageRules array) to
override the global schedule—set "isVulnerabilityAlert": true, "schedule": ["at
any time"], and ensure "automerge": false and a "labels": ["security"] entry so
vulnerability updates are allowed outside the weekly window and are clearly
labeled for manual review.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

📥 Commits

Reviewing files that changed from the base of the PR and between 9bb4017 and a91dabf.

📒 Files selected for processing (1)
  • renovate.json

Comment on lines +28 to +34
{
  "description": "Separate security updates for faster merging",
  "matchUpdateTypes": ["patch"],
  "matchCurrentVersion": "!/^0/",
  "automerge": false,
  "labels": ["security"]
}
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Renovate packageRules isVulnerabilityAlert security updates

💡 Result:

To handle “security updates” (GitHub/Dependabot vulnerability alerts) in Renovate, you don’t use matchUpdateTypes (it doesn’t include a “vulnerability” update type). Instead you configure the dedicated vulnerabilityAlerts object, and/or match vulnerability-fix upgrades via matchJsonata. [2][1]

1) Configure vulnerability-alert PRs (recommended)

{
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"],
    "automerge": true
  }
}

Renovate’s vulnerabilityAlerts config controls how vulnerability-fix PRs are created (e.g., labels, automerge, prCreation, branchTopic, fix strategy). [2]

2) Apply packageRules only to vulnerability-fix upgrades

Renovate suggests matching vulnerability fixes using fields like vulnerabilityFixVersion via matchJsonata: [1]

{
  "packageRules": [
    {
      "matchJsonata": ["$exists(vulnerabilityFixVersion)"],
      "labels": ["security"],
      "prPriority": 10
    }
  ]
}

If you specifically want the boolean flag, Renovate’s runtime config for alert rules includes isVulnerabilityAlert: true (seen in logs/debug output), so you can also match that: [4]

{
  "packageRules": [
    {
      "matchJsonata": ["isVulnerabilityAlert = true"],
      "labels": ["security"]
    }
  ]
}

3) Only create PRs when vulnerabilities exist

Use the preset security:only-security-updates (disables all normal updates, enables vulnerability alerts; also enables OSV alerts). [3]

{
  "extends": ["security:only-security-updates"]
}

Sources: Renovate config options for matchJsonata and example expressions [1], Renovate vulnerabilityAlerts behavior/options [2], Renovate security preset security:only-security-updates [3], Renovate discussion/log output showing isVulnerabilityAlert [4].


🌐 Web query:

Renovate vulnerability alerts configuration matchUpdateTypes patch

💡 Result:

matchUpdateTypes can’t be used inside vulnerabilityAlerts. The vulnerabilityAlerts block is only for “PRs needed due to a vulnerability in the existing package version” and has its own set of supported fields (e.g., rangeStrategy, commitMessageSuffix, prCreation, vulnerabilityFixStrategy, etc.).[1]

To apply logic like “only if the vulnerability fix is a patch”, do it with a packageRules rule (because matchUpdateTypes is valid only within packageRules).[2] For vulnerability-fix PRs, you can match them via matchJsonata using the presence of vulnerabilityFixVersion.[3]

Example (automerge only vulnerability-fix PRs that are patch updates):

{
  "vulnerabilityAlerts": {
    "enabled": true
  },
  "packageRules": [
    {
      "description": "Automerge vulnerability fixes only when update type is patch",
      "matchJsonata": ["$exists(vulnerabilityFixVersion)"],
      "matchUpdateTypes": ["patch"],
      "automerge": true
    }
  ]
}

Sources: Renovate vulnerabilityAlerts option[1], matchUpdateTypes (packageRules-only)[2], and matchJsonata example using vulnerabilityFixVersion[3].

[1] (docs.renovatebot.com)
[2] (docs.renovatebot.com)
[3] (docs.renovatebot.com)


🌐 Web query:

Renovate "isVulnerabilityAlert" matcher packageRules

💡 Result:

isVulnerabilityAlert is not a supported packageRules matcher you can write in renovate.json. It’s an internal flag Renovate adds to the generated “alert package rules” it builds when processing GitHub (Dependabot) vulnerability alerts (you’ll see it in debug logs as alertPackageRules entries with "isVulnerabilityAlert": true). [2]

How to configure vulnerability-alert PRs (the supported way)

1) GitHub Dependabot alerts → use the top-level vulnerabilityAlerts object

This is the documented configuration hook for PRs created to fix an existing vulnerable version. [1]

{
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "automerge": true,
    "commitMessageSuffix": "[SECURITY]",
    "vulnerabilityFixStrategy": "lowest"
  }
}

Renovate docs list vulnerabilityAlerts as “Config to apply when a PR is needed due to a vulnerability in the existing package version.” [1]

2) OSV-based alerts → enable osvVulnerabilityAlerts

If you want Renovate to open PRs based on OSV (osv.dev) vulnerability data, enable:

{
  "osvVulnerabilityAlerts": true
}

This is a separate feature flag. [1]

If your goal is “apply packageRules only to vulnerability PRs”

There’s no documented matcher like isVulnerabilityAlert for that. matchUpdateTypes also won’t help here because Renovate’s documented matchUpdateTypes values don’t include a “vulnerability” type. [1]

Sources: Renovate configuration docs for vulnerabilityAlerts, osvVulnerabilityAlerts, and matchUpdateTypes allowed values [1], plus Renovate discussion/log output showing alertPackageRules entries marked with isVulnerabilityAlert: true [2].


The security updates rule may not work as intended.

This rule matches all patch updates (matchUpdateTypes: ["patch"]) rather than actual security/vulnerability updates. The matchUpdateTypes field doesn't include a "vulnerability" type, so this rule will label any non-0.x patch update as "security" even when it's not security-related.

For handling vulnerability-triggered updates, use Renovate's dedicated vulnerabilityAlerts configuration object at the top level:

🔧 Recommended configuration for security updates
+    "vulnerabilityAlerts": {
+      "enabled": true,
+      "automerge": false,
+      "labels": ["security"]
+    },
     "packageRules": [
         {
             "description": "Separate security updates for faster merging",
-            "matchUpdateTypes": ["patch"],
-            "matchCurrentVersion": "!/^0/",
-            "automerge": false,
-            "labels": ["security"]
         }
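Review bot: after the four removed lines the remaining entry in `packageRules` contains only a `"description"` and no match criteria or settings, so it is a no-op rule that will sit in the config forever; delete the whole object (or replace it with the `matchJsonata` form shown next) rather than leaving an empty rule behind.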

Alternatively, if you need to apply packageRules only to vulnerability-fix PRs, use matchJsonata with $exists(vulnerabilityFixVersion):

         {
             "description": "Separate security updates for faster merging",
+            "matchJsonata": ["$exists(vulnerabilityFixVersion)"],
             "matchUpdateTypes": ["patch"],
             "matchCurrentVersion": "!/^0/",
             "automerge": false,
             "labels": ["security"]
         }
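Review bot: keeping `"matchUpdateTypes": ["patch"]` and `"matchCurrentVersion": "!/^0/"` next to the added `matchJsonata` line means a vulnerability fix that needs a minor or major bump, or one for a 0.x package, will not get the `security` label; if every vulnerability fix should be labelled, drop those two lines and keep only the `matchJsonata` matcher, or state in the `description` why the narrowing is intended.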
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@renovate.json` around lines 28 - 34, The current package rule in
renovate.json uses matchUpdateTypes: ["patch"] and matchCurrentVersion: "!/^0/"
which will label any patch (non-0.x) as "security" even when not a
vulnerability; replace this by using Renovate's top-level vulnerabilityAlerts
configuration for true vulnerability PR handling, or change the package rule to
matchJsonata with $exists(vulnerabilityFixVersion) to target only
vulnerability-fix PRs (remove or stop using matchUpdateTypes ["patch"] for
security labeling and keep labels: ["security"] only for matches that pass the
vulnerability check).
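The mislabelling pattern this review describes can be caught mechanically before a config like this lands. The following checker is an added example, not part of the PR or of Renovate; it parses a renovate.json document and flags any rule that applies the `security` label without a `vulnerabilityFixVersion` match, a scoped rule that is further narrowed by update type or current version, and a config with no top-level `vulnerabilityAlerts` block. The two embedded configs are constructed samples: one mirrors the rule under review, the other the corrected shape.

```python
"""Lint a renovate.json for the pattern flagged in this review: a packageRule that
applies the "security" label by update type alone instead of by a vulnerability match."""
import json

# Constructed sample mirroring the rule under review (renovate.json lines 28-34)
# together with the weekly schedule; embedded inline so the check runs offline.
PR_CONFIG = json.dumps({
    "packageRules": [{
        "description": "Separate security updates for faster merging",
        "matchUpdateTypes": ["patch"],
        "matchCurrentVersion": "!/^0/",
        "automerge": False,
        "labels": ["security"],
    }],
    "schedule": ["before 6am on Monday"],
})

# Constructed sample of the corrected shape: top-level vulnerabilityAlerts plus a
# rule scoped to vulnerability-fix upgrades via matchJsonata.
FIXED_CONFIG = json.dumps({
    "vulnerabilityAlerts": {"enabled": True, "automerge": False, "labels": ["security"]},
    "packageRules": [{
        "description": "Label vulnerability fixes",
        "matchJsonata": ["$exists(vulnerabilityFixVersion)"],
        "labels": ["security"],
    }],
    "schedule": ["before 6am on Monday"],
})

# Matchers that shrink a vulnerability-scoped rule to a subset of the fixes.
NARROWING_KEYS = ("matchUpdateTypes", "matchCurrentVersion")


def is_vulnerability_scoped(rule):
    """True when the rule only matches vulnerability-fix upgrades."""
    return any("vulnerabilityFixVersion" in expr for expr in rule.get("matchJsonata", []))


def lint_renovate(text):
    """Return finding strings for a renovate.json document (empty list = clean)."""
    cfg = json.loads(text)
    findings = []
    for i, rule in enumerate(cfg.get("packageRules", [])):
        if "security" not in rule.get("labels", []):
            continue
        if not is_vulnerability_scoped(rule):
            findings.append(f"packageRules[{i}]: 'security' label is not tied to a vulnerability match")
        elif any(key in rule for key in NARROWING_KEYS):
            findings.append(f"packageRules[{i}]: scoped rule is narrowed by {NARROWING_KEYS}; some fixes stay unlabelled")
    if "vulnerabilityAlerts" not in cfg:
        findings.append("vulnerabilityAlerts: not configured, so alert-driven PRs get no dedicated label/automerge policy")
    return findings
```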

@anik120 anik120 closed this Mar 6, 2026