The 2026-07-03 runs surfaced two config problems:
- The grouped "renovate/all" branch made Renovate fetch and hold the
changelog of every upgrade instance separately (Traefik v3.0.0->v3.7.6
was fetched ~10x, once per compose file), which blew the default 4GB
V8 heap: "FATAL ERROR: ... JavaScript heap out of memory" (exit 134),
killing the run after the branch was pushed but before the PR was
opened. Disable changelog fetching (release notes were truncated in
the grouped PR body anyway) and raise the Node heap to 8GB as a
safety net.
- No gitAuthor was set, so commits were authored as Mend's
renovate@whitesourcesoftware.com, which GitHub flags "Unverified"
(Vigilant Mode) and Renovate warns about on every run. Use the token
owner's noreply address instead.
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
* ⬆️ bump example image versions to latest stable
Align every docker-compose and Helm-values example on the same set:
- Traefik v3.0.0 / v3.5.0 → v3.7.1
- Crowdsec v1.6.1-2 / v1.6.8 / latest → v1.7.8
- Plugin pin v1.3.0 / v1.4.5 / v1.5.0 → v1.6.0
No env / volume changes needed: every Crowdsec example already mounts
/var/lib/crowdsec/data, so the v1.7 strict volume check is already
satisfied (CROWDSEC_BYPASS_DB_VOLUME_CHECK is only required when
running without persistence, as in the E2E suite).
* 🤖 chore: adopt Renovate (weekly, self-hosted) to replace manual version bumps
Automate the kind of bump this PR did by hand. Renovate covers what Dependabot
could not reach here:
- example docker-compose image tags (traefik / crowdsec) — native manager;
- the plugin self-pin (`experimental.plugins.bouncer.version=` in compose args
and `version:` in the Traefik Helm values) — customManager, github-tags;
- the Crowdsec/Traefik image tags in the Helm values (no `repository` key, so
matched by file) — customManager, docker;
- the pinned Traefik binary in the e2e mock suite (`TRAEFIK_VERSION`) —
customManager, github-releases;
- go.mod + GitHub Actions — native managers (this is why we drop Dependabot:
running both would open duplicate PRs).
Runs weekly via a self-hosted workflow (Mondays 04:00 UTC, plus manual
dispatch). Needs a RENOVATE_TOKEN secret (documented in the workflow). Renovate
PRs trigger the existing e2e CI, so a Traefik/Crowdsec bump is validated to
actually boot and bounce before merge.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* 🔒 ci: pin Go to 1.22 (yaegi ceiling) and cap Renovate's Go updates
The plugin is interpreted by yaegi, bundled in Traefik. Even the latest Traefik
(v3.7.1) ships yaegi v0.16.1, which only supports Go 1.22 — so the plugin's real
ceiling is Go 1.22 on every current Traefik, regardless of the Go version
Traefik itself is built with.
- main.yml: build/test on Go 1.22 (was 1.23) so `go build`/`go test` reject
newer stdlib early; yaegi v0.16.1 stays the required yaegi_test guard.
- renovate.json: cap the go.mod `go`/`toolchain` directive at `<1.23` so
Renovate keeps deps/actions/toolchain current but never pushes the plugin
past what yaegi supports. Raise the cap when Traefik ships a newer yaegi.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* 🐛 ci(renovate): stop ignoring examples/ and tests/ so custom managers run
config:recommended ships a default ignorePaths that excludes **/examples/**
and **/tests/** (and **/vendor/**). That silently disabled 4 of the 5 custom
managers and all example/helm coverage this PR adds — Renovate only saw the
root docker-compose, go.mod and workflows.
Override ignorePaths to keep only vendor/node_modules. Verified via
`renovate --platform=local --dry-run=full`: package files detected go from
7 -> 32, and every custom manager now extracts its dep (plugin self-pin
across 11 compose files, traefik/crowdsec helm tags, e2e TRAEFIK_VERSION pin).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* ⏪ chore: drop one-time example version bumps, let Renovate own them
The manual version catch-up across the example docker-compose files and the
Helm values is now redundant: Renovate (this PR) covers all of them via its
native docker-compose/docker managers plus the custom managers for the plugin
self-pin and the e2e Traefik binary. Reverting these files to keep the PR a
clean "adopt Renovate" change; Renovate will open the bump PRs itself.
Note: examples/tls-auth uses crowdsecurity/crowdsec:latest again — Renovate
does not pin rolling tags, so that one stays floating unless pinned separately.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* 📌 examples(tls-auth): pin crowdsec to v1.6.8 instead of :latest
Rolling `latest` tags aren't reproducible and Renovate can't manage them.
v1.6.8 is already the crowdsec tag used in the root docker-compose files and,
unlike the `-2` build-suffixed tags, Renovate bumps it (→ v1.7.8).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* 📌 examples: normalize crowdsec v1.6.1-2 -> v1.6.8 so Renovate can manage it
Renovate's docker versioning won't advance a build-suffixed tag (v1.6.1-2) to
a clean release (v1.7.8), so those 8 examples would have stayed frozen. v1.6.8
is already used in the root compose files and Renovate bumps it. Also updated
the captcha README snippet to match its compose.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* 🍱 group all + no dashboard + branch prefix
---------
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: maxlerebourg <maxlerebourg@gmail.com>