ci(deps): update pi-sidecar to 1.1.5 and add npm to Renovate#1140

Merged: myakove merged 3 commits into main from ci/update-pi-sidecar-1.1.5 on Jun 29, 2026

@myakove myakove commented Jun 29, 2026

Collaborator

Summary

Bump pi-sidecar to 1.1.5 (both npm and Python) and add npm package manager to Renovate config for automated future updates.

Changes

| File | Change |
| --- | --- |
| sidecar-helper/package-lock.json | @myk-org/pi-sidecar 1.1.1 → 1.1.5 |
| uv.lock | pi-sidecar-client 1.1.0 → 1.1.5 |
| renovate.json | Added matchManagers scoping: npm deps now tracked separately as npm-deps group |

Renovate Config Update

Previously Renovate only managed Python deps. Now it also tracks npm deps in sidecar-helper/, so future pi-sidecar npm updates will be automated.

Verification

npm audit → 0 vulnerabilities

Bump @myk-org/pi-sidecar from 1.1.1 to 1.1.5 (npm)
Bump pi-sidecar-client from 1.1.0 to 1.1.5 (Python)

Add npm package manager to Renovate config so future
sidecar and npm dependency updates are automated.
@myakove-bot

Collaborator

Report bugs in Issues

Welcome! 🎉

This pull request will be automatically processed with the following features:

🔄 Automatic Actions

  • Reviewer Assignment: Reviewers are automatically assigned based on the OWNERS file in the repository root
  • Size Labeling: PR size labels (XS, S, M, L, XL, XXL) are automatically applied based on changes
  • Issue Creation: Disabled for this repository
  • Pre-commit Checks: pre-commit runs automatically if .pre-commit-config.yaml exists
  • Branch Labeling: Branch-specific labels are applied to track the target branch
  • Auto-verification: Auto-verified users have their PRs automatically marked as verified
  • Labels: All label categories are enabled (default configuration)

📋 Available Commands

PR Status Management

  • /wip - Mark PR as work in progress (adds WIP: prefix to title)
  • /wip cancel - Remove work in progress status
  • /hold - Block PR merging (approvers only)
  • /hold cancel - Unblock PR merging
  • /verified - Mark PR as verified
  • /verified cancel - Remove verification status
  • /reprocess - Trigger complete PR workflow reprocessing (useful if webhook failed or configuration changed)
  • /regenerate-welcome - Regenerate this welcome message
  • /security-override - Set security check runs to pass (maintainers only)
  • /security-override cancel - Re-run security checks

Review & Approval

  • /lgtm - Approve changes (looks good to me)
  • /approve - Approve PR (approvers only)
  • /automerge - Enable automatic merging when all requirements are met (maintainers and approvers only)
  • /assign-reviewers - Assign reviewers based on OWNERS file
  • /assign-reviewer @username - Assign specific reviewer
  • /check-can-merge - Check if PR meets merge requirements

Testing & Validation

  • /retest tox - Run Python test suite with tox
  • /retest build-container - Rebuild and test container image
  • /retest python-module-install - Test Python package installation
  • /retest pre-commit - Run pre-commit hooks and checks
  • /retest conventional-title - Validate commit message format
  • /retest all - Run all available tests

Container Operations

  • /build-and-push-container - Build and push container image (tagged with PR number)
    • Supports additional build arguments: /build-and-push-container --build-arg KEY=value

Cherry-pick Operations

  • /cherry-pick <branch> - Schedule cherry-pick to target branch when PR is merged
    • Multiple branches: /cherry-pick branch1 branch2 branch3
  • /cherry-pick-retry <branch> - Retry a failed cherry-pick (merged PRs only)

Branch Management

  • /rebase - Rebase this PR branch onto its base branch

Label Management

  • /<label-name> - Add a label to the PR
  • /<label-name> cancel - Remove a label from the PR

✅ Merge Requirements

This PR will be automatically approved when the following conditions are met:

  1. Approval: /approve from at least one approver
  2. LGTM Count: Minimum 1 /lgtm from reviewers
  3. Status Checks: All required status checks must pass
  4. No Blockers: No wip, hold, has-conflicts labels and PR must be mergeable (no conflicts)
  5. Verified: PR must be marked as verified

📊 Review Process

Approvers and Reviewers

Approvers:

  • myakove
  • rnetser

Reviewers:

  • myakove
  • rnetser

Available Labels

  • hold
  • verified
  • wip
  • lgtm
  • approve
  • automerge

AI Features

  • Conventional Title: Mode: fix (claude/claude-opus-4-6-1m)
  • Cherry-Pick Conflict Resolution: Enabled (claude/claude-opus-4-6-1m)
  • Test Oracle: Triggers: approved (claude/claude-opus-4-6[1m]); /test-oracle can be used anytime

Security Checks

  • Suspicious Path Detection: Monitors paths: .claude/, .vscode/, .cursor/, .devcontainer/, .pi/, .github/workflows/, .github/actions/
  • Committer Identity Check: Verifies last committer matches PR author
  • Mandatory: Security checks block merge (use /security-override to bypass — maintainers only)

💡 Tips

  • WIP Status: Use /wip when your PR is not ready for review
  • Verification: The verified label is removed on new commits unless the push is detected as a clean rebase
  • Cherry-picking: Cherry-pick labels are processed when the PR is merged
  • Container Builds: Container images are automatically tagged with the PR number
  • Permission Levels: Some commands require approver permissions
  • Auto-verified Users: Certain users have automatic verification and merge privileges

For more information, please refer to the project documentation or contact the maintainers.

@qodo-code-review


PR Summary by Qodo

ci(deps): bump pi-sidecar to 1.1.5 and enable npm Renovate updates
⚙️ Configuration changes ✨ Enhancement 🕐 10-20 Minutes

Description

• Bump pi-sidecar dependencies to 1.1.5 for both npm and Python lockfiles.
• Teach Renovate to track and group npm updates separately from Python dependencies.
• Improve future dependency automation for the sidecar-helper Node project.

Diagram

graph TD
  R(["Renovate"]) --> C["renovate.json"] --> N["npm-deps rule"] --> PL["sidecar-helper/package-lock.json"] --> NR[("npm registry")]
  R --> C --> P["python-deps rule"] --> UL["uv.lock"] --> PY[("PyPI")]

  subgraph Legend
    direction LR
    _svc(["Service"]) ~~~ _file["File"] ~~~ _reg[("Registry")]
  end

High-Level Assessment

The following are alternative approaches to this PR:

1. Scope npm rule to sidecar-helper only (matchPaths)
  • ➕ Avoids accidentally managing npm deps elsewhere if more Node projects are added later
  • ➕ Keeps Renovate PRs tightly focused on the intended package-lock.json
  • ➖ Slightly more config complexity
  • ➖ Needs updating if npm projects move/expand
2. Use enabledManagers instead of broad packageRules
  • ➕ Simpler intent: explicitly enable npm + Python managers at the top level
  • ➕ Reduces reliance on catch-all matchPackagePatterns
  • ➖ Less flexibility for grouping/overrides if more managers are added
  • ➖ May still require packageRules for grouping behavior

Recommendation: The current approach (adding an npm-specific packageRule) is sound and consistent with existing Python grouping. Consider additionally scoping the npm rule via matchPaths (e.g., sidecar-helper/**) if this repo may gain other npm workspaces, to prevent unintended Renovate PR noise.

Files changed (3) +6 / -0

Other (3) +6 / -0

renovate.json: Add separate Renovate grouping for Python vs npm managers (+6/-0)

• Adds explicit matchManagers for the existing Python dependency rule and introduces a new npm rule grouped as npm-deps. This allows Renovate to manage npm dependencies alongside Python while keeping PRs grouped by ecosystem.

sidecar-helper/package-lock.json: Update @myk-org/pi-sidecar lock entry to 1.1.5 (+0/-0)

• Updates the Node lockfile so @myk-org/pi-sidecar resolves to version 1.1.5. This keeps the sidecar-helper dependency aligned with the desired pi-sidecar release.

uv.lock: Bump pi-sidecar-client to 1.1.5 in Python lockfile (+0/-0)

• Updates the uv lockfile to pin pi-sidecar-client at version 1.1.5. This aligns the Python client dependency with the same pi-sidecar version used by the npm sidecar-helper.
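
An added example, not code from this repository or from Qodo: a small Python check that classifies how broadly each `packageRules` entry in a Renovate config matches, covering the scoping options weighed in the assessment above and the later narrowing of the npm rule to `@myk-org/pi-sidecar`. The sample config is constructed from the hunk in this PR; the `sidecar-only` group name, the function names and the scope labels are assumptions, and only name, manager and path selectors are inspected.

```python
import json

# Constructed sample: the two rules from this PR's renovate.json hunk, plus a
# hypothetical narrowed rule ("sidecar-only" is an assumed group name).
SAMPLE_CONFIG = json.loads("""
{
  "packageRules": [
    {
      "matchManagers": ["pip_requirements", "pip-compile", "pep621"],
      "matchPackagePatterns": ["*"],
      "groupName": "python-deps"
    },
    {
      "matchManagers": ["npm"],
      "matchPackagePatterns": ["*"],
      "groupName": "npm-deps"
    },
    {
      "matchManagers": ["npm"],
      "matchPackageNames": ["@myk-org/pi-sidecar"],
      "groupName": "sidecar-only"
    }
  ]
}
""")

# matchPaths is the option named in the assessment; matchFileNames is its
# newer name in Renovate. Other selectors are ignored in this simplified check.
PATH_KEYS = ("matchPaths", "matchFileNames")
NAME_KEYS = ("matchPackageNames", "matchPackagePatterns")


def rule_scope(rule):
    """Classify one packageRule from narrowest ("named") to widest ("repo-wide")."""
    names = [n for key in NAME_KEYS for n in rule.get(key, [])]
    if names and "*" not in names:
        return "named"          # explicit package selection
    if any(rule.get(key) for key in PATH_KEYS):
        return "path-scoped"    # catch-all, but only under given paths
    if rule.get("matchManagers"):
        return "manager-wide"   # catch-all for every manifest of a manager
    return "repo-wide"          # catch-all with no scoping at all


def audit(config):
    """Map each rule's groupName (or its index) to its scope label."""
    return {
        rule.get("groupName", f"rule#{i}"): rule_scope(rule)
        for i, rule in enumerate(config.get("packageRules", []))
    }
```

Running `audit` on a repository's own `renovate.json` in CI and failing on `repo-wide` is one way to catch a catch-all rule before it starts grouping unrelated updates.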

@qodo-code-review

qodo-code-review Bot commented Jun 29, 2026


Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📜 Skill insights (0)

Context used
✅ Compliance rules (platform): 30 rules


Informational

1. Renovate docs out of date ✓ Resolved 🐞 Bug ⚙ Maintainability
Description
docs/testing-and-maintenance.md still documents Renovate as having a single unscoped packageRule
that groups everything into "python-deps", but renovate.json now scopes Python managers and adds a
separate "npm-deps" group. This creates documentation drift where operators will expect one grouping
stream but will see different PR grouping behavior.
Code

renovate.json[R15-22]

+      "matchManagers": ["pip_requirements", "pip-compile", "pep621"],
      "matchPackagePatterns": ["*"],
      "groupName": "python-deps"
+    },
+    {
+      "matchManagers": ["npm"],
+      "matchPackagePatterns": ["*"],
+      "groupName": "npm-deps"
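Review bot: The new npm rule uses "matchPackagePatterns": ["*"], so the npm-deps group takes in every npm package Renovate finds in the repository, not only @myk-org/pi-sidecar, which is the dependency this PR bumps. If automated sidecar updates are the goal, match that package by name or limit the rule to the sidecar-helper/ manifest. Separately, the "matchManagers" line added to the first rule means dependencies handled by any manager outside those three no longer join python-deps; confirm that is intended.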
Relevance

⭐ Low

Similar “update docs snippet to match config” suggestion was definitely_rejected in PR #1118;
docs-sync not enforced.

PR-#1118
PR-#1109

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The repo docs explicitly embed a Renovate config snippet and describe single-stream grouping, but
the actual renovate.json in this PR now contains two scoped rules (python-deps and npm-deps), so the
documentation no longer matches behavior.

renovate.json[13-23]
docs/testing-and-maintenance.md[289-323]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The documentation for Renovate configuration is now stale. `docs/testing-and-maintenance.md` shows the old `renovate.json` (single `python-deps` rule without `matchManagers`) and states that updates are grouped into a single `python-deps` stream, but the actual config now splits into `python-deps` and `npm-deps` and scopes the managers.

### Issue Context
This PR changed `renovate.json` packageRules to:
- Scope Python grouping by manager via `matchManagers`
- Add an `npm-deps` group

But the docs still show the pre-change config and behavior.

### Fix Focus Areas
- docs/testing-and-maintenance.md[289-323]
- (optional, if these are checked-in generated artifacts in this repo) docs/testing-and-maintenance.html[~549-566]
- (optional, if this is a checked-in generated artifact in this repo) docs/llms-full.txt[~7909-7926]

### Suggested fix
- Update the JSON snippet in `docs/testing-and-maintenance.md` to match the new `renovate.json` (include both packageRules and their group names).
- Update the explanatory bullets to mention the separate `npm-deps` group (and that Python grouping is now manager-scoped).
- If `docs/testing-and-maintenance.html` and `docs/llms-full.txt` are generated-and-committed, regenerate/update them to keep docs consistent.


Update docs/testing-and-maintenance.md to match the current renovate.json
which now has two scoped rules (python-deps and npm-deps) instead of
a single unscoped rule.
@myakove

myakove commented Jun 29, 2026

Collaborator Author

@qodo-code-review[bot]

The following review comments were reviewed and a decision was made:

renovate.json:15 (qodo bug) — Renovate docs out of date

Addressed: Fixed — updated docs/testing-and-maintenance.md to reflect the new two-group Renovate config (python-deps + npm-deps) with matchManagers scoping.

@qodo-code-review


code-review[bot]

The following review comments were reviewed and a decision was made:

renovate.json:15 (qodo bug) — Renovate docs out of date

Addressed: Fixed — updated docs/testing-and-maintenance.md to reflect the new two-group Renovate config (python-deps + npm-deps) with matchManagers scoping.

Thanks — that’s correct.

  • Finding 1 is already marked implemented.
  • The docs now reflect the two Renovate groups: python-deps and npm-deps, with matchManagers scoping.

@qodo-code-review


Code review by qodo was updated up to the latest commit 010e7e4

Restrict npm package rule from matching all packages to only
@myk-org/pi-sidecar to avoid unintended transitive dep updates.
@qodo-code-review


Code review by qodo was updated up to the latest commit ff78e99

@myakove myakove merged commit f3a9c08 into main Jun 29, 2026
8 of 10 checks passed
@myakove myakove deleted the ci/update-pi-sidecar-1.1.5 branch June 29, 2026 09:23
@myakove-bot

Collaborator

New container for ghcr.io/myk-org/github-webhook-server:latest published
