chore: Disable dependabot on konflux.Dockerfile-s by msugakov · Pull Request #19802 · stackrox/stackrox

msugakov · 2026-04-02T15:57:11Z

Description

After noticing these PRs:

chore(deps): bump ubi9/ubi from 1fc04e8 to 9e6e193 in /operator #19784
chore(deps): bump ubi9/ubi-minimal from 69f5c98 to 83006d5 in /scanner/image/scanner #19785
chore(deps): bump ubi9/ubi-minimal from 69f5c98 to 83006d5 in /image/rhel #19786

We don't need Dependabot to bother about konflux.Dockerfile-s because these are maintained by MintMaker.

I don't know what's changed around dependabot that it began opening those.

Thread for discussion: https://redhat-internal.slack.com/archives/C05TS9N0S7L/p1775143800950659

Used this https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference?learn=dependency_version_updates&learnProduct=code-security#exclude-paths-

User-facing documentation

CHANGELOG.md is updated OR update is not needed
documentation PR is created and is linked above OR is not needed

Testing and quality

the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
CI results are inspected

Automated testing

No change.

How I validated my change

GitHub seems to validate the file automatically. E.g. https://github.com/stackrox/stackrox/pull/19802/checks?check_run_id=69727150660

openshift-ci · 2026-04-02T15:57:16Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

sourcery-ai

Hey - I've left some high level feedback:

If the intent is to exclude all konflux*.Dockerfile files repo-wide, consider adding a single exclude-paths entry at the highest applicable Docker ecosystem configuration instead of repeating the same pattern across multiple directories to reduce duplication.
Double-check whether there are any konflux*.Dockerfile files outside the listed directories; if so and they should also be ignored by Dependabot, those paths or a broader glob may need to be added here as well.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- If the intent is to exclude all `konflux*.Dockerfile` files repo-wide, consider adding a single `exclude-paths` entry at the highest applicable Docker ecosystem configuration instead of repeating the same pattern across multiple directories to reduce duplication.
- Double-check whether there are any `konflux*.Dockerfile` files outside the listed directories; if so and they should also be ignored by Dependabot, those paths or a broader glob may need to be added here as well.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

coderabbitai · 2026-04-02T16:00:42Z

📝 Walkthrough

Walkthrough

This change adds exclusion patterns to Dependabot's Docker package ecosystem configuration, preventing updates for Dockerfile paths matching konflux*.Dockerfile across six target directories while maintaining existing update schedules and limits.

Changes

Cohort / File(s)	Summary
Dependabot Configuration `.github/dependabot.yaml`	Added `exclude-paths: [ '*/konflux.Dockerfile' ]` to six separate Docker update configurations covering `operator/`, `operator/tests/controller/metrics`, `image/rhel`, `image/postgres`, `scanner/image/scanner`, and `scanner/image/db` directories.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: disabling Dependabot for konflux Dockerfiles, which matches the actual modification to the dependabot.yaml configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The pull request provides a detailed description with context, motivation, references to related PRs, links to documentation, and validation information. All required sections are addressed.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

Create stacked PR
Commit on current branch

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch misha/disable-dependabot-on-konflux-dockerfiles

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

🧹 Nitpick comments (1)

.github/dependabot.yaml (1)

284-284: Consider adding a one-line rationale comment next to the first exclusion.

This will make the Dependabot/Renovate ownership split explicit and reduce future confusion.

Suggested small clarification

   - package-ecosystem: 'docker'
     directory: 'operator/'
+    # konflux*.Dockerfile updates are handled by Renovate's dockerfile manager.
     exclude-paths: [ '**/konflux*.Dockerfile' ]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/dependabot.yaml at line 284, Add a one-line YAML comment explaining
why the exclusion '**/konflux*.Dockerfile' exists next to the exclude-paths
entry to make the Dependabot/Renovate ownership split explicit; update the
exclude-paths: [ '**/konflux*.Dockerfile' ] line by appending a brief comment
(using #) that states the rationale (e.g., ownership split or handled by
Renovate) so future readers understand why this pattern is excluded.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/dependabot.yaml:
- Line 284: Add a one-line YAML comment explaining why the exclusion
'**/konflux*.Dockerfile' exists next to the exclude-paths entry to make the
Dependabot/Renovate ownership split explicit; update the exclude-paths: [
'**/konflux*.Dockerfile' ] line by appending a brief comment (using #) that
states the rationale (e.g., ownership split or handled by Renovate) so future
readers understand why this pattern is excluded.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 3bee062e-ca0d-4edf-8275-6eb8bcd8c0f5

📥 Commits

Reviewing files that changed from the base of the PR and between 7fd978b and df1c226.

📒 Files selected for processing (1)

.github/dependabot.yaml

github-actions · 2026-04-02T16:06:19Z

/konflux-retest central-db-on-push

codecov · 2026-04-02T16:06:41Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.60%. Comparing base (a73bc3a) to head (df1c226).
⚠️ Report is 31 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #19802   +/-   ##
=======================================
  Coverage   49.59%   49.60%           
=======================================
  Files        2763     2763           
  Lines      208167   208181   +14     
=======================================
+ Hits       103250   103262   +12     
- Misses      97252    97254    +2     
  Partials     7665     7665

Flag	Coverage Δ
go-unit-tests	`49.60% <ø> (+<0.01%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

github-actions · 2026-04-02T16:10:36Z

🚀 Build Images Ready

Images are ready for commit 9a74626. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.11.x-573-g9a7462671d

github-actions · 2026-04-02T16:46:38Z

/konflux-retest operator-on-push

github-actions · 2026-04-02T16:53:52Z