All projects

Supply-Chain & Dependency Automation

RenovateAutomationSecurityPython

The estate's automation backbone: one centralized Renovate runner keeping every repo current, and a sanitized public-mirror pipeline that scrubs private repositories and force-pushes public GitHub mirrors behind a hard verification gate.

View Code on GitHub

Sanitized mirror pipeline

Diagram: Sanitized mirror pipeline

Two automations keep the estate healthy and shareable: a central dependency brain and a fail-closed publishing pipeline. Together with the CI component hub they form deliberate β€œtwin hubs” β€” one owns CI job logic, this one owns dependency policy, and neither depends on the other at runtime.

One dependency brain

A single Renovate project autodiscovers every repo in the group and runs nightly with one token, one schedule, and one warm package cache. Policy lives in a shared preset each repo extends, with modular presets layered on top β€” one teaches Renovate to track tool versions declared as Dockerfile arguments, another groups and soaks CI-component pin bumps. Risk tiers are explicit: digest, pin, and stable-patch updates auto-merge after CI passes and a soak window elapses; minor and major updates wait for review. The commands downstream repos may run after an upgrade are allow-listed on the runner itself β€” a trust boundary consumers can’t widen from their own config.

Publishing private work safely

The mirror pipeline is what makes this portfolio possible. A shared sanitization base defines the identity, domain, and token replacements plus protective exclude lists; each repo extends it with a union-only merge, so a child config can add protections but never remove one. After rewriting, a verifier scans the result for dozens of sensitive terms and forbidden file patterns and hard-fails the pipeline if a single one survives β€” nothing reaches GitHub unless the gate is fully green. What you’re reading on these mirrors passed through exactly this machinery.

Key Technical Highlights

  • One runner for the estate: A single autodiscover Renovate project with a shared preset (plus modular presets every repo composes) replaces per-repo jobs β€” one schedule, one token, one warm cache.
  • Low-risk auto-merge: Digest and pin updates, and patch updates on stable packages, merge themselves once CI is green and their soak window passes; minor and major updates stay under human review.
  • Layered sanitization: A shared sanitize base (identity, domain, and token replacements plus protective exclude lists) is extended per repo with a union-only merge β€” a child config can only add protections, never remove one.
  • Fail-closed mirror gate: Before any public push, a verifier hard-fails if a single sensitive term survives (names, private domains, token prefixes) β€” so the private repositories become public mirrors safely and automatically.

Central dependency-update flow

Diagram: Central dependency-update flow
One nightly run discovers every repo, applies one shared policy, and lets low-risk updates merge themselves after a soak window.

Technologies

RenovateGitLab CIPythongitleaks