Supply-Chain & Dependency Automation
The estate's automation backbone: one centralized Renovate runner keeping every repo current, and a sanitized public-mirror pipeline that scrubs private repositories and force-pushes public GitHub mirrors behind a hard verification gate.
View Code on GitHubSanitized mirror pipeline
Two automations keep the estate healthy and shareable: a central dependency brain and a fail-closed publishing pipeline. Together with the CI component hub they form deliberate βtwin hubsβ β one owns CI job logic, this one owns dependency policy, and neither depends on the other at runtime.
One dependency brain
A single Renovate project autodiscovers every repo in the group and runs nightly with one token, one schedule, and one warm package cache. Policy lives in a shared preset each repo extends, with modular presets layered on top β one teaches Renovate to track tool versions declared as Dockerfile arguments, another groups and soaks CI-component pin bumps. Risk tiers are explicit: digest, pin, and stable-patch updates auto-merge after CI passes and a soak window elapses; minor and major updates wait for review. The commands downstream repos may run after an upgrade are allow-listed on the runner itself β a trust boundary consumers canβt widen from their own config.
Publishing private work safely
The mirror pipeline is what makes this portfolio possible. A shared sanitization base defines the identity, domain, and token replacements plus protective exclude lists; each repo extends it with a union-only merge, so a child config can add protections but never remove one. After rewriting, a verifier scans the result for dozens of sensitive terms and forbidden file patterns and hard-fails the pipeline if a single one survives β nothing reaches GitHub unless the gate is fully green. What youβre reading on these mirrors passed through exactly this machinery.
Key Technical Highlights
- One runner for the estate: A single autodiscover Renovate project with a shared preset (plus modular presets every repo composes) replaces per-repo jobs β one schedule, one token, one warm cache.
- Low-risk auto-merge: Digest and pin updates, and patch updates on stable packages, merge themselves once CI is green and their soak window passes; minor and major updates stay under human review.
- Layered sanitization: A shared sanitize base (identity, domain, and token replacements plus protective exclude lists) is extended per repo with a union-only merge β a child config can only add protections, never remove one.
- Fail-closed mirror gate: Before any public push, a verifier hard-fails if a single sensitive term survives (names, private domains, token prefixes) β so the private repositories become public mirrors safely and automatically.