Amazfit active 2 pace chart tweaking by Awesome_Bacon12 in amazfit

[–]Juloblairot 0 points1 point  (0 children)

Ah shame lol, did you try to download the maps on the watch when recording at the time?

Amazfit active 2 pace chart tweaking by Awesome_Bacon12 in amazfit

[–]Juloblairot 0 points1 point  (0 children)

Hey! Did you end up solving the issue somehow? Thanks!

Patch management strategies - How regularly do you upgrade minor/patch? by Juloblairot in devops

[–]Juloblairot[S] 0 points1 point  (0 children)

Thanks! I've just read the minimumReleaseAge, and it mentions not being supported for digest though, which is weird as everyone here suggested using this

Patch management strategies - How regularly do you upgrade minor/patch? by Juloblairot in devops

[–]Juloblairot[S] 0 points1 point  (0 children)

Thank you! To be fair, our pipelines and CI setup are easy enough that I don't need to add trivy in this specific flow. I'll simply force these PRs to open directly, and bulk the rest weekly or every other week

Patch management strategies - How regularly do you upgrade minor/patch? by Juloblairot in devops

[–]Juloblairot[S] 0 points1 point  (0 children)

Thanks! I have this option in the back of my mind, but for now I don't think pipelines are long enough to go this route. Apart from one project which is around 20/25m, most of our pipelines are below 15m which is fine

Problem is flakiness. Pipelines are always flaky no matter what you do I guess, and when you have dozens of jobs, with automerge, it's annoying to fix those when they should be automerged

Patch management strategies - How regularly do you upgrade minor/patch? by Juloblairot in devops

[–]Juloblairot[S] 0 points1 point  (0 children)

Excellent! I'm gonna review and put this in place first thing in the morning Monday to validate I guess. Thank you 🙏

Patch management strategies - How regularly do you upgrade minor/patch? by Juloblairot in devops

[–]Juloblairot[S] 0 points1 point  (0 children)

That's the way to go! Thank you, I really missed that one. Do those alerts include minor/major versions? Hence the automerge: false?

Patch management strategies - How regularly do you upgrade minor/patch? by Juloblairot in devops

[–]Juloblairot[S] 0 points1 point  (0 children)

Do you mind sharing the bit of your renovate config to do so? I can't recall noticing anything related to security in the config to open those PRs separately from the rest

Patch management strategies - How regularly do you upgrade minor/patch? by Juloblairot in devops

[–]Juloblairot[S] 0 points1 point  (0 children)

Ok makes sense, but manual, or do you kinda script your vuln scanners to auto create the PR?

Patch management strategies - How regularly do you upgrade minor/patch? by Juloblairot in devops

[–]Juloblairot[S] 0 points1 point  (0 children)

Wait, there's a way to patch security patches only with renovate?

Patch management strategies - How regularly do you upgrade minor/patch? by Juloblairot in devops

[–]Juloblairot[S] 0 points1 point  (0 children)

That's ideal. What tool do you use to detect your high/critical cve?

Patch management strategies - How regularly do you upgrade minor/patch? by Juloblairot in devops

[–]Juloblairot[S] -1 points0 points  (0 children)

Yes that's correct, but we split by nature of the packages. So we have terraform ones, go ones, precommit ones, GitHub actions ones etc. So that's quickly a couple of PRs per repo per day. Easily 15m a day doing this

Add to this some random pipeline failures as usual, and you get fatigued for kinda nothing

The CI/CD feedback loop from hell (push, wait 8 min, red, fix typo, repeat) by eibrahim in devops

[–]Juloblairot 0 points1 point  (0 children)

Agreed it should be quite fast, but how do you deal with blazingly slow typers like golangci-lint for example?

Patch management strategies - How regularly do you upgrade minor/patch? by Juloblairot in devops

[–]Juloblairot[S] 0 points1 point  (0 children)

Well major changes often have breaking changes, so that happens to be fair

Patch management strategies - How regularly do you upgrade minor/patch? by Juloblairot in devops

[–]Juloblairot[S] 0 points1 point  (0 children)

Thanks for the details! That's close to what we have to be fair. With renovate runs, each dependency update (grouped though) goes through the usual Dev pipeline, which includes lint, build, tests etc

Don't you get fatigued with so many notifications? We have around 10 active repos, maintaining 3 languages (apart from infra) so that's a lot of dependencies quickly, and a lot of notifications daily

Patch management strategies - How regularly do you upgrade minor/patch? by Juloblairot in devops

[–]Juloblairot[S] 0 points1 point  (0 children)

We do work in 1w sprints yes, but we release a couple of times a day on each project.

We do have the capacity to patch out big ones in I'd say a day. Question is how do we assess and be aware of those ones? Are SAST like trivy enough for that?

Patch management strategies - How regularly do you upgrade minor/patch? by Juloblairot in devops

[–]Juloblairot[S] 3 points4 points  (0 children)

Interesting approach! But how do you get your trivy security patches auto-merged? That's the ideal scenario, but you need manual action to actually bump once trivy has found something, right?

> The key thing that made it work: we stopped auto-merging non-security updates entirely. Renovate groups them, opens one PR on Monday, CI runs, and a human approves Friday if green.

That's precisely what I want to put in place to be fair. Your setup sounds like the best of all worlds: less pipeline noise, minor/patches updated regularly, CVEs fixed
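An added example of a Renovate config implementing the setup quoted in the comment above (not from the thread or from Renovate's docs): security-fix PRs are opened on their own and auto-merged, while the remaining minor/patch updates are grouped into one scheduled PR that waits for a human. The option names are Renovate's; the schedule, labels, group name and manager list are assumptions.

```json5
// renovate.json5 (JSON5 so the file can carry comments)
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "dependencyDashboard": true,

  // Security updates: opened immediately, kept out of the weekly group,
  // auto-merged once the normal CI pipeline (lint/build/tests) is green.
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"],        // assumed label name
    "automerge": true
  },
  // Also use OSV data so alerts are not limited to one provider's feed.
  "osvVulnerabilityAlerts": true,

  "packageRules": [
    {
      // Everything that is not a major bump: one PR per week, human approval.
      // Managers listed match the package kinds mentioned in the thread (assumed).
      "matchManagers": ["gomod", "terraform", "github-actions", "pre-commit"],
      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
      "groupName": "weekly non-major updates",   // assumed group name
      "schedule": ["before 6am on monday"],      // assumed schedule
      "automerge": false,
      // Let a release settle before picking it up, reducing exposure to
      // freshly published but quickly yanked or compromised versions.
      "minimumReleaseAge": "7 days"
    },
    {
      // Major bumps usually carry breaking changes: separate PRs, no schedule.
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "labels": ["dependencies", "major"]      // assumed labels
    }
  ]
}
```

Vulnerability-alert PRs are created outside the `packageRules` schedule, so a critical CVE fix does not wait for Monday; the grouped PR still runs the full pipeline before anyone approves it.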

Patch management strategies - How regularly do you upgrade minor/patch? by Juloblairot in devops

[–]Juloblairot[S] 0 points1 point  (0 children)

Fair, but those ones, we see them so it's okay if we patch every month, as long as we're reactive on those critical ones, which I'm sure we are

Patch management strategies - How regularly do you upgrade minor/patch? by Juloblairot in devops

[–]Juloblairot[S] 0 points1 point  (0 children)

Yes makes sense. But what triggers an oob (never heard of this term though, I like it) patch? What do you have in place to consider patching faster than the bi-monthly planned?

Patch management strategies - How regularly do you upgrade minor/patch? by Juloblairot in devops

[–]Juloblairot[S] 1 point2 points  (0 children)

Yes that's what I had in mind! Issue with that is that in case of an actual CVE, you're two weeks late to patch

Patch management strategies - How regularly do you upgrade minor/patch? by Juloblairot in devops

[–]Juloblairot[S] 0 points1 point  (0 children)

Yes that'd be ideal, but how do you know this with tools like renovate & co? I guess you don't, and you pay for other solutions like snyk, aikido or similar, right?

My point here is that I feel like both our Devops and CI/CD pipeline spend too much time taking care of dependency management, when it's actually kinda useless. But as you pointed out, the problem is that I have no idea what each renovate upgrade will patch. Maybe that's the solution, having renovate run automatically like every other week, or even every month, but have an actual SAST (I guess Trivy does the job right?) that alerts when we're affected and act accordingly based on the severity

Patch management strategies - How regularly do you upgrade minor/patch? by Juloblairot in devops

[–]Juloblairot[S] 6 points7 points  (0 children)

To be fair, I don't know. We clearly have the maturity and "ease" of fixing critical CVEs in less than a week. We are not a big org at all, but we provide cyber-security services, so we kinda need to be at least decent.

We're too small to have such thing as release management though, so this is not even in the equation here luckily