From 25047ab2c36ce294e3d34cad1cb46ea70b053f4f Mon Sep 17 00:00:00 2001 From: kranurag7 Date: Mon, 26 Feb 2024 14:40:43 +0530 Subject: [PATCH] add renovate for bumping dependencies we want to use renovate for updating the dependencies in this repo. This commit adds renovate to this repo. update only patch kubernetes dependencies We should only update patch updates using renovate and minor one should be handled manually. terminate file with an extra line also updates yamllint and all other yaml files. Signed-off-by: kranurag7 --- .github/renovate.json5 | 47 +++++++++++++ .github/renovate/approval.json5 | 11 +++ .github/renovate/commitMessage.json5 | 18 +++++ .github/renovate/golang.json5 | 45 +++++++++++++ .github/renovate/groups.json5 | 78 ++++++++++++++++++++++ .github/renovate/labels.json5 | 32 +++++++++ .github/renovate/regexManagers.json5 | 19 ++++++ .github/workflows/schedule-update-bot.yaml | 57 ++++++++++++++++ .hadolint.yaml | 2 +- .yamllint.yaml | 4 +- config/certmanager/certificate.yaml | 2 +- config/manager/credentials.yaml | 2 +- config/manager/kustomization.yaml | 2 +- 13 files changed, 313 insertions(+), 6 deletions(-) create mode 100644 .github/renovate.json5 create mode 100644 .github/renovate/approval.json5 create mode 100644 .github/renovate/commitMessage.json5 create mode 100644 .github/renovate/golang.json5 create mode 100644 .github/renovate/groups.json5 create mode 100644 .github/renovate/labels.json5 create mode 100644 .github/renovate/regexManagers.json5 create mode 100644 .github/workflows/schedule-update-bot.yaml diff --git a/.github/renovate.json5 b/.github/renovate.json5 new file mode 100644 index 000000000..dcd6b6bec --- /dev/null +++ b/.github/renovate.json5 
@@ -0,0 +1,47 @@
+{
+ extends: [
+ ":dependencyDashboard",
+ ":semanticPrefixFixDepsChoreOthers",
+ ":autodetectRangeStrategy",
+ ":disableRateLimiting",
+ ":semanticCommits",
+ "helpers:pinGitHubActionDigests",
+ "github>whitesource/merge-confidence:beta",
+ "github>SovereignCloudStack/cluster-stack-operator//.github/renovate/commitMessage.json5",
+ "github>SovereignCloudStack/cluster-stack-operator//.github/renovate/approval.json5",
+ "github>SovereignCloudStack/cluster-stack-operator//.github/renovate/golang.json5",
+ "github>SovereignCloudStack/cluster-stack-operator//.github/renovate/groups.json5",
+ "github>SovereignCloudStack/cluster-stack-operator//.github/renovate/labels.json5",
+ "github>SovereignCloudStack/cluster-stack-operator//.github/renovate/regexManagers.json5"
+ ],
+ platform: "github",
+ baseBranches: ["main"],
+ onboarding: false,
+ requireConfig: "ignored",
+ timezone: "Europe/Berlin",
+ // repo config
+ repositories: ["SovereignCloudStack/cluster-stack-operator"],
+ ignorePaths: [
+ "**/vendor/**",
+ "**/test/**",
+ "**/tests/**"
+ ],
+ username: "cluster-stack-bot[bot]",
+ gitAuthor: "cluster-stack-bot[bot] <143188378+cluster-stack-bot[bot]@users.noreply.github.com>",
+ // PR config
+ dependencyDashboardTitle: "Dependency Dashboard 🤖",
+ dependencyDashboardHeader: "",
+ prFooter: "",
+ suppressNotifications: ["prIgnoreNotification"],
+ rebaseWhen: "conflicted",
+ commitBodyTable: true,
+ prHourlyLimit: 1,
+ printConfig: true,
+ pruneStaleBranches: true,
+ allowPostUpgradeCommandTemplating: true,
+ separateMajorMinor: true,
+ separateMultipleMajor: true,
+ separateMinorPatch: true,
+ enabledManagers: ["dockerfile", "gomod", "github-actions", "regex"],
+ recreateClosed: true,
+}
diff --git a/.github/renovate/approval.json5 b/.github/renovate/approval.json5
new file mode 100644
index 000000000..757cfba88
--- /dev/null
+++ b/.github/renovate/approval.json5
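Review bot: In `.github/renovate.json5`, the `extends` entry `"github>whitesource/merge-confidence:beta"` pulls a preset from a third-party repository with no ref, so whatever that preset contains at run time becomes part of the bot's effective configuration. That matters more than usual here because this file sets `allowPostUpgradeCommandTemplating: true` and the workflow added in the same commit allows every post-upgrade command (`RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS: '[".*"]'`), so a changed preset could in principle introduce `postUpgradeTasks` that execute on the runner. Pin the preset with Renovate's `#<ref>` suffix, for example `"github>whitesource/merge-confidence:beta#<tag-or-sha>"`, or drop it if the merge-confidence badges are not needed.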
@@ -0,0 +1,11 @@
+{
+ packageRules: [
+ {
+ matchUpdateTypes: ["major", "minor"],
+ matchManagers: ["gomod"],
+ matchDepTypes: ["golang"],
+ description: "Ask for approval for golang updates",
+ dependencyDashboardApproval: true,
+ },
+ ],
+}
diff --git a/.github/renovate/commitMessage.json5 b/.github/renovate/commitMessage.json5
new file mode 100644
index 000000000..d6234c348
--- /dev/null
+++ b/.github/renovate/commitMessage.json5
@@ -0,0 +1,18 @@
+{
+ "commitMessagePrefix": ":seedling: ",
+ "commitMessageTopic": "{{depName}}",
+ "commitMessageExtra": "to {{newVersion}}",
+ "commitMessageSuffix": "",
+ "group": { commitMessageTopic: "{{{groupName}}} group" },
+ "packageRules": [
+ {
+ "matchDatasources": ["helm"],
+ "commitMessageTopic": "chart {{depName}}"
+ },
+ {
+ "matchDatasources": ["docker"],
+ "commitMessageTopic": "image {{depName}}",
+ "commitMessageExtra": "to {{#if isSingleVersion}}v{{{newVersion}}}{{else}}{{{newValue}}}{{/if}}"
+ }
+ ]
+}
diff --git a/.github/renovate/golang.json5 b/.github/renovate/golang.json5
new file mode 100644
index 000000000..657e09246
--- /dev/null
+++ b/.github/renovate/golang.json5
@@ -0,0 +1,45 @@
+{
+ golang: {
+ postUpdateOptions: ["gomodTidy", "gomodUpdateImportPaths"],
+ },
+ // https://docs.renovatebot.com/configuration-options/#constraints
+ "constraints": {
+ "go": "1.21"
+ },
+ packageRules: [
+ {
+ description: "Disable Golang update for major and minor versions",
+ matchManagers: ["dockerfile"],
+ matchDepNames: ["docker.io/library/golang"],
+ matchUpdateTypes: ["major", "minor"],
+ enabled: false,
+ },
+ {
+ description: "Disable slim-sprig",
+ matchManagers: ["gomod"],
+ matchDepNames: ["github.com/go-task/slim-sprig"],
+ matchPaths: ["hack/tools/**"],
+ enabled: false,
+ },
+ {
+ description: "Disable update controller-tools",
+ matchManagers: ["gomod"],
+ matchDepNames: ["sigs.k8s.io/controller-runtime", "sigs.k8s.io/controller-tools", "github.com/google/go-github/v52"],
+ matchUpdateTypes: ["major", "minor"],
+ enabled: false,
+ },
+ {
+ description: "Disable update k8s packages",
+ matchManagers: ["gomod"],
+ matchDepNames: ["k8s.io/api", "k8s.io/apimachinery", "k8s.io/apiserver", "k8s.io/client-go", "k8s.io/kubectl", "k8s.io/code-generator"],
+ matchUpdateTypes: ["patch"],
+ enabled: true,
+ },
+ {
+ description: "Disable update cluster-api",
+ matchManagers: ["gomod"],
+ matchDepNames: ["sigs.k8s.io/cluster-api", "sigs.k8s.io/cluster-api/test", "sigs.k8s.io/cluster-api/hack/tools"],
+ enabled: false,
+ },
+ ],
+}
diff --git a/.github/renovate/groups.json5 b/.github/renovate/groups.json5
new file mode 100644
index 000000000..8447bd998
--- /dev/null
+++ b/.github/renovate/groups.json5
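Review bot: In `.github/renovate/golang.json5`, the rule described as "Disable update k8s packages" does not disable anything: it matches `matchUpdateTypes: ["patch"]` with `enabled: true`, which is already the default, so major and minor updates of the listed `k8s.io/*` modules stay enabled. The commit message says only patch updates of the Kubernetes dependencies should be automated, which needs the inverse rule: `matchUpdateTypes: ["major", "minor"],` with `enabled: false,`. The description should change with it, for example `description: "Disable major and minor updates of k8s packages",`.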
@@ -0,0 +1,78 @@
+{
+ packageRules: [
+ {
+ description: "Update Builder Image",
+ groupName: "Builder Image",
+ groupSlug: "cso-builder-image",
+ commitMessageTopic: "Builder Image group",
+ matchPaths: ["images/builder/**"],
+ separateMajorMinor: false,
+ separateMultipleMajor: false,
+ separateMinorPatch: false,
+ schedule: ["on the first day of the month"],
+ },
+ {
+ description: "Update Cso Image",
+ groupName: "Cso Image",
+ matchManagers: ["dockerfile", "regex"],
+ separateMajorMinor: false,
+ separateMultipleMajor: false,
+ separateMinorPatch: false,
+ matchPaths: ["images/cso/**"],
+ commitMessageTopic: "Cso Image group",
+ groupSlug: "cso-manager-image",
+ schedule: ["on monday"],
+ },
+ {
+ description: "Update Makefile",
+ groupName: "Makefile",
+ matchManagers: ["regex"],
+ separateMajorMinor: false,
+ separateMultipleMajor: false,
+ separateMinorPatch: false,
+ matchFiles: ["Makefile"],
+ commitMessageTopic: "Makefile group",
+ groupSlug: "makefile",
+ },
+ {
+ description: "Update Github Actions",
+ groupName: "github-actions",
+ matchManagers: ["github-actions"],
+ matchUpdateTypes: ["major", "minor", "patch", "digest", "pin", "pinDigest"],
+ pinDigests: true,
+ commitMessageTopic: "Github Actions group",
+ groupSlug: "github-actions",
+ schedule: ["on monday"],
+ },
+ {
+ description: "Update Bot Schedule",
+ matchManagers: ["github-actions"],
+ matchUpdateTypes: ["major", "minor", "patch"],
+ matchPackageNames: ["renovatebot/github-action"],
+ schedule: ["on the first day of the month"],
+ },
+ {
+ description: "Update Go Dev Dependencies",
+ groupName: "Update Go Dev Dependencies",
+ matchManagers: ["gomod"],
+ matchPaths: ["hack/tools/**"],
+ commitMessageTopic: "Go Dev Dependencies group",
+ groupSlug: "golang-devs-deps",
+ },
+ {
+ description: "Update Golang Dependencies",
+ groupName: "Update Golang Dependencies",
+ matchManagers: ["gomod"],
+ ignorePaths: ["hack/tools/**"],
+ commitMessageTopic: "Golang Dependencies group",
+ groupSlug: "golang-deps",
+ },
+ {
+ description: "disable update of cso builder image",
+ matchManagers: ["github-actions"],
+ matchUpdateTypes: ["major", "minor", "patch"],
+ matchPackageNames: ["ghcr.io/sovereigncloudstack/cso-builder"],
+ enabled: false,
+ },
+ ]
+}
diff --git a/.github/renovate/labels.json5 b/.github/renovate/labels.json5
new file mode 100644
index 000000000..216100d2d
--- /dev/null
+++ b/.github/renovate/labels.json5
@@ -0,0 +1,32 @@
+{
+ "packageRules": [
+ {
+ "matchUpdateTypes": ["major"],
+ "labels": ["type/major"]
+ },
+ {
+ "matchUpdateTypes": ["minor"],
+ "labels": ["type/minor"]
+ },
+ {
+ "matchUpdateTypes": ["patch"],
+ "labels": ["type/patch"]
+ },
+ {
+ "matchDatasources": ["helm"],
+ "addLabels": ["update/helm"]
+ },
+ {
+ "matchDatasources": ["docker"],
+ "addLabels": ["update/container"]
+ },
+ {
+ "matchManagers": ["github-actions"],
+ "addLabels": ["update/github-action"]
+ },
+ {
+ "matchDatasources": ["go"],
+ "addLabels": ["update/go"]
+ }
+ ]
+ }
diff --git a/.github/renovate/regexManagers.json5 b/.github/renovate/regexManagers.json5
new file mode 100644
index 000000000..1f7345348
--- /dev/null
+++ b/.github/renovate/regexManagers.json5
@@ -0,0 +1,19 @@
+{
+ "regexManagers": [
+ {
+ "fileMatch": [".yaml$", ".yml$", "Makefile", "(^|/|\.)Dockerfile$", "(^|/)Dockerfile[^/]*$"],
+ "matchStrings": [
+ ".*(@|=|==|:\\s)(?[v0-9.-]+)\\s#\\supdate: datasource=(?.*?) depName=(?.*?)( extractVersion=(?.+?))?( versioning=(?.*?))?\\s"
+ ],
+ "extractVersionTemplate":"{{#if extractVersion}}{{{extractVersion}}}{{/if}}",
+ "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}"
+ },
+ {
+ "fileMatch": ["(^|/|\.)Dockerfile$", "(^|/)Dockerfile[^/]*$"],
+ "matchStrings": [
+ "#\\s*update:\\s*datasource=(?.*?) depName=(?.*?)( versioning=(?.*?))?\\sENV .*?_VERSION=\"(?.*)\"\\s"
+ ],
+ "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}"
+ },
+ ]
+}
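Review bot: In `.github/renovate/groups.json5`, the "Update Golang Dependencies" rule uses `ignorePaths: ["hack/tools/**"]`, but `ignorePaths` is a file-discovery option rather than a `match*` selector, so it most likely does not narrow this rule (worth confirming against the Renovate version in use). The rule would then match every `gomod` dependency, and because it comes after "Update Go Dev Dependencies" its `groupName` and `groupSlug` would override the dev-dependency group for `hack/tools/**` as well. Dropping `ignorePaths` here and moving the `matchPaths: ["hack/tools/**"]` rule below this one gives the intended split, since later package rules take precedence.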
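Review bot: In `.github/renovate/regexManagers.json5`, both `fileMatch` arrays write `"(^|/|\.)Dockerfile$"` with a single backslash, which the JSON5 string parser consumes, so the pattern Renovate receives is `(^|/|.)Dockerfile$` with an unescaped dot. Use `"(^|/|\\.)Dockerfile$"`, matching the doubled backslashes already used in `matchStrings`. The entries `".yaml$"` and `".yml$"` have the same unescaped dot and could be written as `"\\.ya?ml$"`.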
diff --git a/.github/workflows/schedule-update-bot.yaml b/.github/workflows/schedule-update-bot.yaml
new file mode 100644
index 000000000..2feff468e
--- /dev/null
+++ b/.github/workflows/schedule-update-bot.yaml
@@ -0,0 +1,57 @@
+name: Schedule - Update Bot
+on: # yamllint disable-line rule:truthy
+ workflow_dispatch:
+ inputs:
+ dryRun:
+ description: "Dry-Run"
+ default: "false"
+ required: false
+ logLevel:
+ description: "Log-Level"
+ default: "debug"
+ required: false
+ schedule:
+ - cron: "0 11 * * *"
+ push:
+ branches:
+ - main
+ paths:
+ - ".github/renovate.json5"
+ - ".github/renovate/**.json5"
+env:
+ LOG_LEVEL: info
+ DRY_RUN: false
+ RENOVATE_CONFIG_FILE: .github/renovate.json5
+# yamllint disable rule:line-length
+jobs:
+ update-bot:
+ if: github.repository == 'SovereignCloudStack/cluster-stack-operator'
+ name: Renovate
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Generate Token
+ uses: actions/create-github-app-token@f4c6bf6752984b3a29fcc135a5e70eb792c40c6b # v1
+ id: generate-token
+ with:
+ app-id: ${{ secrets.SCS_APP_ID }}
+ private-key: ${{ secrets.SCS_APP_PRIVATE_KEY }}
+
+ - name: Override default config from dispatch variables
+ run: |
+ echo "DRY_RUN=${{ github.event.inputs.dryRun || env.DRY_RUN }}" >> "$GITHUB_ENV"
+ echo "LOG_LEVEL=${{ github.event.inputs.logLevel || env.LOG_LEVEL }}" >> "$GITHUB_ENV"
+
+ - name: Renovate
+ uses: renovatebot/github-action@f9c81dddc9b589e4e6ae0326d1e36f6bc415d230 # v39.2.4
+ env:
+ RENOVATE_HOST_RULES: '[{"hostType": "docker", "matchHost": "ghcr.io", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
+ RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS: '[".*"]'
+ BUILDER_IMAGE: 'ghcr.io/sovereigncloudstack/cso'
+ RENOVATE_POST_UPGRADE_TASKS: '{ commands: ["BUILD_IMAGE_TOKEN=${{ secrets.GITHUB_TOKEN }} BUILD_IMAGE_USER=${{ github.actor }} CI=true ./hack/upgrade-builder-image.sh"], fileFilters: ["Makefile", ".github/**/*.yml", ".github/**/*.yaml"], executionMode: "branch"}'
+ with:
+ configurationFile: ${{ env.RENOVATE_CONFIG_FILE }}
+ token: "x-access-token:${{ steps.generate-token.outputs.token }}"
+ mount-docker-socket: "true"
diff --git a/.hadolint.yaml b/.hadolint.yaml
index f7f27d05a..59dc7ca08 100644
--- a/.hadolint.yaml
+++ b/.hadolint.yaml
@@ -4,4 +4,4 @@ ignored: []
 no-color: false
 no-fail: false
 strict-labels: false
-disable-ignore-pragma: false
\ No newline at end of file
+disable-ignore-pragma: false
diff --git a/.yamllint.yaml b/.yamllint.yaml
index 164f56052..6f654c168 100644
--- a/.yamllint.yaml
+++ b/.yamllint.yaml
@@ -10,7 +10,7 @@ rules:
 spaces: 2
 indent-sequences: consistent
 line-length: disable
- new-line-at-end-of-file: disable
+ new-line-at-end-of-file: enable
 truthy: disable
 document-start: false
 comments:
@@ -26,4 +26,4 @@ ignore:
 - _artifacts
 - config/crd/**/*.yaml
 - config/rbac/**/*.yaml
- config/webhook/**/*.yaml
\ No newline at end of file
+ - config/webhook/**/*.yaml
diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml
index e894ada3b..c5a164c8a 100644
--- a/config/certmanager/certificate.yaml
+++ b/config/certmanager/certificate.yaml
@@ -25,4 +25,4 @@ spec:
 secretName: cso-webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize
 subject:
 organizations:
- k8s-sig-cluster-lifecycle
\ No newline at end of file
+ - k8s-sig-cluster-lifecycle
diff --git a/config/manager/credentials.yaml b/config/manager/credentials.yaml
index dec755958..c8211f0a3 100644
--- a/config/manager/credentials.yaml
+++ b/config/manager/credentials.yaml
@@ -8,4 +8,4 @@ data:
 git-provider: ${GIT_PROVIDER_B64:=""}
 git-org-name: ${GIT_ORG_NAME_B64:=""}
 git-repo-name: ${GIT_REPOSITORY_NAME_B64:=""}
- git-access-token: ${GIT_ACCESS_TOKEN_B64:=""}
\ No newline at end of file
+ git-access-token: ${GIT_ACCESS_TOKEN_B64:=""}
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
index d23523982..d797a472c 100644
--- a/config/manager/kustomization.yaml
+++ b/config/manager/kustomization.yaml
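Review bot: In `.github/workflows/schedule-update-bot.yaml`, `RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS: '[".*"]'` permits any post-upgrade command while the same job mounts the Docker socket and places `secrets.GITHUB_TOKEN` on the command line; the only command configured is `./hack/upgrade-builder-image.sh`, so the allow-list can be limited to it, for example `'["\\./hack/upgrade-builder-image\\.sh$"]'`. The "Override default config from dispatch variables" step also expands `${{ github.event.inputs.dryRun }}` and `${{ github.event.inputs.logLevel }}` directly inside the `run:` script, where the text is substituted before the shell parses it; passing the inputs through `env:` and reading them as shell variables keeps them as data, as in the rewritten step below. The workflow declares no `permissions:` block, so `GITHUB_TOKEN` gets the repository default; an explicit minimal block is worth adding once it is clear what the builder-image script needs.

```yaml
      - name: Override default config from dispatch variables
        env:
          INPUT_DRY_RUN: ${{ github.event.inputs.dryRun }}
          INPUT_LOG_LEVEL: ${{ github.event.inputs.logLevel }}
        run: |
          echo "DRY_RUN=${INPUT_DRY_RUN:-$DRY_RUN}" >> "$GITHUB_ENV"
          echo "LOG_LEVEL=${INPUT_LOG_LEVEL:-$LOG_LEVEL}" >> "$GITHUB_ENV"
```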
@@ -1,3 +1,3 @@
 resources:
 - manager.yaml
-- credentials.yaml
\ No newline at end of file
+- credentials.yaml