add renovate for bumping dependencies

we want to use renovate for updating the
dependencies in this repo. This commit adds
renovate to this repo.

update only patch kubernetes dependencies

We should only update patch updates using renovate
and minor one should be handled manually.

terminate file with an extra line

also udpates yamllint and all other yaml files.

Signed-off-by: kranurag7 <anurag.kumar@syself.com>

.github/renovate.json5

@@ -0,0 +1,47 @@
+{
+  extends: [
+    ":dependencyDashboard",
+    ":semanticPrefixFixDepsChoreOthers",
+    ":autodetectRangeStrategy",
+    ":disableRateLimiting",
+    ":semanticCommits",
+    "helpers:pinGitHubActionDigests",
+    "github>whitesource/merge-confidence:beta",
+    "github>SovereignCloudStack/cluster-stack-operator//.github/renovate/commitMessage.json5",
+    "github>SovereignCloudStack/cluster-stack-operator//.github/renovate/approval.json5",
+    "github>SovereignCloudStack/cluster-stack-operator//.github/renovate/golang.json5",
+    "github>SovereignCloudStack/cluster-stack-operator//.github/renovate/groups.json5",
+    "github>SovereignCloudStack/cluster-stack-operator//.github/renovate/labels.json5",
+    "github>SovereignCloudStack/cluster-stack-operator//.github/renovate/regexManagers.json5"
+  ],
+  platform: "github",
+  baseBranches: ["main"],
+  onboarding: false,
+  requireConfig: "ignored",
+  timezone: "Europe/Berlin",
+  // repo config
+  repositories: ["SovereignCloudStack/cluster-stack-operator"],
+  ignorePaths: [
+    "**/vendor/**",
+    "**/test/**",
+    "**/tests/**"
+  ],
+  username: "cluster-stack-bot[bot]",
+  gitAuthor: "cluster-stack-bot[bot] <143188378+cluster-stack-bot[bot]@users.noreply.github.com>",
+  // PR config
+  dependencyDashboardTitle: "Dependency Dashboard 🤖",
+  dependencyDashboardHeader: "",
+  prFooter: "",
+  suppressNotifications: ["prIgnoreNotification"],
+  rebaseWhen: "conflicted",
+  commitBodyTable: true,
+  prHourlyLimit: 1,
+  printConfig: true,
+  pruneStaleBranches: true,
+  allowPostUpgradeCommandTemplating: true,
+  separateMajorMinor: true,
+  separateMultipleMajor: true,
+  separateMinorPatch: true,
+  enabledManagers: ["dockerfile", "gomod", "github-actions", "regex"],
+  recreateClosed: true,
+}

.github/renovate/approval.json5

@@ -0,0 +1,11 @@
+{
+  packageRules: [
+    {
+      matchUpdateTypes: ["major", "minor"],
+      matchManagers: ["gomod"],
+      matchDepTypes: ["golang"],
+      description: "Ask for approval for golang updates",
+      dependencyDashboardApproval: true,
+    },
+  ],
+}

.github/renovate/commitMessage.json5

@@ -0,0 +1,18 @@
+{
+  "commitMessagePrefix": ":seedling: ",
+  "commitMessageTopic": "{{depName}}",
+  "commitMessageExtra": "to {{newVersion}}",
+  "commitMessageSuffix": "",
+  "group": { commitMessageTopic: "{{{groupName}}} group" },
+  "packageRules": [
+    {
+      "matchDatasources": ["helm"],
+      "commitMessageTopic": "chart {{depName}}"
+    },
+    {
+      "matchDatasources": ["docker"],
+      "commitMessageTopic": "image {{depName}}",
+      "commitMessageExtra": "to {{#if isSingleVersion}}v{{{newVersion}}}{{else}}{{{newValue}}}{{/if}}"
+    }
+  ]
+}

.github/renovate/golang.json5

@@ -0,0 +1,45 @@
+{
+  golang: {
+    postUpdateOptions: ["gomodTidy", "gomodUpdateImportPaths"],
+  },
+  // https://docs.renovatebot.com/configuration-options/#constraints
+  "constraints": {
+    "go": "1.21"
+  },
+  packageRules: [
+    {
+      description: "Disable Golang update for major and minor versions",
+      matchManagers: ["dockerfile"],
+      matchDepNames: ["docker.io/library/golang"],
+      matchUpdateTypes: ["major", "minor"],
+      enabled: false,
+    },
+    {
+      description: "Disable slim-sprig",
+      matchManagers: ["gomod"],
+      matchDepNames: ["github.com/go-task/slim-sprig"],
+      matchPaths: ["hack/tools/**"],
+      enabled: false,
+    },
+    {
+      description: "Disable update controller-tools",
+      matchManagers: ["gomod"],
+      matchDepNames: ["sigs.k8s.io/controller-runtime", "sigs.k8s.io/controller-tools", "github.com/google/go-github/v52"],
+      matchUpdateTypes: ["major", "minor"],
+      enabled: false,
+    },
+    {
+      description: "Disable update k8s packages",
+      matchManagers: ["gomod"],
+      matchDepNames: ["k8s.io/api", "k8s.io/apimachinery", "k8s.io/apiserver", "k8s.io/client-go", "k8s.io/kubectl", "k8s.io/code-generator"],
+      matchUpdateTypes: ["patch"],
+      enabled: true,
+    },
+    {
+      description: "Disable update cluster-api",
+      matchManagers: ["gomod"],
+      matchDepNames: ["sigs.k8s.io/cluster-api", "sigs.k8s.io/cluster-api/test", "sigs.k8s.io/cluster-api/hack/tools"],
+      enabled: false,
+    },
+  ],
+}

.github/renovate/groups.json5

@@ -0,0 +1,78 @@
+{
+  packageRules: [
+    {
+      description: "Update Builder Image",
+      groupName: "Builder Image",
+      groupSlug: "cso-builder-image",
+      commitMessageTopic: "Builder Image group",
+      matchPaths: ["images/builder/**"],
+      separateMajorMinor: false,
+      separateMultipleMajor: false,
+      separateMinorPatch: false,
+      schedule: ["on the first day of the month"],
+    },
+    {
+      description: "Update Cso Image",
+      groupName: "Cso Image",
+      matchManagers: ["dockerfile", "regex"],
+      separateMajorMinor: false,
+      separateMultipleMajor: false,
+      separateMinorPatch: false,
+      matchPaths: ["images/cso/**"],
+      commitMessageTopic: "Cso Image group",
+      groupSlug: "cso-manager-image",
+      schedule: ["on monday"],
+    },
+    {
+      description: "Update Makefile",
+      groupName: "Makefile",
+      matchManagers: ["regex"],
+      separateMajorMinor: false,
+      separateMultipleMajor: false,
+      separateMinorPatch: false,
+      matchFiles: ["Makefile"],
+      commitMessageTopic: "Makefile group",
+      groupSlug: "makefile",
+    },
+    {
+      description: "Update Github Actions",
+      groupName: "github-actions",
+      matchManagers: ["github-actions"],
+      matchUpdateTypes: ["major", "minor", "patch", "digest", "pin", "pinDigest"],
+      pinDigests: true,
+      commitMessageTopic: "Github Actions group",
+      groupSlug: "github-actions",
+      schedule: ["on monday"],
+    },
+    {
+      description: "Update Bot Schedule",
+      matchManagers: ["github-actions"],
+      matchUpdateTypes: ["major", "minor", "patch"],
+      matchPackageNames: ["renovatebot/github-action"],
+      schedule: ["on the first day of the month"],
+    },
+    {
+      description: "Update Go Dev Dependencies",
+      groupName: "Update Go Dev Dependencies",
+      matchManagers: ["gomod"],
+      matchPaths: ["hack/tools/**"],
+      commitMessageTopic: "Go Dev Dependencies group",
+      groupSlug: "golang-devs-deps",
+    },
+    {
+      description: "Update Golang Dependencies",
+      groupName: "Update Golang Dependencies",
+      matchManagers: ["gomod"],
+      ignorePaths: ["hack/tools/**"],
+      commitMessageTopic: "Golang Dependencies group",
+      groupSlug: "golang-deps",
+    },
+    {
+      description: "disable update of cso builder image",
+      matchManagers: ["github-actions"],
+      matchUpdateTypes: ["major", "minor", "patch"],
+      matchPackageNames: ["ghcr.io/sovereigncloudstack/cso-builder"],
+      enabled: false,
+    },
+  ]
+}

.github/renovate/labels.json5

@@ -0,0 +1,32 @@
+{
+    "packageRules": [
+      {
+        "matchUpdateTypes": ["major"],
+        "labels": ["type/major"]
+      },
+      {
+        "matchUpdateTypes": ["minor"],
+        "labels": ["type/minor"]
+      },
+      {
+        "matchUpdateTypes": ["patch"],
+        "labels": ["type/patch"]
+      },
+      {
+        "matchDatasources": ["helm"],
+        "addLabels": ["update/helm"]
+      },
+      {
+        "matchDatasources": ["docker"],
+        "addLabels": ["update/container"]
+      },
+      {
+        "matchManagers": ["github-actions"],
+        "addLabels": ["update/github-action"]
+      },
+      {
+        "matchDatasources": ["go"],
+        "addLabels": ["update/go"]
+      }
+    ]
+  }

.github/renovate/regexManagers.json5

@@ -0,0 +1,19 @@
+{
+  "regexManagers": [
+    {
+      "fileMatch": [".yaml$", ".yml$", "Makefile", "(^|/|\.)Dockerfile$", "(^|/)Dockerfile[^/]*$"],
+      "matchStrings": [
+        ".*(@|=|==|:\\s)(?<currentValue>[v0-9.-]+)\\s#\\supdate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)( extractVersion=(?<extractVersion>.+?))?( versioning=(?<versioning>.*?))?\\s"
+      ],
+      "extractVersionTemplate":"{{#if extractVersion}}{{{extractVersion}}}{{/if}}",
+      "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}"
+    },
+    {
+      "fileMatch": ["(^|/|\.)Dockerfile$", "(^|/)Dockerfile[^/]*$"],
+      "matchStrings": [
+        "#\\s*update:\\s*datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\sENV .*?_VERSION=\"(?<currentValue>.*)\"\\s"
+      ],
+      "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}"
+    },
+  ]
+}

.github/workflows/schedule-update-bot.yaml

@@ -0,0 +1,57 @@
+name: Schedule - Update Bot
+on: # yamllint disable-line rule:truthy
+  workflow_dispatch:
+    inputs:
+      dryRun:
+        description: "Dry-Run"
+        default: "false"
+        required: false
+      logLevel:
+        description: "Log-Level"
+        default: "debug"
+        required: false
+  schedule:
+    - cron: "0 11 * * *"
+  push:
+    branches:
+      - main
+    paths:
+      - ".github/renovate.json5"
+      - ".github/renovate/**.json5"
+env:
+  LOG_LEVEL: info
+  DRY_RUN: false
+  RENOVATE_CONFIG_FILE: .github/renovate.json5
+# yamllint disable rule:line-length
+jobs:
+  update-bot:
+    if: github.repository == 'SovereignCloudStack/cluster-stack-operator'
+    name: Renovate
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Generate Token
+        uses: actions/create-github-app-token@f4c6bf6752984b3a29fcc135a5e70eb792c40c6b # v1
+        id: generate-token
+        with:
+          app-id: ${{ secrets.SCS_APP_ID }}
+          private-key: ${{ secrets.SCS_APP_PRIVATE_KEY }}
+
+      - name: Override default config from dispatch variables
+        run: |
+          echo "DRY_RUN=${{ github.event.inputs.dryRun || env.DRY_RUN }}" >> "$GITHUB_ENV"
+          echo "LOG_LEVEL=${{ github.event.inputs.logLevel || env.LOG_LEVEL }}" >> "$GITHUB_ENV"
+
+      - name: Renovate
+        uses: renovatebot/github-action@f9c81dddc9b589e4e6ae0326d1e36f6bc415d230 # v39.2.4
+        env:
+          RENOVATE_HOST_RULES: '[{"hostType": "docker", "matchHost": "ghcr.io", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
+          RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS: '[".*"]'
+          BUILDER_IMAGE: 'ghcr.io/sovereigncloudstack/cso'
+          RENOVATE_POST_UPGRADE_TASKS: '{ commands: ["BUILD_IMAGE_TOKEN=${{ secrets.GITHUB_TOKEN }} BUILD_IMAGE_USER=${{ github.actor }} CI=true ./hack/upgrade-builder-image.sh"], fileFilters: ["Makefile", ".github/**/*.yml", ".github/**/*.yaml"], executionMode: "branch"}'
+        with:
+          configurationFile: ${{ env.RENOVATE_CONFIG_FILE }}
+          token: "x-access-token:${{ steps.generate-token.outputs.token }}"
+          mount-docker-socket: "true"

.github/workflows/test.yml

@@ -64,4 +64,4 @@ jobs:
           GIT_REPOSITORY_NAME: cluster-stacks
           GO111MODULE: "on"
           GIT_ACCESS_TOKEN: ${{ secrets.GIT_ACCESS_TOKEN }}
-        run: make test-integration-workloadcluster
+        run: make test-integration-workloadcluster

.hadolint.yaml

@@ -4,4 +4,4 @@ ignored: []
 no-color: false
 no-fail: false
 strict-labels: false
-disable-ignore-pragma: false
+disable-ignore-pragma: false

.yamllint.yaml

@@ -10,7 +10,7 @@ rules:
     spaces: 2
     indent-sequences: consistent
   line-length: disable
-  new-line-at-end-of-file: disable
+  new-line-at-end-of-file: enable
   truthy: disable
   document-start: false
   comments:
@@ -26,4 +26,4 @@ ignore:
   - _artifacts
   - config/crd/**/*.yaml
   - config/rbac/**/*.yaml
-  - config/webhook/**/*.yaml
+  - config/webhook/**/*.yaml

config/certmanager/certificate.yaml

@@ -25,4 +25,4 @@ spec:
   secretName: cso-webhook-server-cert  # this secret will not be prefixed, since it's not managed by kustomize
   subject:
     organizations:
-    - k8s-sig-cluster-lifecycle
+    - k8s-sig-cluster-lifecycle

config/manager/credentials.yaml

@@ -8,4 +8,4 @@ data:
   git-provider: ${GIT_PROVIDER_B64:=""}
   git-org-name: ${GIT_ORG_NAME_B64:=""}
   git-repo-name: ${GIT_REPOSITORY_NAME_B64:=""}
-  git-access-token: ${GIT_ACCESS_TOKEN_B64:=""}
+  git-access-token: ${GIT_ACCESS_TOKEN_B64:=""}

config/manager/kustomization.yaml

@@ -1,3 +1,3 @@
 resources:
 - manager.yaml
-- credentials.yaml
+- credentials.yaml