
ci: add renovate config #98

Merged
sydorovdmytro merged 2 commits into main from devops-969/add-renovate-config
Jun 8, 2026


@sydorovdmytro

Contributor

Closes DEVOPS-969

Summary

  • Onboard Renovate for this public Go API/library, covering go.mod, GitHub Actions, and the pinned code-generator tools in the Justfile.
  • Conservative policy: Go patch updates grouped, the k8s.io/sigs.k8s.io ecosystem grouped so it moves in lockstep; majors and minors stay individual PRs for review.
  • Add the validate-renovate CI caller workflow so config edits are validated on every PR.

Coverage

| Dependency surface | Manager |
| --- | --- |
| go.mod requires (26 deps incl. go directive, k8s.io/*, sigs.k8s.io/*, stripe-go, x/*, protobuf) | built-in gomod (+ gomodTidy) |
| .github/workflows/*.yaml uses: actions (checkout, setup-go, golangci-lint-action) + the new validate-renovate pin | built-in github-actions (digests pinned via helpers:pinGitHubActionDigests) |
| go-version: "1.22" in go.yml setup-go step | built-in github-actions (native go-version detection) |
| go run k8s.io/code-generator/cmd/deepcopy-gen@v0.28.1 in Justfile | custom regex manager (datasource go) |
| go run k8s.io/kube-openapi/cmd/openapi-gen@v0.0.0-... in Justfile | custom regex manager (datasource go) |

The two Justfile tool pins use depNames k8s.io/code-generator and k8s.io/kube-openapi, so they group under k8s-go-deps alongside the matching go.mod entries.

Deliberately not managed

  • go run github.com/dkorunic/betteralign/cmd/betteralign@latest (Justfile) — pinned to @latest, not a fixed version, so there is nothing for Renovate to bump. Left as-is.
  • No replace directives, no vendor/, no Dockerfiles, no Terraform, no Helm charts, no .tool-versions, no proto/buf toolchain, no dependabot.yml — none exist in this repo, so no managers or removals were needed.

Test plan

  • renovate-config-validator renovate.json — passed ("Config validated successfully").
  • Custom regex managers verified with python3's re module against the real files — each matchString matches exactly once:
    • deepcopy-gen pattern -> 1 match (v0.28.1)
    • openapi-gen pattern -> 1 match (v0.0.0-20260127142750-a19766b6e2d4)
  • LOG_LEVEL=debug renovate --platform=local --dry-run=extract — 7 package files found across managers: github-actions (4 workflow files, incl. go-version + validate-renovate digest), gomod (go.mod, 26 deps), regex (2 Justfile tool pins). Every ecosystem from the inventory is covered.
  • actionlint on the new workflow — 0 findings.
  • zizmor on the new workflow — 0 findings (reusable workflow pinned to SHA b52efbd927586ea78282073f79d2423e552c9f62 for validate-renovate/v1).

Post-merge checklist

  • Dependency Dashboard issue appears and the first run resolves all managers (gomod, github-actions, 2x regex).
  • Existing GitHub security alerts start getting security-labeled PRs (bypass the weekly schedule).

sydorovdmytro merged commit b7019d4 into main Jun 8, 2026
3 checks passed
sydorovdmytro deleted the devops-969/add-renovate-config branch June 8, 2026 13:11
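
The "each matchString matches exactly once" check from the test plan, as an added example (not code from this PR or its repository). The Justfile excerpt and both matchStrings are constructed for illustration; the repository's actual renovate.json patterns are not shown on this page.

```python
import re

# Constructed Justfile excerpt: recipe names and arguments are hypothetical,
# the three `go run` pins are the ones named in the PR description.
JUSTFILE = """\
generate:
    go run k8s.io/code-generator/cmd/deepcopy-gen@v0.28.1 ./...
    go run k8s.io/kube-openapi/cmd/openapi-gen@v0.0.0-20260127142750-a19766b6e2d4 ./...

align:
    go run github.com/dkorunic/betteralign/cmd/betteralign@latest ./...
"""

# Hypothetical matchStrings written in Renovate's (?<name>...) group syntax.
MATCH_STRINGS = {
    "deepcopy-gen": r"go run (?<depName>k8s\.io/code-generator)"
                    r"/cmd/deepcopy-gen@(?<currentValue>v\d\S*)",
    "openapi-gen": r"go run (?<depName>k8s\.io/kube-openapi)"
                   r"/cmd/openapi-gen@(?<currentValue>v\d\S*)",
}


def to_python(pattern):
    """Rewrite (?<name>...) as Python's (?P<name>...); keep lookbehinds."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def extract(pattern, text):
    """Return (depName, currentValue) for every match of one matchString."""
    rx = re.compile(to_python(pattern))
    return [(m["depName"], m["currentValue"]) for m in rx.finditer(text)]


def verify(match_strings, text):
    """Require exactly one hit per matchString; raise on zero or duplicates."""
    found = {}
    for name, pattern in match_strings.items():
        hits = extract(pattern, text)
        if len(hits) != 1:
            raise ValueError(f"{name}: expected 1 match, got {len(hits)}")
        found[name] = hits[0]
    return found


if __name__ == "__main__":
    for name, (dep, version) in verify(MATCH_STRINGS, JUSTFILE).items():
        print(f"{name}: {dep} @ {version}")
```

A pattern that requires a `v<digit>` version, as these do, leaves the `@latest` pin unmatched, which is consistent with the PR leaving betteralign unmanaged.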

2 participants