
ROSA-745: per-repo dependency automation config #917

Draft
MitaliBhalla wants to merge 1 commit into openshift:master from MitaliBhalla:rosa-745-dependency-config

Conversation

@MitaliBhalla (Contributor) commented Jun 11, 2026

Summary

ROSA-745 phase 2 — per-repo dependency automation (not on boilerplate).

Draft — for team review before merge. Depends on DPP branch protection (openshift/release#80263) for required checks.

Test plan

  • Confirm Dependabot/MintMaker opens PRs after merge
  • Patch/minor updates merge when required prow/Konflux checks pass
  • Major updates stay manual

Summary by CodeRabbit

  • Chores
    • Updated Dependabot configuration to check for Go module dependencies on a weekly schedule instead of daily.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 11, 2026
@openshift-ci-robot commented Jun 11, 2026

@MitaliBhalla: This pull request references ROSA-745 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the initiative to target the "5.0.0" version, but no target version was set.

Details


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 11, 2026
@coderabbitai (Bot) commented Jun 11, 2026

Walkthrough

The Dependabot configuration for Go modules was updated to reduce update frequency from daily to weekly. Additional configuration fields for open pull request limits and dependency grouping patterns for AWS SDK, Kubernetes, and OpenShift packages were added to the gomod update settings.

Changes

Dependabot Configuration Update

Layer: Go Module Update Schedule and Grouping Configuration
File(s): .github/dependabot.yml
Summary: The gomod package ecosystem update schedule switched from daily to weekly. Explicit open-pull-requests-limit and groups entries were added to organize dependency updates for AWS SDK, Kubernetes, and OpenShift packages separately.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Title check ✅ Passed The title references ROSA-745 and describes per-repo dependency automation config, which aligns with the PR's objective to implement phase 2 of ROSA-745 for per-repo dependency automation.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed All Ginkgo test names in the PR use stable, static strings with no dynamic content like pod names, timestamps, UUIDs, node names, or IP addresses. Test names are descriptive and deterministic acros...
Test Structure And Quality ✅ Passed The custom check applies to Ginkgo test code quality, but this PR only modifies .github/dependabot.yml (Dependabot configuration), not test code. The check is not applicable.
Microshift Test Compatibility ✅ Passed This PR only modifies .github/dependabot.yml (dependency automation configuration). No new Ginkgo e2e tests are added, so the MicroShift test compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR modifies only .github/dependabot.yml (a configuration file) and adds no Ginkgo e2e tests. The SNO Test Compatibility check only applies when new tests are added; it does not apply here.
Topology-Aware Scheduling Compatibility ✅ Passed PR modifies only .github/dependabot.yml (CI/CD automation config), not deployment manifests, operator code, or controllers. No scheduling constraints are introduced.
Ote Binary Stdout Contract ✅ Passed PR only modifies .github/dependabot.yml (Dependabot config file). OTE Binary Stdout Contract check applies only to Go source code, test suites, and logging—none of which are changed here.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed This PR modifies only .github/dependabot.yml, a configuration file with no Ginkgo e2e tests. The custom check applies only to new test additions, which are not present.
No-Weak-Crypto ✅ Passed PR only modifies .github/dependabot.yml (Dependabot configuration). No cryptographic code, MD5/SHA1/DES/RC4/3DES/Blowfish/ECB patterns, custom crypto, or secret comparisons present.
Container-Privileges ✅ Passed No container/K8s manifests with privilege escalation found. This is a Go CLI tool repo with only Dependabot config and GitHub Actions workflow changes—no containers or K8s manifests present.
No-Sensitive-Data-In-Logs ✅ Passed The .github/dependabot.yml configuration file contains no passwords, tokens, API keys, PII, or other sensitive data that could expose security risks through logging.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.


@openshift-ci (Bot, Contributor) commented Jun 11, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci (Bot, Contributor) commented Jun 11, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MitaliBhalla
Once this PR has been reviewed and has the lgtm label, please assign typeid for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai (Bot) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/dependabot.yml:
- Around line 8-24: The dependabot config's allow list currently limits updates
to only the two OpenShift packages, making the "aws-sdk" and "kubernetes" groups
unreachable; fix by either removing the top-level allow block (so groups
aws-sdk, kubernetes, openshift are evaluated), or if you want to keep allow,
remove the unused "aws-sdk" and "kubernetes" group entries, or expand the allow
list to include the specific AWS and Kubernetes dependencies you want Dependabot
to update (update the "allow" entries or adjust "groups" patterns accordingly).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 65a235ff-960e-4fe1-b170-47c04dfde7bf

📥 Commits

Reviewing files that changed from the base of the PR and between 0f7bc39 and e675d6a.

📒 Files selected for processing (1)
  • .github/dependabot.yml

Comment thread .github/dependabot.yml
Comment on lines 8 to +24
allow:
- dependency-name: "github.com/openshift/osd-network-verifier"
- dependency-name: "github.com/openshift/backplane-cli"
schedule:
interval: 'daily'
interval: 'weekly'
open-pull-requests-limit: 10
groups:
aws-sdk:
patterns:
- "github.com/aws/aws-sdk-go-v2*"
kubernetes:
patterns:
- "k8s.io/*"
- "sigs.k8s.io/*"
openshift:
patterns:
- "github.com/openshift/*"
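Review bot: the `allow` block at the top of this hunk limits Dependabot to the two openshift modules, so the `aws-sdk` and `kubernetes` groups defined below it will never contain a dependency and will never open a PR; the three groups only make sense together with either no `allow` block or one that also lists the AWS and k8s modules. Since the description says patch/minor updates auto-merge once the required checks pass, this `allow` list is effectively the auto-merge allowlist, and a comment in the file saying so would make that policy visible to the next editor.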


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

The allow list conflicts with the groups configuration—aws-sdk and kubernetes groups are unreachable.

Dependabot's allow field restricts updates to only the listed dependencies. Currently, only two OpenShift packages are allowed:

  • github.com/openshift/osd-network-verifier
  • github.com/openshift/backplane-cli

This means:

  • The aws-sdk group (line 15-17) will never trigger updates because no AWS SDK dependencies are in the allow list.
  • The kubernetes group (line 18-21) will never trigger updates because no k8s.io or sigs.k8s.io dependencies are in the allow list.
  • Only the openshift group could match the two allowed dependencies.

Action required: Either:

  1. Remove the allow block entirely to enable updates for all dependencies (recommended if you want AWS SDK and Kubernetes updates), OR
  2. Remove the unused aws-sdk and kubernetes groups if they're not needed, OR
  3. Expand the allow list to include specific AWS and Kubernetes dependencies that should be updated.
♻️ Option 1: Remove allow block to enable all dependency updates
     labels:
       - "area/dependency"
       - "ok-to-test"
-    allow:
-      - dependency-name: "github.com/openshift/osd-network-verifier"
-      - dependency-name: "github.com/openshift/backplane-cli"
     schedule:
       interval: 'weekly'
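Review bot: dropping `allow` here widens the patch/minor auto-merge from the test plan to every Go module in go.mod, with the required prow/Konflux checks as the only remaining gate, so this option should not land before the branch protection in openshift/release#80263 is in place; the `ok-to-test` label kept in the context lines above also means prow will run CI on each of these bot-authored PRs as soon as they open, which is worth stating explicitly in the PR description.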
♻️ Option 2: Remove unused groups
     open-pull-requests-limit: 10
     groups:
-      aws-sdk:
-        patterns:
-          - "github.com/aws/aws-sdk-go-v2*"
-      kubernetes:
-        patterns:
-          - "k8s.io/*"
-          - "sigs.k8s.io/*"
       openshift:
         patterns:
           - "github.com/openshift/*"
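Review bot: with this option the remaining `openshift` group pattern `github.com/openshift/*` is broader than the two modules in `allow`, so the group will only ever contain osd-network-verifier and backplane-cli; a comment next to `allow` noting that it, not the pattern, decides membership would save the next reader the same confusion, and `open-pull-requests-limit: 10` is generous for two dependencies.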

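To make the allow/groups interaction from the review above checkable before a config like this merges, here is an added lint (my example, not code from the PR or from Dependabot): it assumes the YAML has already been loaded into a dict, models only `dependency-name` allow entries, treats `*` in group patterns as matching any characters, and uses a constructed module list in place of go.mod.

```python
from fnmatch import fnmatchcase

# Constructed stand-in for the parsed .github/dependabot.yml entry discussed in the PR
# (load the real file with PyYAML and pass updates[0] instead).
UPDATE_ENTRY = {
    "allow": [
        {"dependency-name": "github.com/openshift/osd-network-verifier"},
        {"dependency-name": "github.com/openshift/backplane-cli"},
    ],
    "groups": {
        "aws-sdk": {"patterns": ["github.com/aws/aws-sdk-go-v2*"]},
        "kubernetes": {"patterns": ["k8s.io/*", "sigs.k8s.io/*"]},
        "openshift": {"patterns": ["github.com/openshift/*"]},
    },
}

# Constructed module list standing in for the 'require' block of go.mod.
GO_MODULES = [
    "github.com/aws/aws-sdk-go-v2/service/ec2",
    "k8s.io/api",
    "sigs.k8s.io/controller-runtime",
    "github.com/openshift/osd-network-verifier",
    "github.com/openshift/backplane-cli",
    "github.com/spf13/cobra",
]


def allowed_modules(entry, modules):
    """Apply the 'allow' filter; an absent or empty allow block means everything is eligible."""
    names = {a["dependency-name"] for a in entry.get("allow") or [] if "dependency-name" in a}
    return list(modules) if not names else [m for m in modules if m in names]


def group_membership(entry, modules):
    """Map each group to the allowed modules its patterns match ('*' matches any characters)."""
    eligible = allowed_modules(entry, modules)
    return {
        name: [m for m in eligible if any(fnmatchcase(m, p) for p in spec.get("patterns", []))]
        for name, spec in entry.get("groups", {}).items()
    }


def unreachable_groups(entry, modules):
    """Groups that will never open a PR because the allow list leaves them with no members."""
    return sorted(g for g, members in group_membership(entry, modules).items() if not members)


def without_allow(entry):
    """Option 1 from the review: the same entry with the allow block removed."""
    return {k: v for k, v in entry.items() if k != "allow"}
```

Running `unreachable_groups` on the PR's entry reports `aws-sdk` and `kubernetes`; on the Option 1 variant it reports nothing, while `github.com/spf13/cobra` still lands in no group and would get its own ungrouped PR.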