
Replace Dependabot with Renovate for cross-ecosystem dependency grouping#745

Merged: raballew merged 34 commits into jumpstarter-dev:main from raballew:732-renovate-dependency-config on Jun 5, 2026

Conversation

raballew (Member) commented Jun 4, 2026

Summary

  • Replaces .github/dependabot.yml with renovate.json to solve cross-module dependency coupling
  • Groups tightly coupled dependencies into single PRs (Kubernetes Go libs across all go.mod files, grpcio/protobuf, kubernetes/kubernetes-asyncio Python packages)
  • Adds Go version tracking across modules and auto-merge for safe patch updates

Motivation

Dependabot treats each (ecosystem, directory) pair independently, so it frequently proposes incompatible Kubernetes dependency bumps across controller/go.mod and controller/deploy/operator/go.mod. Renovate's packageRules with matchFileNames solves this by grouping them into a single PR.

Test plan

  • Install Renovate GitHub App on the repo
  • Verify onboarding PR is created with expected dependency dashboard
  • Confirm no duplicate PRs from Dependabot (dependabot.yml removed)

raballew and others added 10 commits June 4, 2026 15:13
Add renovate.json to manage cross-module and cross-ecosystem dependency
updates. The configuration groups Kubernetes dependencies (k8s.io/*,
controller-runtime, cert-manager) across all Go modules, enables
independent updates for unrelated Go dependencies, tracks Python
packages via UV/pip ecosystem, monitors Docker base images, groups
GitHub Actions by organization, and configures auto-merge for safe
patch-level updates.

Includes comprehensive test suite validating all functional requirements
against the configuration.

Generated-By: Forge/20260604_150734_114805_76f08a38

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Both dependabot and Renovate were configured to manage the same
ecosystems, which would produce competing PRs for every dependency
update. Removing dependabot.yml leaves Renovate as the sole
dependency management tool.

Generated-By: Forge/20260604_150734_114805_76f08a38

The kubernetes groupName appeared in two separate rules with confusing
interaction semantics. The first rule already sets automerge:false for
all update types, making the second rule (which only covered minor/major)
redundant.

Generated-By: Forge/20260604_150734_114805_76f08a38

Docker image "patch" updates can include significant OS-layer changes
that should not be auto-merged. Added an override rule that disables
automerge for dockerfile and docker-compose managers.

Generated-By: Forge/20260604_150734_114805_76f08a38

Verifies that the kubernetes group rule includes all three expected
go.mod files so that removing a path would be caught by tests.

Generated-By: Forge/20260604_150734_114805_76f08a38

…vate groupings

Add three new package grouping rules to the Renovate configuration:
- grpc-protobuf: groups grpcio, grpcio-tools, and protobuf Python packages
  for protocol compatibility
- kubernetes-python: groups kubernetes and kubernetes-asyncio Python packages
  to keep sync and async clients aligned
- golang-version: groups Go version directive updates across all go.mod files

Includes 15 new tests covering all three grouping rules (existence,
single-rule consolidation, package names, manager types, file coverage).

Refs: jumpstarter-dev#732
Generated-By: Forge/20260604_155507_146627_86308ea7

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Move kubernetes and golang-version rules after the patch automerge rule
so their automerge:false correctly overrides the blanket patch automerge.
Replace deprecated matchPackagePrefixes with matchPackageNames using glob
patterns to avoid Renovate deprecation warnings.

Generated-By: Forge/20260604_155507_146627_86308ea7

Add a test-config job to the lint workflow that runs pytest on
tests/test_renovate_config.py when renovate.json or tests/ change.
Without this, the config validation tests were never executed in CI.

Generated-By: Forge/20260604_155507_146627_86308ea7

The plan previously stated dependabot.yml would remain for reference,
but the implementation deletes it. Update the plan to match.

Generated-By: Forge/20260604_155507_146627_86308ea7
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
coderabbitai (bot, Contributor) commented Jun 4, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

📥 Commits

Reviewing files that changed from the base of the PR and between badaa8a and 4fe6bf5.

📒 Files selected for processing (5)
  • .github/workflows/python-tests.yaml
  • README.md
  • python/docs/source/conf.py
  • python/docs/source/getting-started/installation/packages.md
  • renovate.json
✅ Files skipped from review due to trivial changes (1)
  • README.md
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/python-tests.yaml
  • renovate.json

📝 Walkthrough

Walkthrough

This PR removes Dependabot, adds a top-level Renovate configuration with custom managers and extensive packageRules, introduces .go-version and .py-version, updates CI/workflows and devcontainer/scripts to read those anchors, and pins container/tool image tags.

Changes

Renovate Dependency Manager Migration

Layer: Renovate configuration foundation
Files: renovate.json
Summary: Top-level Renovate config with schema, extends, timezone/schedule, ignore globs, and customManagers mapping .go-version/.py-version to golang-version/python-version datasources.

Layer: Renovate package grouping and versioning rules
Files: renovate.json
Summary: Extensive packageRules grouping GitHub Actions, Docker images, Go/Python ecosystems (gRPC/protobuf, Kubernetes, testing libs), custom image versioning rules, and automerge policies.

Layer: Repository version anchors and lint validation
Files: .go-version, .py-version, .gitignore, .github/workflows/lint.yaml
Summary: Add .go-version (1.24.0) and .py-version (3.12), ignore .python-version, and extend lint workflow with Renovate path detection and conditional validate-renovate; Go/Python setup now reads version-file anchors.

Layer: CI workflows: version sourcing
Files: .github/workflows/e2e.yaml, .github/workflows/build-images.yaml, .github/workflows/documentation.yaml, .github/workflows/python-tests.yaml, .github/workflows/release-operator-installer.yaml
Summary: Workflows updated to use actions/setup-go with go-version-file: .go-version and astral-sh/setup-uv with python-version-file: .py-version; uv action pinned where applicable.

Layer: Container and devcontainer version pinning
Files: .devcontainer/Dockerfile, python/.devfile/Containerfile, python/.devfile/Containerfile.client, python/Dockerfile, .devcontainer/devcontainer.json
Summary: Pin uv/uvx images to 0.4.4, update devcontainer base to mcr.microsoft.com/devcontainers/base:2.1.9-bookworm, and change devcontainer postStart to pin Python from repository .py-version.

Layer: E2E scripts and docs alignment
Files: e2e/..., e2e/lib/install.sh, README.md, python/docs/*
Summary: E2E scripts and install utilities now read .py-version for Python installs/venvs; Sphinx conf.py reads pyproject.toml and install.sh to populate requires_python and stable_branch; docs use these substitutions.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested labels

backport release-0.7

Suggested reviewers

  • kirkbrauer
  • mangelajo
  • NickCao

Poem

🐰 I hopped from Dependabot to Renovate's lair,
Anchors for Go and Python held with care,
Workflows now read versions from files we keep,
Containers pinned tight so builds stay neat,
A carrot-coded change — reproducible pair! 🥕✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Title check: Passed. The title accurately and specifically describes the main change: replacing Dependabot with Renovate for improved dependency grouping across the codebase.
  • Description check: Passed. The description clearly explains the motivation, changes made, and testing plan for the pull request, directly relating to the changeset modifications.
  • Docstring Coverage: Passed. Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.



raballew and others added 6 commits June 4, 2026 21:56
Add validate-renovate job to lint workflow using the official
renovate-config-validator. Fix Python grpc group (replace unused
grpcio-tools with grpcio-reflection). Add Go gRPC/protobuf group.
Shorten all packageRule descriptions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…e images, and dev tools

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…or e2e

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…-version

- Add go-deps-other group to catch ungrouped Go deps across all go.mod files
- Fix golang-version rule matchDepTypes from "golang-version" (datasource) to "golang" (actual depType)
- Track python/.python-version so Renovate can manage the Python runtime version

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
raballew (Member, Author) commented Jun 5, 2026

Running this on a somewhat recent main would yield the following PRs:

  GitHub Actions (6 PRs)
  - fix(deps): update github-actions-official — renovate/github-actions-official
  - fix(deps): update github-actions-official (major) — renovate/major-github-actions-official
  - fix(deps): update github-actions-astral — renovate/github-actions-astral
  - fix(deps): update astral-sh/setup-uv action to v8 (major) — renovate/major-github-actions-astral
  - fix(deps): update github-actions-other — renovate/github-actions-other
  - fix(deps): update github-actions-other (major) — renovate/major-github-actions-other

  Go modules (5 PRs)
  - fix(deps): update go-deps-other — renovate/go-deps-other
  - fix(deps): update grpc-protobuf-go — renovate/grpc-protobuf-go
  - fix(deps): update kubernetes — renovate/kubernetes
  - fix(deps): update golang-x — renovate/golang-x
  - fix(deps): update module github.com/onsi/gomega to v1.41.0 — renovate/go-testing

  Docker/container images (2 PRs)
  - chore(deps): update docker-base-images — renovate/docker-base-images
  - chore(deps): update docker-base-images (major) — renovate/major-docker-base-images

  Python (4 PRs)
  - chore(deps): update python-dev-tools — renovate/python-dev-tools
  - chore(deps): update dependency sphinx to v9 (major) — renovate/major-python-dev-tools
  - fix(deps): update dependency pysnmp to v7.1.27 — renovate/pysnmp-7.x
  - fix(deps): update dependency opendal to >=0.47.2,<0.48 — renovate/opendal-0.x

  Cross-language (2 PRs)
  - fix(deps): update dependency semver to v3 — renovate/semver-3.x
  - chore(deps): update python docker tag to v3.14 — renovate/python-3.x

raballew marked this pull request as ready for review June 5, 2026 05:46
Prevents CI Go version from drifting when go.mod is updated.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

coderabbitai (bot, Contributor) left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/lint.yaml (1)

106-113: 💤 Low value

Consider hardening checkout for consistency with security best practices.

Static analysis flags this checkout for missing persist-credentials: false and using an unpinned tag (@v4) instead of a commit hash. However, this is consistent with all other checkout actions in this workflow (lines 26, 50, 69, 82, 95, 118).

Since this job only validates configuration and doesn't need git credentials after checkout, adding persist-credentials: false would be a good security hygiene improvement. If you decide to address this, consider applying it workflow-wide for consistency.

Optional: Add persist-credentials: false
   validate-renovate:
     needs: changes
     if: needs.changes.outputs.renovate == 'true'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Validate Renovate config
         run: npx --yes --package renovate -- renovate-config-validator
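Review bot: the hunk adds `persist-credentials: false` but leaves the other problem the comment itself names, the floating `actions/checkout@v4` tag, untouched. Since the very next step runs `npx --yes --package renovate` and executes whatever the registry serves, this job is exactly where a mutable action ref matters; pin the action to a full commit SHA with the tag in a trailing comment, as the documentation workflow in this PR already does for `astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1`.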
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@python/.python-version`:
- Line 1: Remove the hardcoded "3.12" and instead read the canonical interpreter
version from python/.python-version and reuse it across devcontainer and e2e
scripts: update .devcontainer/devcontainer.json (postStartCommand) and the e2e
scripts (e2e/lib/install.sh, e2e/setup-e2e.sh, e2e/compat/setup.sh) to read the
version string from python/.python-version into a variable and use that variable
when installing or pinning Python so all places derive the version from the
single source of truth.

In `@renovate.json`:
- Around line 185-192: The "Auto-merge patch updates" rule currently sets
matchUpdateTypes: ["patch"] with automerge: true and is placed after the
kubernetes and docker-base-images rules so its later precedence overrides their
automerge: false; to fix, move the rule block containing matchUpdateTypes,
automerge and automergeType so it appears before the kubernetes and
docker-base-images rules or modify its scope (e.g., add matchPackageNames or
excludePackageNames) to explicitly exclude the kubernetes and docker-base-images
sets; keep the golang-version rule after this patch rule as-is.

---

Nitpick comments:
In @.github/workflows/lint.yaml:
- Around line 106-113: The validate-renovate job's checkout step (the
actions/checkout@v4 usage within the validate-renovate job) should set
persist-credentials: false to avoid leaving Git credentials in the workspace
after checkout; update the checkout step to include persist-credentials: false
and, for consistency/security, consider applying the same change to the other
checkout steps (and optionally pin actions/checkout to a specific commit SHA
across the workflow if you want stronger immutability).
ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between c141332 and ee1fc58.

📒 Files selected for processing (4)
  • .github/dependabot.yml
  • .github/workflows/lint.yaml
  • python/.python-version
  • renovate.json
💤 Files with no reviewable changes (1)
  • .github/dependabot.yml

raballew and others added 7 commits June 5, 2026 07:56
- Add .go-version as single source of truth for Go toolchain version
- Add custom regex manager to detect and update .go-version via Renovate
- Group .go-version updates with go.mod directives in golang-version group
- Point all CI workflows to .go-version instead of individual go.mod files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…-version

- Add .py-version (3.12) as CI Python version reference without forcing it on developers
- Add custom regex manager so Renovate can detect and update .py-version
- Gitignore .python-version to prevent local dev tool interference
- Untrack the previously committed python/.python-version

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Replace hardcoded Python versions and uv python pin commands with
python-version-file pointing to .py-version across e2e, lint, and
documentation workflows. python-tests keeps its multi-version matrix.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Pin ghcr.io/astral-sh/uv from latest to 0.4.4 in all Dockerfiles
- Pin uv tool version from latest to 0.11.19 in lint and python-tests workflows
- Pin registry.access.redhat.com/ubi9/ubi from latest to 9.5
- Pin mcr.microsoft.com/devcontainers/base from bookworm to 2.1.9-bookworm
  and update to current image path (was vscode/devcontainers/base)
- Fix devcontainer Dockerfile to copy .py-version instead of removed
  python/.python-version

Not pinnable (no semver tags available):
- quay.io/devfile/base-developer-image:ubi9-latest
- quay.io/jumpstarter-dev/jumpstarter-operator:latest

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Track ubi major version only (ubi9 -> ubi10). The regex matches
ubi<major>-latest tags and ignores commit-hash tags.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Scans Dockerfiles, Containerfiles, and workflow files for :latest tags
and version: latest inputs. Allowlists quay.io/jumpstarter-dev/ images
since those are self-referencing project images, not external deps.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
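A scanner of the kind the lint commit above describes, written here as an added example rather than the project's script. It checks Dockerfiles, Containerfiles and workflow files for `:latest` tags and `version: latest` inputs with `quay.io/jumpstarter-dev/` images allow-listed, and goes one step further than the commit message by also flagging untagged images (an implicit `:latest`) and `uses:` refs that are not full commit SHAs, the point the review comments raise. The file contents and the digest below are constructed inputs, not files from the repository.

```python
"""Scan Dockerfile/Containerfile and GitHub workflow text for mutable
references.  Added example modelled on the lint step the PR describes, not the
project's script; it also flags untagged images and actions pinned to a tag
rather than a commit SHA."""
import re

# Project-owned images are not external dependencies: same allow-list idea as the PR.
ALLOWLIST_PREFIXES = ("quay.io/jumpstarter-dev/",)

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.I | re.M)
STAGE_RE = re.compile(r"^\s*FROM\s+.*\s+AS\s+(\S+)\s*$", re.I | re.M)
COPY_FROM_RE = re.compile(r"^\s*COPY\s+--from=(\S+)", re.I | re.M)
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.M)
VERSION_LATEST_RE = re.compile(r"^\s*version:\s*['\"]?latest['\"]?\s*$", re.M)
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")


def image_findings(text, path):
    """Flag FROM / COPY --from references whose content can change under the same name."""
    stages = {s.lower() for s in STAGE_RE.findall(text)}  # build-stage aliases, not images
    findings = []
    for ref in FROM_RE.findall(text) + COPY_FROM_RE.findall(text):
        low = ref.lower()
        if low in stages or low == "scratch" or ref.startswith("$") \
                or ref.startswith(ALLOWLIST_PREFIXES):
            continue
        if "@sha256:" in ref:
            continue  # digest-pinned: immutable
        _, sep, tag = ref.rpartition(":")
        if not sep or "/" in tag:  # "ubuntu" or "registry:5000/img": no tag at all
            findings.append((path, ref, "untagged image (implicit :latest)"))
        elif tag == "latest":
            findings.append((path, ref, ":latest tag"))
    return findings


def workflow_findings(text, path):
    """Flag action refs that are not full commit SHAs and 'version: latest' inputs."""
    findings = []
    for ref in USES_RE.findall(text):
        if ref.startswith(("./", "docker://")):
            continue  # local composite action / explicit image ref handled elsewhere
        _, sep, version = ref.partition("@")
        if not sep:
            findings.append((path, ref, "action without a ref"))
        elif not SHA40_RE.match(version):
            findings.append((path, ref, "action pinned to a mutable tag, not a commit SHA"))
    for m in VERSION_LATEST_RE.finditer(text):
        findings.append((path, m.group(0).strip(), "version: latest input"))
    return findings


def scan(files):
    """files maps repo path -> file text.  Returns (path, reference, reason) tuples."""
    out = []
    for path, text in files.items():
        base = path.rsplit("/", 1)[-1]
        if base.startswith(("Dockerfile", "Containerfile")):
            out.extend(image_findings(text, path))
        elif path.startswith(".github/workflows/") and base.endswith((".yml", ".yaml")):
            out.extend(workflow_findings(text, path))
    return out


# Constructed sample inputs; the all-zero digest is a placeholder, not a real image.
SAMPLE_DOCKERFILE = """\
FROM ghcr.io/astral-sh/uv:0.4.4 AS uv
FROM registry.access.redhat.com/ubi9/ubi:latest
COPY --from=uv /uv /uvx /bin/
FROM quay.io/jumpstarter-dev/jumpstarter-operator:latest
FROM mcr.microsoft.com/devcontainers/base@sha256:""" + "0" * 64 + "\n"
SAMPLE_WORKFLOW = """\
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
        with:
          version: latest
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for finding in scan({"python/Dockerfile": SAMPLE_DOCKERFILE,
                         ".github/workflows/lint.yaml": SAMPLE_WORKFLOW}):
        print(*finding, sep="\t")
```

On the constructed inputs it reports the `ubi9/ubi:latest` base image, the `actions/checkout@v4` tag and the `version: latest` input, and stays quiet on the stage alias, the allow-listed project image, the digest-pinned base and the SHA-pinned action. Wiring it into CI as a lint step (exit non-zero when `scan()` returns anything) is what turns the pinning done in this PR into a standing invariant rather than a one-off cleanup.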

coderabbitai (bot, Contributor) left a comment

Actionable comments posted: 2

♻️ Duplicate comments (1)
renovate.json (1)

218-225: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Fix automerge precedence for patch updates.

The patch automerge rule (lines 218-225) comes after both the kubernetes rule (line 157, automerge: false) and the docker-base-images rule (line 204, automerge: false). Due to Renovate's last-rule-wins precedence, this patch rule will override their automerge: false settings for patch-level updates, causing unintended auto-merges.

Move this rule before the kubernetes and docker-base-images rules, or add exclusions to prevent it from applying to those dependency groups.

📋 Suggested fix: Reorder rules to preserve automerge: false intent

Move the patch automerge rule to appear before line 139 (before the kubernetes rule), or add explicit exclusions:

   },
+  {
+    "description": "Auto-merge patch updates",
+    "matchUpdateTypes": [
+      "patch"
+    ],
+    "automerge": true,
+    "automergeType": "pr"
+  },
   {
     "description": "Group Go Kubernetes and controller dependencies",
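Review bot: the reordering only works because every later rule that should stay manual sets `automerge: false` explicitly; a later rule that matches the same dependency and sets only `groupName` would still inherit `automerge: true` from this patch rule. Add a test in tests/test_renovate_config.py that asserts the index of the "Auto-merge patch updates" rule is lower than the indexes of the kubernetes and docker-base-images rules, and that each of those sets `automerge: false`, so a future rule shuffle cannot silently re-enable auto-merge.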

And remove the rule from its current position (lines 218-225).

🧹 Nitpick comments (3)
.github/workflows/lint.yaml (1)

107-114: 💤 Low value

Consider pinning the renovate version for reproducibility.

The npx --yes --package renovate command installs the latest version of renovate each time. Pinning to a specific version would make validation more deterministic and reproducible across runs.

📌 Optional: pin renovate version
     - name: Validate Renovate config
-      run: npx --yes --package renovate -- renovate-config-validator
+      run: npx --yes --package renovate@39 -- renovate-config-validator
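Review bot: `renovate@39` pins only the major, so the validator still floats across minor and patch releases and the run is no more reproducible than before; pin an exact `renovate@<major.minor.patch>` and treat it like the other pinned tool versions in this PR, otherwise the suggested change buys little over the unpinned form.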
.github/workflows/e2e.yaml (1)

148-150: ⚡ Quick win

Consider pinning the uv version for consistency across workflows.

This workflow doesn't specify a version parameter for setup-uv, while lint.yaml and python-tests.yaml pin to 0.11.19. Pinning to a consistent version across all workflows would improve reproducibility.

🔧 Suggested fix: pin uv version
     - name: Install uv
       uses: astral-sh/setup-uv@v7
       with:
+        version: "0.11.19"
         python-version-file: .py-version
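Review bot: this hunk pins the uv binary version but the `uses: astral-sh/setup-uv@v7` line directly above it is still a mutable tag, whereas the documentation workflow in this PR pins the same action to `803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1`. Pin the action ref here in the same change: the `version` input controls which uv is installed, not which code installs it.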

Apply the same change to the other setup-uv steps in this workflow at lines 191-193, 263-265, and 293-295.

.github/workflows/documentation.yaml (1)

51-52: ⚡ Quick win

Consider aligning uv version with other workflows.

This workflow pins uv to 0.11.6, while lint.yaml and python-tests.yaml use 0.11.19. Aligning to a single uv version across all workflows would improve consistency and reduce potential behavioral differences.

🔧 Suggested fix: align uv version
       - name: Install uv
         uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
         with:
-          version: "0.11.6"
+          version: "0.11.19"
           python-version-file: .py-version

Apply the same change to the other setup-uv steps in this workflow at lines 87-88 and 108-109.

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.devcontainer/Dockerfile:
- Line 1: Replace mutable image tags with immutable sha256 digests for both base
and multi-stage source images: change the FROM reference to the
mcr.microsoft.com/devcontainers/base image to use its pinned digest instead of
:2.1.9-bookworm and replace the COPY --from=ghcr.io/astral-sh/uv:0.4.4 source
with that image's digest, ensuring reproducible builds; to find the correct
digests run a registry manifest/pull (e.g. docker pull <image:tag> then docker
inspect or use registry API) and update the Dockerfile image references to the
returned image@sha256:<digest> form.

In `@python/Dockerfile`:
- Line 14: The second COPY re-pulls the image instead of using the build-stage
alias; change the COPY source from the explicit image reference
"ghcr.io/astral-sh/uv:0.4.4" to the existing build stage alias "uv" so both COPY
instructions reference the same stage (i.e., use COPY --from=uv /uv /uvx /bin/),
ensuring no extra pull and consistent artifacts from the uv stage.

---

Duplicate comments:
In `@renovate.json`:
- Around line 218-225: The "Auto-merge patch updates" rule (the object with
"matchUpdateTypes": ["patch"] and "automerge": true) is placed after the
kubernetes rule and docker-base-images rule which both set "automerge": false,
so Renovate's last-rule-wins causes unintended auto-merges; fix it by moving the
patch automerge rule to appear before the kubernetes rule (the kubernetes rule
that sets "automerge": false) and before the docker-base-images rule, or
alternatively add explicit exclusions to the patch rule to omit the kubernetes
and docker-base-images groups (e.g., exclude by their groupName or package
names) so the patch rule cannot override their "automerge": false settings.

---

Nitpick comments:
In @.github/workflows/documentation.yaml:
- Around line 51-52: Update the pinned uv version in this workflow's setup
step(s): find the steps named "setup-uv" (look for the step key or the action
that uses setup-uv) and change the YAML key "version: \"0.11.6\"" to "version:
\"0.11.19\"" for each occurrence in this file so it matches the uv version used
in lint.yaml and python-tests.yaml.

In @.github/workflows/e2e.yaml:
- Around line 148-150: Pin the astral-sh/setup-uv action to a specific version
by adding a version input (e.g., version: "0.11.19") to the setup steps that use
`uses: astral-sh/setup-uv@v7` so the workflow matches `lint.yaml` and
`python-tests.yaml`; update all occurrences of the `uses: astral-sh/setup-uv@v7`
step in this file (the ones that currently only supply `python-version-file`) to
include the `version` field with the chosen pinned value for consistency and
reproducibility.

In @.github/workflows/lint.yaml:
- Around line 107-114: The renovate validation step (job validate-renovate, step
"Validate Renovate config") currently installs the latest Renovate via npx
--package renovate; change this to pin a specific Renovate version (e.g. npx
--yes --package renovate@<version> renovate-config-validator) so the validation
is deterministic — update the run command to reference renovate@<semver> and
document or bump the pinned version when Renovate upgrades are required.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between 58baefc and c0f3876.

📒 Files selected for processing (14)
  • .devcontainer/Dockerfile
  • .github/workflows/build-images.yaml
  • .github/workflows/documentation.yaml
  • .github/workflows/e2e.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/python-tests.yaml
  • .github/workflows/release-operator-installer.yaml
  • .gitignore
  • .go-version
  • .py-version
  • python/.devfile/Containerfile
  • python/.devfile/Containerfile.client
  • python/Dockerfile
  • renovate.json
💤 Files with no reviewable changes (1)
  • .py-version
✅ Files skipped from review due to trivial changes (4)
  • .go-version
  • .github/workflows/release-operator-installer.yaml
  • python/.devfile/Containerfile
  • .gitignore

raballew and others added 9 commits June 5, 2026 08:29
Centralizes Python version in devcontainer postStartCommand, e2e setup
scripts, and compat test scripts to read from .py-version, preventing
drift when Renovate updates the version file.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The automerge patch rule was placed after kubernetes (automerge: false)
and docker-base-images (automerge: false), causing last-match-wins to
override their automerge: false with automerge: true on patch updates.
Moving it earlier lets those rules correctly disable automerge.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Replace hardcoded Python and Go version requirements in README and
installation docs with links to the version files, preventing the
docs from becoming stale when versions are updated.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The previous hardcoded v1.11.3+ was stale (actual minimum is 1.33
based on k8s.io/client-go v0.33.0). Link to go.mod so the requirement
stays current when Renovate updates k8s.io dependencies.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Renovate will now create PRs to pin container image digests and GitHub
Action versions to SHA digests, ensuring reproducible builds and
preventing silent tag mutations.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…n docs

conf.py now reads requires-python from the core jumpstarter package's
pyproject.toml, keeping the docs substitution in sync automatically.
The installer prerequisites now show both the minimum version (from
pyproject.toml) and the recommended development version (.py-version).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Read DEFAULT_SOURCE from install.sh into a {{stable_branch}} docs
substitution, replacing 6 hardcoded release-0.7 references with the
current value (release-0.8). The stable branch version is now defined
in one place (install.sh) and the docs stay current automatically.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
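The two rule behaviours this PR depends on, grouping one dependency set across several go.mod files with matchFileNames (the Motivation section) and last-rule-wins precedence for automerge (the review finding and the fix commit above), modelled in Python as an added example. This is not the project's renovate.json or its tests/test_renovate_config.py: the rules, file paths and sample dependencies are constructed to match the shapes the PR describes, glob matching is approximated with fnmatch where Renovate uses minimatch, and only four matchers are modelled.

```python
"""Simplified model of how Renovate applies packageRules: rules are evaluated
in array order and a later matching rule overwrites keys set by an earlier one.
Added example, not the project's renovate.json or test suite."""
from fnmatch import fnmatch

# Constructed rules shaped like the ones described in the PR.  Only the two
# go.mod paths named in the PR are listed; the real file has more rules.
PATCH_AUTOMERGE = {
    "description": "Auto-merge patch updates",
    "matchUpdateTypes": ["patch"],
    "automerge": True,
    "automergeType": "pr",
}
KUBERNETES = {
    "description": "Group Go Kubernetes and controller dependencies",
    "matchManagers": ["gomod"],
    "matchFileNames": ["controller/go.mod", "controller/deploy/operator/go.mod"],
    "matchPackageNames": ["k8s.io/*", "sigs.k8s.io/controller-runtime"],
    "groupName": "kubernetes",
    "automerge": False,
}
DOCKER_BASE_IMAGES = {
    "description": "Never auto-merge base image bumps",
    "matchManagers": ["dockerfile", "docker-compose"],
    "groupName": "docker-base-images",
    "automerge": False,
}

PATCH_LAST = [KUBERNETES, DOCKER_BASE_IMAGES, PATCH_AUTOMERGE]   # as first submitted
PATCH_FIRST = [PATCH_AUTOMERGE, KUBERNETES, DOCKER_BASE_IMAGES]  # after the fix commit

# matcher key on a rule -> field of a dependency it is compared against
MATCHERS = {
    "matchManagers": "manager",
    "matchFileNames": "packageFile",
    "matchPackageNames": "packageName",
    "matchUpdateTypes": "updateType",
}

# Constructed sample dependencies, one per interesting case.
SAMPLE_DEPS = [
    {"manager": "gomod", "packageName": "k8s.io/client-go",
     "packageFile": "controller/deploy/operator/go.mod", "updateType": "patch"},
    {"manager": "dockerfile", "packageName": "registry.access.redhat.com/ubi9/ubi",
     "packageFile": "python/Dockerfile", "updateType": "patch"},
    {"manager": "gomod", "packageName": "github.com/onsi/gomega",
     "packageFile": "controller/go.mod", "updateType": "patch"},
]


def rule_matches(rule, dep):
    """Every match* key present on the rule must match (AND); within one key
    any listed pattern may match (OR).  Glob matching approximated with fnmatch."""
    for key, field in MATCHERS.items():
        patterns = rule.get(key)
        if patterns is not None and not any(fnmatch(dep[field], p) for p in patterns):
            return False
    return True


def effective_config(rules, dep):
    """Merge every matching rule in array order; the last matching rule wins."""
    cfg = {}
    for rule in rules:
        if rule_matches(rule, dep):
            cfg.update({k: v for k, v in rule.items()
                        if not k.startswith("match") and k != "description"})
    return cfg


def automerge_overrides(rules, deps):
    """Report deps for which some matching rule asked for automerge: false but
    the effective config still ends up with automerge: true."""
    findings = []
    for dep in deps:
        disabled_by = [r["description"] for r in rules
                       if rule_matches(r, dep) and r.get("automerge") is False]
        if disabled_by and effective_config(rules, dep).get("automerge") is True:
            findings.append((dep["packageName"], disabled_by))
    return findings


if __name__ == "__main__":
    for label, rules in (("patch rule last", PATCH_LAST), ("patch rule first", PATCH_FIRST)):
        print(f"{label}: {automerge_overrides(rules, SAMPLE_DEPS)}")
```

Run as a script it prints two findings for the original order (the k8s.io/client-go and ubi9 patch updates end up with automerge: true although their group rules set it to false) and none once the patch rule comes first, while the gomega update, matched by no automerge: false rule, auto-merges in both orders. A test of this shape, loading the real renovate.json instead of constructed rules, is what keeps the ordering fix from regressing when rules are added later.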
raballew (Member, Author) commented Jun 5, 2026

All versions (mostly container images) in python/docs YAML in md files cannot be addressed by this PR; it requires that #704 lands, where YAML is included from dedicated files which Renovate can pick up.

raballew requested a review from mangelajo June 5, 2026 08:01
raballew (Member, Author) commented Jun 5, 2026

@mangelajo I have addressed your review feedback. If you are okay with this PR, I would go ahead and install the Renovate app.

Explain why specific Python versions are tested (RHEL floor to Fedora
ceiling) and clarify the distinction between .py-version (CI runtime
pin) and requires-python (compatibility floor) in Renovate descriptions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
raballew (Member, Author) commented Jun 5, 2026

Follow-up: Python version matrix simplification

The test matrix currently covers Python 3.11, 3.12, and 3.13. Once RHEL 9 support is dropped, this should be simplified:

  • Update requires-python from >=3.11 to >=3.12 (RHEL 10 floor)
  • Update the test matrix to ["3.12", "3.13", "3.14"] (RHEL 10 through latest Fedora)
  • Update .py-version if needed

This would drop RHEL 9 appstream users (3.11) but aligns with RHEL 10 as the minimum supported platform. The decision depends on when the project is ready to drop RHEL 9 support.

raballew (Member, Author) commented Jun 5, 2026

@kirkbrauer is okay with this based on a chat with him. Merging and adding the Renovate bot.

raballew merged commit 04b5b7b into jumpstarter-dev:main Jun 5, 2026
31 of 32 checks passed
mangelajo pushed a commit that referenced this pull request Jun 5, 2026
- Pin `ghcr.io/astral-sh/uv` from `0.4.4` to `0.11.19` in all
Dockerfiles and Containerfiles — the `0.4.4` tag pinned in #745 was an
image format version containing an old uv binary without `uv build`
support, breaking container builds. The registry publishes `0.11.x` tags
matching the uv tool version (found via paginated tag listing).
- Fix myst substitutions for `{{stable_branch}}` in docs tables —
substitutions don't work inside markdown link URLs or backtick code
spans, so pre-build them as complete substitution values in `conf.py`.

## Test plan
- [x] Verify `python/Dockerfile` builds successfully
- [x] Verify docs build with `make docs` (substitutions render
correctly)
- [x] Verify `make docs-linkcheck` passes (no broken
`pkg.jumpstarter.dev` URLs)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>