fix: restrict Fedora to stable and group Go toolchain updates #776
Closed
raballew wants to merge 31 commits into
Add renovate.json to manage cross-module and cross-ecosystem dependency updates. The configuration groups Kubernetes dependencies (k8s.io/*, controller-runtime, cert-manager) across all Go modules, enables independent updates for unrelated Go dependencies, tracks Python packages via UV/pip ecosystem, monitors Docker base images, groups GitHub Actions by organization, and configures auto-merge for safe patch-level updates. Includes comprehensive test suite validating all functional requirements against the configuration. Generated-By: Forge/20260604_150734_114805_76f08a38 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Both dependabot and Renovate were configured to manage the same ecosystems, which would produce competing PRs for every dependency update. Removing dependabot.yml leaves Renovate as the sole dependency management tool. Generated-By: Forge/20260604_150734_114805_76f08a38
The kubernetes groupName appeared in two separate rules with confusing interaction semantics. The first rule already sets automerge:false for all update types, making the second rule (which only covered minor/major) redundant. Generated-By: Forge/20260604_150734_114805_76f08a38
Docker image "patch" updates can include significant OS-layer changes that should not be auto-merged. Added an override rule that disables automerge for dockerfile and docker-compose managers. Generated-By: Forge/20260604_150734_114805_76f08a38
Verifies that the kubernetes group rule includes all three expected go.mod files so that removing a path would be caught by tests. Generated-By: Forge/20260604_150734_114805_76f08a38
…vate groupings
Add three new package grouping rules to the Renovate configuration:
- grpc-protobuf: groups grpcio, grpcio-tools, and protobuf Python packages for protocol compatibility
- kubernetes-python: groups kubernetes and kubernetes-asyncio Python packages to keep sync and async clients aligned
- golang-version: groups Go version directive updates across all go.mod files
Includes 15 new tests covering all three grouping rules (existence, single-rule consolidation, package names, manager types, file coverage).
Refs: jumpstarter-dev#732
Generated-By: Forge/20260604_155507_146627_86308ea7
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move kubernetes and golang-version rules after the patch automerge rule so their automerge:false correctly overrides the blanket patch automerge. Replace deprecated matchPackagePrefixes with matchPackageNames using glob patterns to avoid Renovate deprecation warnings. Generated-By: Forge/20260604_155507_146627_86308ea7
Add a test-config job to the lint workflow that runs pytest on tests/test_renovate_config.py when renovate.json or tests/ change. Without this, the config validation tests were never executed in CI. Generated-By: Forge/20260604_155507_146627_86308ea7
The plan previously stated dependabot.yml would remain for reference, but the implementation deletes it. Update the plan to match. Generated-By: Forge/20260604_155507_146627_86308ea7
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add validate-renovate job to lint workflow using the official renovate-config-validator. Fix Python grpc group (replace unused grpcio-tools with grpcio-reflection). Add Go gRPC/protobuf group. Shorten all packageRule descriptions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…e images, and dev tools Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…or e2e Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…-version
- Add go-deps-other group to catch ungrouped Go deps across all go.mod files
- Fix golang-version rule matchDepTypes from "golang-version" (datasource) to "golang" (actual depType)
- Track python/.python-version so Renovate can manage the Python runtime version
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Prevents CI Go version from drifting when go.mod is updated. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add .go-version as single source of truth for Go toolchain version
- Add custom regex manager to detect and update .go-version via Renovate
- Group .go-version updates with go.mod directives in golang-version group
- Point all CI workflows to .go-version instead of individual go.mod files
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…-version
- Add .py-version (3.12) as CI Python version reference without forcing it on developers
- Add custom regex manager so Renovate can detect and update .py-version
- Gitignore .python-version to prevent local dev tool interference
- Untrack the previously committed python/.python-version
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace hardcoded Python versions and uv python pin commands with python-version-file pointing to .py-version across e2e, lint, and documentation workflows. python-tests keeps its multi-version matrix. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Pin ghcr.io/astral-sh/uv from latest to 0.4.4 in all Dockerfiles
- Pin uv tool version from latest to 0.11.19 in lint and python-tests workflows
- Pin registry.access.redhat.com/ubi9/ubi from latest to 9.5
- Pin mcr.microsoft.com/devcontainers/base from bookworm to 2.1.9-bookworm and update to current image path (was vscode/devcontainers/base)
- Fix devcontainer Dockerfile to copy .py-version instead of removed python/.python-version
Not pinnable (no semver tags available):
- quay.io/devfile/base-developer-image:ubi9-latest
- quay.io/jumpstarter-dev/jumpstarter-operator:latest
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Track ubi major version only (ubi9 -> ubi10). The regex matches ubi<major>-latest tags and ignores commit-hash tags. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Scans Dockerfiles, Containerfiles, and workflow files for :latest tags and version: latest inputs. Allowlists quay.io/jumpstarter-dev/ images since those are self-referencing project images, not external deps. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…sions" This reverts commit 30201c0.
Centralizes Python version in devcontainer postStartCommand, e2e setup scripts, and compat test scripts to read from .py-version, preventing drift when Renovate updates the version file. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The automerge patch rule was placed after kubernetes (automerge: false) and docker-base-images (automerge: false), causing last-match-wins to override their automerge: false with automerge: true on patch updates. Moving it earlier lets those rules correctly disable automerge. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace hardcoded Python and Go version requirements in README and installation docs with links to the version files, preventing the docs from becoming stale when versions are updated. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The previous hardcoded v1.11.3+ was stale (actual minimum is 1.33 based on k8s.io/client-go v0.33.0). Link to go.mod so the requirement stays current when Renovate updates k8s.io dependencies. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Renovate will now create PRs to pin container image digests and GitHub Action versions to SHA digests, ensuring reproducible builds and preventing silent tag mutations. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Restrict Fedora Docker image to <=44 to prevent Renovate from proposing rawhide (Fedora 45). followTag does not work with Docker datasources since Docker tags have no dist-tag-to-version mapping like npm. Create a go-toolchain group that bundles Go version directives, .go-version, and the go-toolset Docker image so they update together. Add a versioning regex for go-toolset so only Go-version-style tags (1.x.y) are tracked instead of UBI build tags. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
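The rule-ordering problem described in the commit message about moving the automerge patch rule, as an added example (not code from this pull request): a simplified Python model of ordered packageRules evaluation in which a later matching rule overwrites an earlier one. The rule contents, the sample dependencies and the use of fnmatch in place of Renovate's own glob matching are assumptions.

```python
from fnmatch import fnmatchcase

# Simplified model of ordered packageRules evaluation: each rule whose matchers
# all match is applied in file order, so a later match overwrites earlier settings.
# fnmatch stands in for Renovate's own glob matching (assumption of this example).
MATCHERS = {
    "matchUpdateTypes": lambda want, dep: dep["updateType"] in want,
    "matchManagers": lambda want, dep: dep["manager"] in want,
    "matchPackageNames": lambda want, dep: any(fnmatchcase(dep["name"], p) for p in want),
}

def matches(rule, dep):
    """True when the rule has matchers and every one of them matches the update."""
    present = {k: v for k, v in rule.items() if k in MATCHERS}
    return bool(present) and all(MATCHERS[k](v, dep) for k, v in present.items())

def resolve(package_rules, dep):
    """Effective settings for one update after all matching rules are merged in order."""
    effective = {"automerge": False}
    for rule in package_rules:
        if matches(rule, dep):
            effective.update({k: v for k, v in rule.items() if k not in MATCHERS})
    return effective

def overridden_optouts(package_rules, deps):
    """Updates that a matching rule opts out of automerge but that end up automerged."""
    return [d["name"] for d in deps
            if resolve(package_rules, d)["automerge"]
            and any(matches(r, d) and r.get("automerge") is False for r in package_rules)]

# Constructed rules and dependencies, not the project's renovate.json.
PATCH_AUTOMERGE = {"matchUpdateTypes": ["patch"], "automerge": True}
KUBERNETES = {"matchManagers": ["gomod"], "matchPackageNames": ["k8s.io/*"],
              "groupName": "kubernetes", "automerge": False}
DOCKER = {"matchManagers": ["dockerfile", "docker-compose"],
          "groupName": "docker-base-images", "automerge": False}
BROKEN_ORDER = [KUBERNETES, DOCKER, PATCH_AUTOMERGE]  # blanket rule last: it wins
FIXED_ORDER = [PATCH_AUTOMERGE, KUBERNETES, DOCKER]   # opt-outs last: they win
DEPS = [
    {"manager": "gomod", "name": "k8s.io/client-go", "updateType": "patch"},
    {"manager": "dockerfile", "name": "registry.access.redhat.com/ubi9/ubi", "updateType": "patch"},
    {"manager": "gomod", "name": "github.com/example/lib", "updateType": "patch"},
]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        print(label, overridden_optouts(rules, DEPS))
```

Running a check like `overridden_optouts` against the real rule list in CI would catch a reordering that silently re-enables automerge for a group that opted out.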
Recreating with synced fork
Summary
<=44 to prevent Renovate from proposing rawhide (Fedora 45). followTag does not work with Docker datasources since Docker tags lack the dist-tag-to-version mapping that npm provides.
go-toolchain group that bundles Go version directives, .go-version, and the go-toolset Docker image so they update in a single PR.
go-toolset so only Go-version-style tags (1.x.y) are tracked instead of UBI build tags.
Test plan
.go-version, Go version directives, and go-toolset image updates into a single go-toolchain PR
🤖 Generated with Claude Code