ci: fix Renovate config blocking 8.9 image updates and address config debt

[eamonnmoloney]

Summary

Fixes Renovate not updating Camunda 8.9 image tags, resolves deprecated config warnings, and adds a CI guard to prevent recurrence.

Fixes

1. Alpha versioning regex blocking 8.9 GA updates (root cause)

The Renovate config forced an alpha-only versioning regex on all Camunda images in 8.9 files:

versioning: 'regex:^(?<major>\d+)(.(?<minor>\d+))(.(?<patch>\d+))(-(?<prerelease>alpha[1-9]))$'

This requires an -alpha[1-9] suffix. Since 8.9 went GA (chart version 14.3.0), releases use plain semver (8.9.44, 8.9.5), which don't match. Renovate silently skipped them.

Fix: Removed 8.9 from both alpha versioning rules. Moved 8.9 into the GA patch-only image update group (consistent with 8.3-8.8). 8.10 remains under alpha versioning.

Stale images this unblocks:

• camunda/console: 8.9.37 -> 8.9.44
• camunda/connectors-bundle: 8.9.3 -> 8.9.4
• camunda/optimize: 8.9.4 -> 8.9.5
• camunda/camunda: 8.9.4 -> 8.9.5

2. CI guard: alpha versioning consistency test

New Go test package at scripts/renovate-config-check/ that prevents this regression:

• TestAlphaVersioningConsistency -- parses renovate.json5, finds alpha versioning rules, cross-references against each chart's Chart.yaml version field. Fails if a GA chart is still in an alpha rule.
• TestGAChartsHavePatchUpdatesEnabled -- ensures every GA chart version is included in a Renovate image update group.

The renovate-config-check.yaml workflow now also triggers on Chart.yaml changes, so when a chart transitions from alpha to GA, CI immediately flags the stale Renovate rule.

3. Deprecated helmv3 -> helm migration

Renovate renamed the helmv3 manager/datasource to helm in v37+. The config still used the old name in matchManagers and matchDatasources, triggering the "Config Migration Needed" warning on the Dependency Dashboard.

Fix: Replaced all helmv3 references with helm.

4. Missing Elasticsearch version constraints for 8.8 and 8.9

Charts 8.3-8.7 all had allowedVersions for the ES Docker image tag, but 8.8 and 8.9 had none. Without a cap, Renovate could bump ES to 9.x when released.

Fix: Added allowedVersions: '~8.18.0' for both 8.8 and 8.9, consistent with the existing constraint pattern.

Not fixed here (requires Mend app admin)

registry.camunda.cloud package lookups all fail with "no-result" (enterprise images: console-sm, keycloak-ee, modeler-restapi, vendor-ee/postgresql, vendor-ee/elasticsearch). The hostRules in the config are correct -- the DISTRO_CAMUNDA_DOCKER_REGISTRY_PASSWORD secret likely needs to be verified/updated in the Mend Renovate App settings.

Open thread to fix the secret: https://camunda.slack.com/archives/C5AHF1D8T/p1779944595148519

After merge

1. Renovate detects outdated 8.9 images on next run -> creates update PR
2. Check values-latest.yaml files check starts passing -> unblocks automerge of other Renovate PRs (deps: update camunda-platform-images (patch) #6154)
3. "Config Migration Needed" warning clears from Dependency Dashboard
4. Future alpha->GA transitions caught immediately by CI

[Copilot]

Pull request overview

Removes alpha-only versioning constraints for chart 8.9 in Renovate config since 8.9 is now GA, and moves it into the GA patch-only image update group alongside 8.3–8.8. 8.10 remains under alpha versioning.

Changes:

• Removes 8.9 from the alpha versioning regex rule
• Adds 8.9 files to the GA patch/pin image update group
• Updates description of the alpha semver rule to only reference 8.10

[eamonnmoloney]

@bkenez I tested this Renovate config change on a fork before merge.

What I did:

• Created/used fork branch: eamonnmoloney/camunda-platform-helm:renovate-pr-6251
• Verified it matches this PR branch SHA: f409d4f2c1724e132e2dea1b9928d1ba6339b2c8
• Ran renovate-config-validator
• Ran the new Go checks from scripts/renovate-config-check
• Ran Renovate against the fork branch with RENOVATE_DRY_RUN=full

Results:

• renovate-config-validator passed.
• go test ./... in scripts/renovate-config-check passed.
• Renovate dry-run completed successfully against the fork branch.
• The dry-run detected the expected 8.9 Camunda image patch updates, including:
  • camunda/console -> 8.9.44
  • camunda/connectors-bundle -> 8.9.4
  • camunda/optimize -> 8.9.5
  • camunda/camunda -> 8.9.5

Notes:

• The registry.camunda.cloud lookup failures are not treated as a blocker for this PR, as those are already being handled separately through the IT Slack thread.
• For the fork dry-run I provided a dummy DISTRO_CAMUNDA_DOCKER_REGISTRY_PASSWORD just to satisfy Renovate config interpolation, so private registry lookups were expected to fail there.

[CLAassistant]

All committers have signed the CLA.

[bkenez]

There is a go.mod version mismatch: scripts/renovate-config-check/go.mod declares go 1.25.0 but .tool-versions pins golang 1.26.3. The setup-go step reads from go.mod, so CI installs a different version than the rest of the repo. Suggest bumping to match before merge. @eamonnmoloney

[eamonnmoloney]

@claude[agent] please do this "There is a go.mod version mismatch: scripts/renovate-config-check/go.mod declares go 1.25.0 but .tool-versions pins golang 1.26.3. The setup-go step reads from go.mod, so CI installs a different version than the rest of the repo. Suggest bumping to match before merge. @eamonnmoloney"

[Claude]

@claude[agent] please do this "There is a go.mod version mismatch: scripts/renovate-config-check/go.mod declares go 1.25.0 but .tool-versions pins golang 1.26.3. The setup-go step reads from go.mod, s...

Done. Updated scripts/renovate-config-check/go.mod from go 1.25.0 to go 1.26 to match .tool-versions. Commit: 757fcfc