build: Renovate changes

Ensures that the core configuration focuses on keeping the development
branch updated, while also proposing security fixes for backporting
branches.

The core configuration is scheduled for Tuesdays and Thursdays only. The
backporting schedule is disabled, as its execution closes open PRs by a
separate configuration (e.g. the core config).

Signed-off-by: Paulo Gomes <[email protected]>

Author: pjbgf

.github/renovate.json

@@ -11,6 +11,7 @@
   "prHourlyLimit": 4,
   "packageRules": [
     {
+      "description": "Constraint k8s versions",
       "matchBaseBranches": [
         "main"
       ],
@@ -23,13 +24,31 @@
       "allowedVersions": "<0.33.0"
     },
     {
+      "description": "Disable non-security bumps for backporting branches",
       "enabled": false,
       "matchBaseBranches": [
         "release/v1.1", 
         "release/v1.2", 
         "release/v1.3",
         "release/v1.4"
       ]
+    },
+    {
+      "description": "Ensure CA bumps are enabled for backporting branches",
+      "enabled": true,
+      "matchBaseBranches": [
+        "release/v1.1", 
+        "release/v1.2", 
+        "release/v1.3",
+        "release/v1.4"
+      ],
+      "matchPackageNames": [
+        "golang.org/x/crypto/x509roots/fallback"
+      ],
+      "matchUpdateTypes": [
+        "patch",
+        "digest"
+      ]
     }
   ],
   "vulnerabilityAlerts": {

.github/workflows/renovate-vault-backports.yml

@@ -12,10 +12,6 @@ on:
         required: false
         default: "false"
         type: string
-  schedule:
-    # For backport/release branches, runs twice every other day in
-    # the last third of the month.
-    - cron: '30 4,6 21-31/2 * 2-4'
 
 permissions:
   contents: read

.github/workflows/renovate-vault.yml

@@ -13,17 +13,16 @@ on:
         default: "false"
         type: string
   schedule:
-    # For main branche, runs twice every other day in the first two
-    # thirds of the month.
-    - cron: '30 4,6 1-20/2 * 2-4'
+    # Runs twice on Tuesdays to Thursdays.
+    - cron: '30 4,6 * * 2-4'
 
 permissions:
   contents: read
   id-token: write
 
 jobs:
   call-workflow:
-    uses: rancher/renovate-config/.github/workflows/renovate-vault.yml@custom-config
+    uses: rancher/renovate-config/.github/workflows/renovate-vault.yml@release
     with:
       logLevel: ${{ inputs.logLevel || 'info' }}
       overrideSchedule: ${{ github.event.inputs.overrideSchedule == 'true' && '{''schedule'':null}' || '' }}