Merge pull request #723 from pjbgf/renovate-changes

pjbgf · web-flow · commit 77cdb0e45745 · 2025-03-11T08:14:56.000Z
Renovate changes
diff --git a/.github/renovate-backports.json b/.github/renovate-backports.json
@@ -0,0 +1,133 @@
+{
+  "extends": [
+    "github>rancher/renovate-config#release"
+  ],
+  "baseBranches": [
+    "release/v1.1",
+    "release/v1.2", 
+    "release/v1.3",
+    "release/v1.4"
+  ],
+  "ignoreDeps":[
+    "github.com/rancher/lasso"
+  ],
+  "prHourlyLimit": 10,
+  "packageRules": [
+    {
+      "matchBaseBranches": [
+        "release/v1.4"
+      ],
+      "matchDepNames": [
+        "k8s.io/api",
+        "k8s.io/apiextensions-apiserver",
+        "k8s.io/apimachinery",
+        "k8s.io/client-go"
+      ],
+      "allowedVersions": "<0.33.0"
+    },
+    {
+      "matchBaseBranches": [
+        "release/v1.3"
+      ],
+      "matchDepNames": [
+        "k8s.io/api",
+        "k8s.io/apiextensions-apiserver",
+        "k8s.io/apimachinery",
+        "k8s.io/client-go"
+      ],
+      "allowedVersions": "<0.32.0"
+    },
+    {
+      "matchBaseBranches": [
+        "release/v1.4"
+      ],
+      "matchDepNames": [
+        "github.com/rancher/security-scan"
+      ],
+      "allowedVersions": "<v0.7.0"
+    },
+    {
+      "matchBaseBranches": [
+        "release/v1.3"
+      ],
+      "matchDepNames": [
+        "github.com/rancher/security-scan"
+      ],
+      "allowedVersions": "<v0.6.0"
+    },
+    {
+      "matchBaseBranches": ["release/v1.2"],
+      "matchDepNames": [
+        "k8s.io/api",
+        "k8s.io/apiextensions-apiserver",
+        "k8s.io/apimachinery",
+        "k8s.io/client-go"
+      ],
+      "allowedVersions": "<0.31.0"
+    },
+    {
+      "matchBaseBranches": ["release/v1.2"],
+      "matchDepNames": [
+        "github.com/rancher/security-scan"
+      ],
+      "allowedVersions": "<v0.5.0"
+    },
+    {
+      "matchBaseBranches": ["release/v1.1"],
+      "matchDepNames": [
+        "k8s.io/api",
+        "k8s.io/apiextensions-apiserver",
+        "k8s.io/apimachinery",
+        "k8s.io/client-go"
+      ],
+      "allowedVersions": "<0.31.0"
+    },
+    {
+      "matchBaseBranches": ["release/v1.1"],
+      "matchDepNames": [
+        "github.com/rancher/security-scan"
+      ],
+      "allowedVersions": "<v0.4.0"
+    },
+    {
+      "matchBaseBranches": ["release/v1.3"],
+      "matchDepNames": [
+        "github.com/prometheus-operator/prometheus-operator/pkg/client",
+        "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring"
+      ],
+      "allowedVersions": "<v0.79.0"
+    },
+    {
+      "matchBaseBranches": [
+        "release/v1.1",
+        "release/v1.2"
+      ],
+      "matchDepNames": [
+        "github.com/prometheus-operator/prometheus-operator/pkg/client",
+        "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring"
+      ],
+      "allowedVersions": "<v0.75.0"
+    },
+    {
+      "matchBaseBranches": [
+        "release/v1.1",
+        "release/v1.2",
+        "release/v1.3"
+      ],
+      "matchDepNames": [
+        "github.com/urfave/cli"
+      ],
+      "allowedVersions": "<v2.0.0"
+    },
+    {
+      "matchBaseBranches": [
+        "release/v1.1",
+        "release/v1.2"
+      ],
+      "matchDepNames": [
+        "github.com/rancher/wrangler"
+      ],
+      "allowedVersions": "<v3.0.1"
+    }
+  ]
+}
diff --git a/.github/renovate.json b/.github/renovate.json
@@ -3,21 +3,17 @@
     "github>rancher/renovate-config#release"
   ],
   "baseBranches": [
-    "main", 
-    "release/v1.1", 
-    "release/v1.2", 
-    "release/v1.3",
-    "release/v1.4"
+    "main"
   ],
   "ignoreDeps":[
     "github.com/rancher/lasso"
   ],
   "prHourlyLimit": 4,
   "packageRules": [
     {
+      "description": "Constraint k8s versions",
       "matchBaseBranches": [
-        "main",
-        "release/v1.4"
+        "main"
       ],
       "matchDepNames": [
         "k8s.io/api",
@@ -28,108 +24,35 @@
       "allowedVersions": "<0.33.0"
     },
     {
+      "description": "Disable non-security bumps for backporting branches",
+      "enabled": false,
       "matchBaseBranches": [
-        "release/v1.3"
-      ],
-      "matchDepNames": [
-        "k8s.io/api",
-        "k8s.io/apiextensions-apiserver",
-        "k8s.io/apimachinery",
-        "k8s.io/client-go"
-      ],
-      "allowedVersions": "<0.32.0"
-    },
-    {
-      "matchBaseBranches": [
+        "release/v1.1", 
+        "release/v1.2", 
+        "release/v1.3",
         "release/v1.4"
-      ],
-      "matchDepNames": [
-        "github.com/rancher/security-scan"
-      ],
-      "allowedVersions": "<v0.7.0"
+      ]
     },
     {
+      "description": "Ensure CA bumps are enabled for backporting branches",
+      "enabled": true,
       "matchBaseBranches": [
-        "release/v1.3"
-      ],
-      "matchDepNames": [
-        "github.com/rancher/security-scan"
-      ],
-      "allowedVersions": "<v0.6.0"
-    },
-    {
-      "matchBaseBranches": ["release/v1.2"],
-      "matchDepNames": [
-        "k8s.io/api",
-        "k8s.io/apiextensions-apiserver",
-        "k8s.io/apimachinery",
-        "k8s.io/client-go"
-      ],
-      "allowedVersions": "<0.31.0"
-    },
-    {
-      "matchBaseBranches": ["release/v1.2"],
-      "matchDepNames": [
-        "github.com/rancher/security-scan"
-      ],
-      "allowedVersions": "<v0.5.0"
-    },
-    {
-      "matchBaseBranches": ["release/v1.1"],
-      "matchDepNames": [
-        "k8s.io/api",
-        "k8s.io/apiextensions-apiserver",
-        "k8s.io/apimachinery",
-        "k8s.io/client-go"
-      ],
-      "allowedVersions": "<0.31.0"
-    },
-    {
-      "matchBaseBranches": ["release/v1.1"],
-      "matchDepNames": [
-        "github.com/rancher/security-scan"
-      ],
-      "allowedVersions": "<v0.4.0"
-    },
-    {
-      "matchBaseBranches": ["release/v1.3"],
-      "matchDepNames": [
-        "github.com/prometheus-operator/prometheus-operator/pkg/client",
-        "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring"
-      ],
-      "allowedVersions": "<v0.79.0"
-    },
-    {
-      "matchBaseBranches": [
-        "release/v1.1",
-        "release/v1.2"
-      ],
-      "matchDepNames": [
-        "github.com/prometheus-operator/prometheus-operator/pkg/client",
-        "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring"
-      ],
-      "allowedVersions": "<v0.75.0"
-    },
-    {
-      "matchBaseBranches": [
-        "release/v1.1",
-        "release/v1.2",
-        "release/v1.3"
-      ],
-      "matchDepNames": [
-        "github.com/urfave/cli"
-      ],
-      "allowedVersions": "<v2.0.0"
-    },
-    {
-      "matchBaseBranches": [
-        "release/v1.1",
-        "release/v1.2"
+        "release/v1.1", 
+        "release/v1.2", 
+        "release/v1.3",
+        "release/v1.4"
       ],
-      "matchDepNames": [
-        "github.com/rancher/wrangler"
+      "matchPackageNames": [
+        "golang.org/x/crypto/x509roots/fallback"
       ],
-      "allowedVersions": "<v3.0.1"
+      "matchUpdateTypes": [
+        "patch",
+        "digest"
+      ]
     }
-  ]
+  ],
+  "vulnerabilityAlerts": {
+    "enabled": true
+  },
+  "osvVulnerabilityAlerts": true
 }
diff --git a/.github/workflows/renovate-vault-backports.yml b/.github/workflows/renovate-vault-backports.yml
@@ -0,0 +1,27 @@
+name: Renovate
+on:
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: "Override default log level"
+        required: false
+        default: "info"
+        type: string
+      overrideSchedule:
+        description: "Override all schedules"
+        required: false
+        default: "false"
+        type: string
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  call-workflow:
+    uses: rancher/renovate-config/.github/workflows/renovate-vault.yml@release
+    with:
+      logLevel: ${{ inputs.logLevel || 'info' }}
+      overrideSchedule: ${{ github.event.inputs.overrideSchedule == 'true' && '{''schedule'':null}' || '' }}
+      renovateConfig: .github/renovate-backports.json
+    secrets: inherit
diff --git a/.github/workflows/renovate-vault.yml b/.github/workflows/renovate-vault.yml
@@ -12,9 +12,9 @@ on:
         required: false
         default: "false"
         type: string
-  # Run twice in the early morning (UTC) for initial and follow up steps (create pull request and merge)
   schedule:
-    - cron: '30 4,6 * * *'
+    # Runs twice on Tuesdays to Thursdays.
+    - cron: '30 4,6 * * 2-4'
 
 permissions:
   contents: read
@@ -26,4 +26,5 @@ jobs:
     with:
       logLevel: ${{ inputs.logLevel || 'info' }}
       overrideSchedule: ${{ github.event.inputs.overrideSchedule == 'true' && '{''schedule'':null}' || '' }}
+      renovateConfig: .github/renovate-backports.json
     secrets: inherit
