Merge pull request #37 from upbound/bump-deps

Bump dependencies

Author: jeanduplessis

.github/renovate.json5

@@ -1,139 +1,137 @@
 {
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:base"
+  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
+  extends: [
+    'config:recommended',
+    'helpers:pinGitHubActionDigests',
+    ':semanticCommits',
   ],
-// The maximum number of PRs to be created in parallel
-  "prConcurrentLimit": 5,
-// The branches renovate should target
-  "baseBranches": ["main"],
-  "ignorePaths": ["design/**"],
-  "postUpdateOptions": ["gomodTidy"],
-// By default renovate will auto detect whether semantic commits have been used
-// in the recent history and comply with that, we explicitly disable it
-  "semanticCommits": "disabled",
-// All PRs should have a label
-  "labels": ["automated"],
-  "regexManagers": [
+  rebaseWhen: 'conflicted',
+  prConcurrentLimit: 5,
+  baseBranches: [
+    'main',
+  ],
+  ignorePaths: [
+    'design/**',
+  ],
+  postUpdateOptions: [
+    'gomodTidy',
+  ],
+  labels: [
+    'automated',
+  ],
+  customManagers: [
+    {
+      customType: 'regex',
+      description: 'Bump Go version used in workflows',
+      fileMatch: [
+        '^\\.github\\/workflows\\/[^/]+\\.ya?ml$',
+      ],
+      matchStrings: [
+        "GO_VERSION: '(?<currentValue>.*?)'\\n",
+      ],
+      datasourceTemplate: 'golang-version',
+      depNameTemplate: 'golang',
+    },
+    {
+      customType: 'regex',
+      description: 'Bump golangci-lint version in workflows and the Makefile',
+      fileMatch: [
+        '^\\.github\\/workflows\\/[^/]+\\.ya?ml$',
+        '^Makefile$',
+      ],
+      matchStrings: [
+        "GOLANGCI_VERSION: 'v(?<currentValue>.*?)'\\n",
+        'GOLANGCILINT_VERSION = (?<currentValue>.*?)\\n',
+      ],
+      datasourceTemplate: 'github-tags',
+      depNameTemplate: 'golangci/golangci-lint',
+      extractVersionTemplate: '^v(?<version>.*)$',
+    },
     {
-// We want a PR to bump Go versions used through env variables in any Github
-// Actions, taking it from the official Github repository.
-      "fileMatch": ["^\\.github\\/workflows\\/[^/]+\\.ya?ml$"],
-      "matchStrings": [
-        "GO_VERSION: '(?<currentValue>.*?)'\\n"
-      ],
-      "datasourceTemplate": "golang-version",
-      "depNameTemplate": "golang"
-    }, {
-// We want a PR to bump golangci-lint versions used through env variables in
-// any Github Actions, taking it from the official Github repository tags.
-      "fileMatch": ["^\\.github\\/workflows\\/[^/]+\\.ya?ml$"],
-      "matchStrings": [
-        "GOLANGCI_VERSION: '(?<currentValue>.*?)'\\n"
-      ],
-      "datasourceTemplate": "github-tags",
-      "depNameTemplate": "golangci/golangci-lint"
-    }
+      customType: 'regex',
+      description: 'Bump helm version in the Makefile',
+      fileMatch: [
+        '^Makefile$',
+      ],
+      matchStrings: [
+        'HELM3_VERSION = (?<currentValue>.*?)\\n',
+      ],
+      datasourceTemplate: 'github-tags',
+      depNameTemplate: 'helm/helm',
+    },
+    {
+      customType: 'regex',
+      description: 'Bump kind version in the Makefile',
+      fileMatch: [
+        '^Makefile$',
+      ],
+      matchStrings: [
+        'KIND_VERSION = (?<currentValue>.*?)\\n',
+      ],
+      datasourceTemplate: 'github-tags',
+      depNameTemplate: 'kubernetes-sigs/kind',
+    },
   ],
-// PackageRules disabled below should be enabled in case of vulnerabilities
-  "vulnerabilityAlerts": {
-    "enabled": true
+  vulnerabilityAlerts: {
+    enabled: true,
   },
-  "packageRules": [
+  osvVulnerabilityAlerts: true,
+  packageRules: [
+    {
+      description: 'Only get Docker image updates every 2 weeks to reduce noise',
+      matchDatasources: [
+        'docker',
+      ],
+      schedule: [
+        'every 2 week on monday',
+      ],
+      enabled: true,
+    },
+    {
+      description: 'Ignore k8s.io/client-go older versions, they switched to semantic version and old tags are still available in the repo',
+      matchDatasources: [
+        'go',
+      ],
+      matchDepNames: [
+        'k8s.io/client-go',
+      ],
+      allowedVersions: '<1.0',
+    },
     {
-// We need to ignore k8s.io/client-go older versions as they switched to
-// semantic version and old tags are still available in the repo.
-      "matchDatasources": [
-        "go"
-      ],
-      "matchDepNames": [
-        "k8s.io/client-go"
-      ],
-      "allowedVersions": "<1.0"
-    }, {
-// We want a single PR for all the patches bumps of kubernetes related
-// dependencies, as most of the times these are all strictly related.
-      "matchDatasources": [
-        "go"
-      ],
-      "groupName": "kubernetes patches",
-      "matchUpdateTypes": [
-        "patch",
-        "digest"
-      ],
-      "matchPackagePrefixes": [
-        "k8s.io",
-        "sigs.k8s.io"
-      ]
-    }, {
-// We want dedicated PRs for each minor and major bumps to kubernetes related
-// dependencies.
-      "matchDatasources": [
-        "go"
-      ],
-      "matchUpdateTypes": [
-        "major",
-        "minor"
-      ],
-      "matchPackagePrefixes": [
-        "k8s.io",
-        "sigs.k8s.io"
-      ]
-    }, {
-// We want dedicated PRs for each bump to non-kubernetes Go dependencies, but
-// only if there are known vulnerabilities in the current version.
-      "matchDatasources": [
-        "go"
-      ],
-      "matchPackagePatterns": [
-        "*"
-      ],
-      "enabled": false,
-      "excludePackagePrefixes": [
-        "k8s.io",
-        "sigs.k8s.io"
-      ],
-      "matchUpdateTypes": [
-        "major",
-      ],
-    }, {
-// We want a single PR for all minor and patch bumps to non-kubernetes Go
-// dependencies, but only if there are known vulnerabilities in the current
-// version.
-      "matchDatasources": [
-        "go"
-      ],
-      "matchPackagePatterns": [
-        "*"
-      ],
-      "enabled": false,
-      "excludePackagePrefixes": [
-        "k8s.io",
-        "sigs.k8s.io"
-      ],
-      "matchUpdateTypes": [
-        "minor",
-        "patch",
-        "digest"
-      ],
-      "groupName": "all non-major go dependencies"
-    }, {
-// We want a single PR for all minor and patch bumps of Github Actions
-      "matchDepTypes": [
-        "action"
-      ],
-      "matchUpdateTypes": [
-        "minor",
-        "patch"
-      ],
-      "groupName": "all non-major github action",
-      "pinDigests": true
-    },{
-// We want dedicated PRs for each major bump to Github Actions
-      "matchDepTypes": [
-        "action"
-      ],
-      "pinDigests": true
-    }
-  ]
+      description: 'Ignore k8s dependencies, should be updated on crossplane-runtime',
+      matchDatasources: [
+        'go',
+      ],
+      enabled: false,
+      matchPackageNames: [
+        'k8s.io{/,}**',
+        'sigs.k8s.io{/,}**',
+      ],
+    },
+    {
+      description: 'Only get dependency digest updates every month to reduce noise, except crossplane-runtime',
+      matchDatasources: [
+        'go',
+      ],
+      matchUpdateTypes: [
+        'digest',
+      ],
+      extends: [
+        'schedule:monthly',
+      ],
+      matchPackageNames: [
+        '!github.com/crossplane/crossplane-runtime',
+      ],
+    },
+    {
+      description: "Ignore oss-fuzz, it's not using tags, we'll stick to master",
+      matchDepTypes: [
+        'action',
+      ],
+      matchDepNames: [
+        'google/oss-fuzz',
+      ],
+      enabled: false,
+    },
+  ],
 }

.github/workflows/ci.yml

@@ -13,7 +13,7 @@ on:
   workflow_dispatch: {}
 
 env:
-  GO_VERSION: "1.22"
+  GO_VERSION: "1.23.7"
 
 jobs:
   detect-noop:

.github/workflows/uptest-trigger.yaml

@@ -9,22 +9,35 @@ on:
     types: [created]
 
 env:
-  GO_VERSION: "1.22"
+  GO_VERSION: "1.23.7"
 
 jobs:
-  debug:
+  check-permissions:
     runs-on: ubuntu-latest
+    outputs:
+      permission: ${{ steps.check-permissions.outputs.permission }}
     steps:
-      - name: Debug
+      - name: Get Commenter Permissions
+        id: check-permissions
         run: |
           echo "Trigger keyword: '/test-examples'"
           echo "Go version: ${{ env.GO_VERSION }}"
-          echo "github.event.comment.author_association: ${{ github.event.comment.author_association }}"
+
+          REPO=${{ github.repository }}
+          COMMENTER=${{ github.event.comment.user.login }}
+
+          # Fetch the commenter's repo-level permission grant
+          GRANTED=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Accept: application/vnd.github.v3+json" \
+            "https://api.github.com/repos/$REPO/collaborators/$COMMENTER/permission" | jq -r .permission)
+
+          # Make it accessible in the workflow via a job output -- cannot use env
+          echo "User $COMMENTER has $GRANTED permissions"
+          echo "permission=$GRANTED" >> "$GITHUB_OUTPUT"
 
   get-example-list:
-    if: ${{ (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER' ) &&
-      github.event.issue.pull_request &&
-      contains(github.event.comment.body, '/test-examples' ) }}
+    needs: check-permissions
+    if: ${{ (needs.check-permissions.outputs.permission == 'admin' || needs.check-permissions.outputs.permission == 'write') && github.event.issue.pull_request != null && contains(github.event.comment.body, '/test-examples')}}
     runs-on: ubuntu-latest
     outputs:
       example_list: ${{ steps.get-example-list-name.outputs.example-list }}
@@ -79,12 +92,11 @@ jobs:
             -f context="Uptest-${{ steps.get-example-list-name.outputs.example-hash }}"
 
   uptest:
-    if: ${{ (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER' ) &&
-      github.event.issue.pull_request &&
-      contains(github.event.comment.body, '/test-examples' ) }}
+    needs:
+      - check-permissions
+      - get-example-list
+    if: ${{ (needs.check-permissions.outputs.permission == 'admin' || needs.check-permissions.outputs.permission == 'write') && github.event.issue.pull_request != null && contains(github.event.comment.body, '/test-examples')}}
     runs-on: ubuntu-latest
-    needs: get-example-list
-
     steps:
       - name: Cleanup Disk
         uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1

Makefile

@@ -10,6 +10,7 @@ PLATFORMS ?= linux_amd64 linux_arm64
 -include build/makelib/output.mk
 
 # Setup Go
+GO_REQUIRED_VERSION ?= 1.23.7
 NPROCS ?= 1
 # GOLANGCILINT_VERSION is inherited from build submodule by default.
 # Uncomment below if you need to override the version.
@@ -26,14 +27,14 @@ GO111MODULE = on
 
 # Uncomment below to override the versions from the build module
 # KIND_VERSION = v0.15.0
-UP_VERSION = v0.33.0
-# UP_CHANNEL = stable
+UP_VERSION = v0.38.0
+UP_CHANNEL = stable
 UPTEST_VERSION = v1.1.2
 CROSSPLANE_VERSION = 1.17.1
 -include build/makelib/k8s_tools.mk
 
 # Setup Images
-REGISTRY_ORGS ?= xpkg.upbound.io/upboundcare
+REGISTRY_ORGS ?= xpkg.upbound.io/upbound
 IMAGES = provider-opentofu
 -include build/makelib/imagelight.mk
 
@@ -59,10 +60,10 @@ submodules:
 # ====================================================================================
 # Setup XPKG
 
-XPKG_REG_ORGS ?= xpkg.upbound.io/upboundcare
+XPKG_REG_ORGS ?= xpkg.upbound.io/upbound
 # NOTE(hasheddan): skip promoting on xpkg.upbound.io as channel tags are
 # inferred.
-XPKG_REG_ORGS_NO_PROMOTE ?= xpkg.upbound.io/upboundcare
+XPKG_REG_ORGS_NO_PROMOTE ?= xpkg.upbound.io/upbound
 XPKGS = provider-opentofu
 -include build/makelib/xpkg.mk
 

examples/install.yaml

@@ -13,6 +13,6 @@ kind: Provider
 metadata:
   name: crossplane-provider-opentofu
 spec:
-  package: xpkg.upbound.io/upboundcare/provider-opentofu:v0.2.0
+  package: xpkg.upbound.io/upbound/provider-opentofu:v0.2.2
   controllerConfigRef:
     name: opentofu-config