Skip to content

Commit

Permalink
chore(deps): ensure a dependency workflow checks all upstream resourc…
Browse files Browse the repository at this point in the history
…es and dependencies (#1042)

* Deletes dependabot and adds renovate
  • Loading branch information
CollectiveUnicorn authored Sep 18, 2024
1 parent 84a6d70 commit c37c698
Show file tree
Hide file tree
Showing 2 changed files with 260 additions and 16 deletions.
16 changes: 0 additions & 16 deletions .github/dependabot.yml

This file was deleted.

260 changes: 260 additions & 0 deletions .github/renovate.json5
Original file line number Diff line number Diff line change
@@ -0,0 +1,260 @@
{
"enabled": true,
"forkProcessing": "enabled",
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:best-practices",
":semanticCommits",
":semanticCommitTypeAll(chore)"
],
// Disable reviewers getting added by renovate to limit notification noise
"reviewersFromCodeOwners": false,
"timezone": "America/New_York",
"rebaseStalePrs": true,
"dependencyDashboard": true,
"dependencyDashboardTitle": "Renovate Dashboard 🤖",
"rebaseWhen": "conflicted",
"commitBodyTable": true,
"suppressNotifications": ["prIgnoreNotification"],
"pre-commit": {
"enabled": true
},
"helm-values": {
"fileMatch": [".*\\.ya?ml$"]
},
"kubernetes": {
"fileMatch": [".*\\.ya?ml$"],
"ignorePaths": [
".github"
]
},
"labels": ["dependencies", "tech-debt"],
"hostRules": [
{
"matchHost": "registry1.dso.mil",
"hostType": "docker",
"description": "Encrypted creds for registry1, scoped to this Github org using: https://docs.renovatebot.com/getting-started/migrating-secrets/#migrate-your-secrets-in-encrypted-form",
"username": "{{ secrets.IRONBANK_USERNAME }}",
"password": "{{ secrets.IRONBANK_PASSWORD }}"
},
{
"matchHost": "cgr.dev",
"description": "Encrypted creds for cgr.dev, scoped to this Github org using: https://docs.renovatebot.com/getting-started/migrating-secrets/#migrate-your-secrets-in-encrypted-form",
"username": "{{ secrets.CHAINGUARD_USERNAME }}",
"password": "{{ secrets.CHAINGUARD_PASSWORD }}"
},
{
"matchHost": "ghcr.io",
"hostType": "docker",
"description": "Encrypted creds for ghcr.io, scoped to this Github org using: https://docs.renovatebot.com/getting-started/migrating-secrets/#migrate-your-secrets-in-encrypted-form",
"username": "renovate",
"password": "{{ secrets.DEFENSEUNICORNS_PACKAGE_READ_PAT }}"
}
],
"regexManagers": [
// Matches github-tags pointing to items in githubusercontent (i.e. https://github.com/defenseunicorns/uds-core/blob/e45de0e5917a2ca6c3e30e593e2d9a8d393849a9/.vscode/settings.json#L12)
{
"fileMatch": [".*(\\.ya?ml|\\.json)$"],
"matchStrings": [
// Test: https://regex101.com/r/r1nWoZ/1
"https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\/]+\\/[^\\/]+)\\/(?<currentValue>[^\\/]+)"
],
"versioningTemplate": "semver-coerced",
"datasourceTemplate": "github-tags"
},
// Matches github-tags pointing to items in github.com/<org>/<repo>/raw/<tag> (i.e. https://github.com/defenseunicorns/uds-package-postgres-operator/blob/c88f9fd47c2fbc85e86c86c26b2d6948f6220898/zarf.yaml#L17)
{
"fileMatch": [".*(\\.ya?ml|\\.json)$"],
"matchStrings": [
// Test: https://regex101.com/r/huQrD4/1
"https:\\/\\/github\\.com\\/(?<depName>[^\\/]+\\/[^\\/]+)\\/raw\\/(?<currentValue>[^\\/]+)"
],
"versioningTemplate": "semver-coerced",
"datasourceTemplate": "github-tags"
},
// Matches github-tags pointing to items in github.com/<org>/<repo>/releases/download/<tag> (i.e. https://github.com/defenseunicorns/zarf/blob/c8abe31a5c4bbed933d692fcdeeefdc4b31701a5/packages/distros/k3s/zarf.yaml#L17)
{
"fileMatch": [".*(\\.ya?ml|\\.json)$"],
"matchStrings": [
// Test: https://regex101.com/r/oGP4dI/1
"https:\\/\\/github\\.com\\/(?<depName>[^\\/]+\\/[^\\/]+)\\/releases\\/download\\/(?<currentValue>[^\\/]+)"
],
"versioningTemplate": "semver-coerced",
"datasourceTemplate": "github-tags"
},
// Matches npm modules in npm install commands (i.e. https://github.com/defenseunicorns/uds-core/blob/f8e65159873f87be5912b73cc6f0a5ff26b7bed0/.github/workflows/commitlint.yaml#L26)
{
"fileMatch": [".*(\\.ya?ml|\\.json)$"],
"matchStrings": [
// Test: https://regex101.com/r/321nL5/1
"npm install ([\\w\\- ]+ )?(?<depName>@?[^\\s]*?)@(?<currentValue>[^\\s]+)"
],
"datasourceTemplate": "npm"
},
// Matches specified datasources where a colon separates the version on the following line (i.e. https://github.com/defenseunicorns/zarf/blob/7e91d3b9823b52fe6d0f563d692c8af57faa6005/examples/big-bang/zarf.yaml#L5)
{
"fileMatch": [".*\\.ya?ml$"],
"matchStrings": [
// Test: https://regex101.com/r/d9t0lt/1
"# renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?( extractVersion=(?<extractVersion>.*?))?( registryUrl=(?<registryUrl>.*?))?\\s.*:\\s*['\"]?(?<currentValue>[v0-9].*?)['\"]?(\\s|$)"
],
"versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver-coerced{{/if}}",
"extractVersionTemplate": "{{#if extractVersion}}{{{extractVersion}}}{{else}}^(?<version>.*)${{/if}}"
},
// Matches specified datasources where an environment variable separates the version on the following line (i.e. https://github.com/defenseunicorns/uds-common/blob/ce3ba974ef3ff88058809f4b9a78da281a65ffa0/.github/actions/setup/action.yaml#L9)
{
"fileMatch": [".*\\.ya?ml$", ".*\\.sh$", ".*\\.?Dockerfile$"],
"matchStrings": [
// Test: https://regex101.com/r/b53bEF/2
"# renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?( extractVersion=(?<extractVersion>.*?))?( registryUrl=(?<registryUrl>.*?))?\\s.*[A-Z]+=['\"]?(?<currentValue>[v0-9].*?)['\"]?(\\s|$)"
],
"versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver-coerced{{/if}}",
"extractVersionTemplate": "{{#if extractVersion}}{{{extractVersion}}}{{else}}^(?<version>.*)${{/if}}"
},
// Matches specified datasources for brew where an @ separates the version on the following line (i.e. https://github.com/defenseunicorns/uds-core/blob/5a2666f6a5ba89686c6dc1fecb0db98512b1b9f8/.github/actions/setup/action.yaml#L32)
{
"fileMatch": [".*\\.ya?ml$"],
"matchStrings": [
// Test: https://regex101.com/r/p3Cpjx/1
"# renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\s.*brew.*@\\s*['\"]?(?<currentValue>[v0-9].*?)['\"]?(\\s|$)"
],
"versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver-coerced{{/if}}",
"extractVersionTemplate": "^v(?<version>.*)$"
},
// Matches images where you need to override the image reference in a Helm Value (i.e. https://github.com/defenseunicorns/uds-capability-rook-ceph/blob/f190c32688e80ad72df6389bcb150b35d779d0f0/values/cluster-values.yaml#L3-L4)
{
"fileMatch": ["\\.*\\.ya?ml$"],
"matchStrings": [
// Test: https://regex101.com/r/k5ebjz/1
"# renovate: image=(?<depName>.*?)\\s*image:\\s.*:(?<currentValue>[^\\s\"]*)",
],
"datasourceTemplate": "docker"
},
// Matches individual images in a `zarf.yaml`'s `images:` section that are tagged with a version (allowing for # renovate overrides)
{
"fileMatch": [ "(^|/)zarf\\.ya?ml$" ],
"matchStrings": [
// Test: https://regex101.com/r/Bd8IBp/1
"- ['\"]?(?<depName>[^\"'\\s]+):(?<currentValue>[^\"'\\s]+)['\"]?( # renovate:( versioning=(?<versioning>.*?))?( extractVersion=(?<extractVersion>.*?))?)?(\\s|$)"
],
"versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}docker{{/if}}",
"extractVersionTemplate": "{{#if extractVersion}}{{{extractVersion}}}{{else}}^(?<version>.*)${{/if}}",
"datasourceTemplate": "docker"
},
// Matches individual helm repo charts in a `zarf.yaml`'s `charts:` section that specify `version` then `url`
{
"fileMatch": [ "(^|/)zarf\\.ya?ml$" ],
"matchStringsStrategy": "recursive",
"matchStrings": [
// Match the chart section. Test: https://regex101.com/r/1DL0tI/3
"(?m)charts:(.|\\n)*?(^\\s{4}[\\w:]+|\\n$|^\\s{2}-)",
// Match a chart entry. Test: https://regex101.com/r/ibpxYd/1
"(?m)name:(.|\\n)+?(^\\s{4}[\\w\\-:]+|\\n$|^\\s{2}-|^\\s{6}-)",
// Match the parts of a chart entry. Test: https://regex101.com/r/tVVHYS/1
"(?m)name: [\"']?(?<depName>.+?)[\"']?$(.|\\n)*?version: [\"']?(?<currentValue>.+?)[\"']?$(.|\\n)*?url: [\"']?(?<registryUrl>(https|http|file):\\/\\/.+?)[\"']?$"
],
"datasourceTemplate": "helm"
},
// Matches individual helm repo charts in a `zarf.yaml`'s `charts:` section that specify `url` then `version`
{
"fileMatch": [ "(^|/)zarf.yaml$" ],
"matchStringsStrategy": "recursive",
"matchStrings": [
// Match the chart section. Test: https://regex101.com/r/1DL0tI/3
"(?m)charts:(.|\\n)*?(^\\s{4}[\\w:]+|\\n$|^\\s{2}-)",
// Match a chart entry. Test: https://regex101.com/r/ibpxYd/1
"(?m)name:(.|\\n)+?(^\\s{4}[\\w\\-:]+|\\n$|^\\s{2}-|^\\s{6}-)",
// Match the parts of a chart entry. Test: https://regex101.com/r/ehfBW6/1
"(?m)name: [\"']?(?<depName>.+?)[\"']?$(.|\\n)*?url: [\"']?(?<registryUrl>(https|http|file):\\/\\/.+?)[\"']?$(.|\\n)*?version: [\"']?(?<currentValue>.+?)[\"']?$"
],
"datasourceTemplate": "helm"
},
// Matches individual helm git charts in a `zarf.yaml`'s `charts:` section that specify `version` then `url`
{
"fileMatch": [ "(^|/)zarf\\.ya?ml$" ],
"matchStringsStrategy": "recursive",
"matchStrings": [
// Match the chart section. Test: https://regex101.com/r/1DL0tI/3
"(?m)charts:(.|\\n)*?(^\\s{4}[\\w:]+|\\n$|^\\s{2}-)",
// Match a chart entry. Test: https://regex101.com/r/ibpxYd/1
"(?m)name:(.|\\n)+?(^\\s{4}[\\w\\-:]+|\\n$|^\\s{2}-|^\\s{6}-)",
// Match the parts of a chart entry. Test: https://regex101.com/r/PIIH1p/1
"(?m)name:(.|\\n)*?version: [\"']?(?<currentValue>.+?)[\"']?$(.|\\n)*?url: [\"']?(?<depName>.+?\\.git)[\"']?$"
],
"datasourceTemplate": "git-tags",
// Match the version from the tag. Test: https://regex101.com/r/dzQZiE/1
"versioningTemplate": "regex:^v?(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)(-[\\w\\.]+\\.(?<build>\\d+))?"
},
// Matches individual helm git charts in a `zarf.yaml`'s `charts:` section that specify `url` then `version`
{
"fileMatch": [ "(^|/)zarf.yaml$" ],
"matchStringsStrategy": "recursive",
"matchStrings": [
// Match the chart section. Test: https://regex101.com/r/1DL0tI/3
"(?m)charts:(.|\\n)*?(^\\s{4}[\\w:]+|\\n$|^\\s{2}-)",
// Match a chart entry. Test: https://regex101.com/r/ibpxYd/1
"(?m)name:(.|\\n)+?(^\\s{4}[\\w\\-:]+|\\n$|^\\s{2}-|^\\s{6}-)",
// Match the parts of a chart entry. Test: https://regex101.com/r/m71Sn5/1
"(?m)name:(.|\\n)*?url: [\"']?(?<depName>.+?\\.git)[\"']?$(.|\\n)*?version: [\"']?(?<currentValue>.+?)[\"']?$"
],
"datasourceTemplate": "git-tags",
// Match the version from the tag. Test: https://regex101.com/r/dzQZiE/1
"versioningTemplate": "regex:^v?(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)(-[\\w\\.]+\\.(?<build>\\d+))?"
},
// Matches individual helm oci charts in a `zarf.yaml`'s `charts:` section that specify `version` then `url`
{
"fileMatch": [ "(^|/)zarf\\.ya?ml$" ],
"matchStringsStrategy": "recursive",
"matchStrings": [
// Match the chart section. Test: https://regex101.com/r/1DL0tI/3
"(?m)charts:(.|\\n)*?(^\\s{4}[\\w:]+|\\n$|^\\s{2}-)",
// Match a chart entry. Test: https://regex101.com/r/ibpxYd/1
"(?m)name:(.|\\n)+?(^\\s{4}[\\w\\-:]+|\\n$|^\\s{2}-|^\\s{6}-)",
// Match the parts of a chart entry. Test: https://regex101.com/r/gYGkgq/1
"(?m)name:(.|\\n)*?version: [\"']?(?<currentValue>.+?)[\"']?$(.|\\n)*?url: [\"']?oci:\\/\\/(?<depName>.+?)[\"']?$"
],
"datasourceTemplate": "docker"
},
// Matches individual helm oci charts in a `zarf.yaml`'s `charts:` section that specify `url` then `version`
{
"fileMatch": [ "(^|/)zarf.yaml$" ],
"matchStringsStrategy": "recursive",
"matchStrings": [
// Match the chart section. Test: https://regex101.com/r/1DL0tI/3
"(?m)charts:(.|\\n)*?(^\\s{4}[\\w:]+|\\n$|^\\s{2}-)",
// Match a chart entry. Test: https://regex101.com/r/ibpxYd/1
"(?m)name:(.|\\n)+?(^\\s{4}[\\w\\-:]+|\\n$|^\\s{2}-|^\\s{6}-)",
// Match the parts of a chart entry. Test: https://regex101.com/r/VDMzhy/1
"(?m)name:(.|\\n)*?url: [\"']?oci:\\/\\/(?<depName>.+?)[\"']?$(.|\\n)*?version: [\"']?(?<currentValue>.+?)[\"']?$"
],
"datasourceTemplate": "docker"
},
// Matches individual kustomizations in a `zarf.yaml`'s `manifests:` section using a github url with a ref
{
"fileMatch": [ "(^|/)zarf\\.ya?ml$" ],
"matchStringsStrategy": "recursive",
"matchStrings": [
// Match the manifests section. Test: https://regex101.com/r/BCfsGu/1
"(?m)manifests:(.|\\n)*?(^\\s{4}[\\w:]+|\\n$|^\\s{2}-)",
// Match a manifests entry. Test: https://regex101.com/r/UjQa51/1
"(?m)name:(.|\\n)+?(^\\s{4}[\\w\\-:]+|\\n$|^\\s{2}-|^\\s{6}-)",
// Match the parts of a chart entry. Test: https://regex101.com/r/cumJ2Y/1
"(?m)name:(.|\\n)*?kustomizations:(.|\n)*?- [\"']?github.com\\/(?<depName>.+?)\\/\\/.*\\?ref=(?<currentValue>.+?)[\"']?$"
],
"versioningTemplate": "semver-coerced",
"datasourceTemplate": "github-tags"
},
// Matches oci packages in a `uds-bundle.yaml`'s `zarf-packages:` section that specify `repository` then `ref`
{
"fileMatch": [ "(^|/)uds-bundle.yaml$" ],
"matchStringsStrategy": "recursive",
"matchStrings": [
// Match the parts of a chart entry. Test: https://regex101.com/r/IFgEw0/1
"(?m)repository: [\"']?(?<depName>.+?)[\"']?$(.)*(\n.*){0,2}ref: [\"']?(?<currentValue>.+?)[\"']?$"
],
"datasourceTemplate": "docker",
// Match versioning used on UDS packages. Test: https://regex101.com/r/BGkYHX/4
"versioningTemplate": "regex:^v?(?<major>\\d+)(\\.(?<minor>\\d+))?(\\.(?<patch>\\d+))?(-uds\\.(?<build>\\d))?(-(?<compatibility>\\w+)?)?(.*?)?$"
}
]
}

0 comments on commit c37c698

Please sign in to comment.