From d8474b85eec282ab8fef3b48423ec8be6f139c29 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 4 Oct 2024 17:21:48 +0000
Subject: [PATCH 1/4] Add renovate.json

---
 renovate.json | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 renovate.json

diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000000000..5db72dd6a94fc
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}

From d72075759b68d462a0c3f32bc0e6a7c985984f1b Mon Sep 17 00:00:00 2001
From: Julio <gonzalez.julio8959@gmail.com>
Date: Fri, 4 Oct 2024 19:17:13 +0000
Subject: [PATCH 2/4] chore(ci): add renovate for golangci-lint, go and node
 version

---
 .github/dependabot.yml                |  3 +-
 .github/workflows/ci-build.yaml       |  3 ++
 .github/workflows/image.yaml          |  2 +
 .github/workflows/release.yaml        |  2 +
 .github/workflows/update-go.yaml      | 42 --------------------
 .github/workflows/update-node.yaml    | 42 --------------------
 Makefile                              |  8 ----
 hack/installers/install-lint-tools.sh |  5 ++-
 hack/update-go.sh                     | 38 ------------------
 hack/update-node.sh                   | 33 ----------------
 renovate.json                         |  6 ---
 renovate.json5                        | 57 +++++++++++++++++++++++++++
 12 files changed, 69 insertions(+), 172 deletions(-)
 delete mode 100644 .github/workflows/update-go.yaml
 delete mode 100644 .github/workflows/update-node.yaml
 delete mode 100755 hack/update-go.sh
 delete mode 100755 hack/update-node.sh
 delete mode 100644 renovate.json
 create mode 100644 renovate.json5

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 56b7ce0e23f5d..7bb87b76e46f6 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -33,8 +33,7 @@ updates:
       interval: "daily"
     ignore:
       # We use consistent go and node versions across a lot of different files, and updating via dependabot would cause
-      # drift among those files.
-      # Use `make update-go` and `make update-node` to update these versions.
+      # drift among those files, instead we let renovate bot handle them.
       - dependency-name: "library/golang"
       - dependency-name: "library/node"
 
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
index 3ec2a9ea36fb0..19ab1e8e3beeb 100644
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -13,6 +13,7 @@ on:
 
 env:
   # Golang version to use across CI steps
+  # renovate: datasource=golang-version packageName=golang
   GOLANG_VERSION: '1.23.1'
 
 concurrency:
@@ -110,6 +111,7 @@ jobs:
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
         with:
+          # renovate: datasource=gomod packageName=golangci/golangci-lint extractVersion=^v(?<version>.+)$
           version: v1.61.0
           args: --verbose
 
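Review bot: The `# renovate:` annotation added above `version: v1.61.0` strips the leading `v` with `extractVersion=^v(?<version>.+)$`, yet the value it governs keeps the `v`, while the matching annotation in hack/installers/install-lint-tools.sh has no `extractVersion` and a value without `v`; the two look swapped. `packageName=golangci/golangci-lint` also omits the `github.com/` host that Go module paths carry, which the `gomod` datasource would presumably need unless the custom manager in the external preset adds it; that manager is not visible in this patch. I would write `# renovate: datasource=gomod packageName=github.com/golangci/golangci-lint` here and confirm with a dry run that the proposed value keeps the `v` prefix. The job this step belongs to starts outside the hunk.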
@@ -305,6 +307,7 @@ jobs:
       - name: Setup NodeJS
         uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
+          # renovate: datasource=node-version packageName=node
           node-version: '22.8.0'
       - name: Restore node dependency cache
         id: cache-dependencies
diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
index 9f7628a61c04d..e7e9e77b7a7ab 100644
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -52,6 +52,7 @@ jobs:
     uses: ./.github/workflows/image-reuse.yaml
     with:
       # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
+      # renovate: datasource=golang-version packageName=golang
       go-version: 1.23.1
       platforms: ${{ needs.set-vars.outputs.platforms }}
       push: false
@@ -68,6 +69,7 @@ jobs:
       quay_image_name: quay.io/argoproj/argocd:latest
       ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
       # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
+      # renovate: datasource=golang-version packageName=golang
       go-version: 1.23.1
       platforms: ${{ needs.set-vars.outputs.platforms }}
       push: true
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index a127c0d746d22..43aa01735b7f2 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -10,6 +10,7 @@ on:
 permissions: {}
 
 env:
+  # renovate: datasource=golang-version packageName=golang
   GOLANG_VERSION: '1.23.1' # Note: go-version must also be set in job argocd-image.with.go-version
 
 jobs:
@@ -23,6 +24,7 @@ jobs:
     with:
       quay_image_name: quay.io/argoproj/argocd:${{ github.ref_name }}
       # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
+      # renovate: datasource=golang-version packageName=golang
       go-version: 1.23.1
       platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
       push: true
diff --git a/.github/workflows/update-go.yaml b/.github/workflows/update-go.yaml
deleted file mode 100644
index ef4edac0a87d3..0000000000000
--- a/.github/workflows/update-go.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-# Update golang version on a daily basis and open a PR.
-name: Update Go
-on:
-  schedule:
-    - cron: '0 0 * * *'
-
-permissions:
-  contents: read
-
-jobs:
-  update-go:
-    permissions:
-      contents: write
-      pull-requests: write
-    if: github.repository == 'argoproj/argo-cd'
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-    - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
-    - name: Update Go
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-        make update-go
-        
-        # If there are no changes, quit early.
-        if [[ -z $(git status -s) ]]; then
-          echo "No changes detected"
-          exit 0
-        fi
-        
-        pr_branch="update-go-$(echo $RANDOM | md5sum | head -c 20)"
-        git checkout -b "$pr_branch"
-        git config --global user.email 'ci@argoproj.com'
-        git config --global user.name 'CI'
-        git add .
-        git commit -m "[Bot] chore(dep): Update Go" --signoff
-        git push --set-upstream origin "$pr_branch"
-        gh pr create -B master -H "$pr_branch" --title '[Bot] chore(dep): Update Go' --body ''
diff --git a/.github/workflows/update-node.yaml b/.github/workflows/update-node.yaml
deleted file mode 100644
index 3a641b1d5a82c..0000000000000
--- a/.github/workflows/update-node.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-# Update Node version on a daily basis and open a PR.
-name: Update Node
-on:
-  schedule:
-    - cron: '0 0 * * *'
-
-permissions:
-  contents: read
-
-jobs:
-  update-node:
-    permissions:
-      contents: write
-      pull-requests: write
-    if: github.repository == 'argoproj/argo-cd'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
-      - name: Update Node
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          make update-node
-          
-          # If there are no changes, quit early.
-          if [[ -z $(git status -s) ]]; then
-            echo "No changes detected"
-            exit 0
-          fi
-          
-          pr_branch="update-node-$(echo $RANDOM | md5sum | head -c 20)"
-          git checkout -b "$pr_branch"
-          git config --global user.email 'ci@argoproj.com'
-          git config --global user.name 'CI'
-          git add .
-          git commit -m "[Bot] chore(dep): Update Node" --signoff
-          git push --set-upstream origin "$pr_branch"
-          gh pr create -B master -H "$pr_branch" --title '[Bot] chore(dep): Update Node' --body ''
diff --git a/Makefile b/Makefile
index d6c097a87cfe3..d6f8cdf62d5d8 100644
--- a/Makefile
+++ b/Makefile
@@ -631,14 +631,6 @@ snyk-non-container-tests:
 snyk-report:
 	./hack/snyk-report.sh $(target_branch)
 
-.PHONY: update-go
-update-go:
-	./hack/update-go.sh
-
-.PHONY: update-node
-update-node:
-	./hack/update-node.sh
-
 .PHONY: help
 help:
 	@echo 'Note: Generally an item w/ (-local) will run inside docker unless you use the -local variant'
diff --git a/hack/installers/install-lint-tools.sh b/hack/installers/install-lint-tools.sh
index e00ccda637517..639c432b684a4 100755
--- a/hack/installers/install-lint-tools.sh
+++ b/hack/installers/install-lint-tools.sh
@@ -1,4 +1,7 @@
 #!/bin/bash
 set -eux -o pipefail
 
-GO111MODULE=on go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.61.0
+# renovate: datasource=gomod packageName=golangci/golangci-lint
+GOLANGCI_LINT_VERSION=1.61.0
+
+GO111MODULE=on go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}"
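Review bot: `GOLANGCI_LINT_VERSION=1.61.0` drops the `v` that the replaced line had in `@v1.61.0`, so `go install` now receives `@1.61.0`, which Go treats as a revision name rather than a semantic version and will most likely fail to resolve. Either keep the prefix in the variable or add it at the use site, `GO111MODULE=on go install "github.com/golangci/golangci-lint/cmd/golangci-lint@v${GOLANGCI_LINT_VERSION}"`. Because the script runs under `set -eux -o pipefail`, a failed resolution would abort the lint-tool installation, so the break would be visible in CI rather than silent.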
diff --git a/hack/update-go.sh b/hack/update-go.sh
deleted file mode 100755
index 08ea85d7d2f2c..0000000000000
--- a/hack/update-go.sh
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/usr/bin/env bash
-
-# This script is used to update the Go version in the project.
-# We use this because Dependabot doesn't support updating the Go version in all the places we use Go.
-
-set -e
-
-echo "Getting latest Go version..."
-
-# Get the current stable Go version. This assumes the JSON is sorted newest-to-oldest.
-GO_VERSION=$(curl -s https://go.dev/dl/?mode=json | jq 'map(select(.stable == true))[0].version' -r)
-
-# Make sure the version number is semver.
-if [[ ! "$GO_VERSION" =~ ^go[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-  echo "Failed to get the latest Go version."
-  exit 1
-fi
-
-# Remove the 'go' prefix from the version number.
-GO_VERSION=${GO_VERSION#go}
-
-# Get the digest of the Go image.
-DIGEST=$(crane digest "docker.io/library/golang:$GO_VERSION")
-
-echo "Updating to Go version $GO_VERSION with digest $DIGEST..."
-
-# Replace the Go image in the Dockerfile.
-sed -r -i.bak "s/docker\.io\/library\/golang:[0-9.]+@sha256:[0-9a-f]+/docker.io\/library\/golang:$GO_VERSION@$DIGEST/" Dockerfile test/container/Dockerfile test/remote/Dockerfile
-rm Dockerfile.bak test/container/Dockerfile.bak test/remote/Dockerfile.bak
-
-# Update the go version in ci-build.yaml, image.yaml, and release.yaml.
-sed -r -i.bak "s/go-version: [0-9.]+/go-version: $GO_VERSION/" .github/workflows/ci-build.yaml .github/workflows/image.yaml .github/workflows/release.yaml
-rm .github/workflows/ci-build.yaml.bak .github/workflows/image.yaml.bak .github/workflows/release.yaml.bak
-
-# Repeat for env var instead of go-version.
-sed -r -i.bak "s/GOLANG_VERSION: '[0-9.]+'/GOLANG_VERSION: '$GO_VERSION'/" .github/workflows/ci-build.yaml .github/workflows/image.yaml .github/workflows/release.yaml
-rm .github/workflows/ci-build.yaml.bak .github/workflows/image.yaml.bak .github/workflows/release.yaml.bak
-
diff --git a/hack/update-node.sh b/hack/update-node.sh
deleted file mode 100755
index 42cfffad84fba..0000000000000
--- a/hack/update-node.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/env bash
-
-# This script is used to update the node version in the project.
-# We use this because Dependabot doesn't support updating the Node version in all the places we use Node.
-
-set -e
-
-echo "Getting latest Node version..."
-
-# Get the current LTS node version. This assumes the JSON is sorted newest-to-oldest.
-NODE_VERSION=$(curl -s https://nodejs.org/download/release/index.json | jq '.[0].version' -r)
-
-# Make sure the version number is semver with a preceding 'v'.
-if [[ ! "$NODE_VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-  echo "Failed to get the latest Node version."
-  exit 1
-fi
-
-# Strip the preceding 'v' from the version number.
-NODE_VERSION=${NODE_VERSION#v}
-
-# Get the manifest SHA of the library/node image.
-DIGEST=$(crane digest "docker.io/library/node:$NODE_VERSION")
-
-echo "Updating to Node version $NODE_VERSION with digest $DIGEST..."
-
-# Replace the node image in the Dockerfiles.
-sed -r -i.bak "s/docker\.io\/library\/node:[0-9.]+@sha256:[0-9a-f]+/docker.io\/library\/node:$NODE_VERSION@$DIGEST/" Dockerfile ui-test/Dockerfile test/container/Dockerfile
-rm Dockerfile.bak ui-test/Dockerfile.bak test/container/Dockerfile.bak
-
-# Replace node version in ci-build.yaml.
-sed -r -i.bak "s/node-version: '[0-9.]+'/node-version: '$NODE_VERSION'/" .github/workflows/ci-build.yaml
-rm .github/workflows/ci-build.yaml.bak
diff --git a/renovate.json b/renovate.json
deleted file mode 100644
index 5db72dd6a94fc..0000000000000
--- a/renovate.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:recommended"
-  ]
-}
diff --git a/renovate.json5 b/renovate.json5
new file mode 100644
index 0000000000000..3ff7612cac9df
--- /dev/null
+++ b/renovate.json5
@@ -0,0 +1,57 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "dependencyDashboard": false,
+  "dependencyDashboardApproval": false, // set to true to ask an approval before creating a PR.
+  "dependencyDashboardOSVVulnerabilitySummary": "all",
+  "osvVulnerabilityAlerts": true,
+  "reviewersFromCodeOwners": true,
+  // "timezone": "Europe/Paris", // used by features like scheduling...
+  "extends": [
+    // "schedule:nonOfficeHours", // https://docs.renovatebot.com/presets-schedule/#schedulenonofficehours
+    "config:best-practices",
+    "security:openssf-scorecard",
+    "mergeConfidence:all-badges",
+    "regexManagers:dockerfileVersions", // https://docs.renovatebot.com/presets-customManagers/#custommanagersdockerfileversions
+    // TODO change shared presets with a repo like `argoproj/renovate-presets`
+    "github>ggjulio/renovate-presets//fix/openssf-merge-confidence-columns.json5",
+    "github>ggjulio/renovate-presets//custom-managers/shell.json5",
+    "github>ggjulio/renovate-presets//custom-managers/yaml.json5",
+  ],
+  "packageRules": [
+    // Prefer presets over creating rules in that file as it we become hard to read.
+    {
+      "description": "Disable all updates to avoid conflicts with dependabot, then enable what we want",
+      "matchPackageNames": [
+        "*"
+      ],
+      "enabled": false
+    },
+    {
+      "description": "Add label dependencies to all PRs",
+      "matchPackageNames": ["*"],
+      "labels": ["dependencies"]
+    },
+    {
+      "description": "Enable golang-version",
+      "matchDatasources": ["golang-version"],
+      "addLabels": ["go"],
+      "enabled": true
+    },
+    {
+      "description": "Enable node-version",
+      "matchDatasources": ["node-version"],
+      "addLabels": ["javascript"],
+      "enabled": true
+    },
+    {
+      "description": "Reduce noise by automerging pkgs that are safe to merge, TBD",
+      // Just an example, multiple match fields can be used to reduce the scope of this rule (matchFileNames, matchManagers, matchPackageNames...)
+      "matchUpdateTypes": [
+        "patch",
+        "pin",
+        "digest"
+      ],
+      "automerge": false // change to true ?
+    }
+  ]
+}
\ No newline at end of file
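Review bot: The three `github>ggjulio/renovate-presets//…` entries in `extends` load Renovate configuration from a personal repository with no ref pinned, so any later change there alters which files Renovate rewrites in this repository without a review here. Until the TODO about moving them to a shared project repository is done, pin each one, e.g. `"github>ggjulio/renovate-presets//custom-managers/shell.json5#<RELEASE_TAG>"` (placeholder tag), or inline the custom managers in this file. Separately, after the `"*"` rule disables everything, only the `golang-version` and `node-version` datasources are re-enabled, so the `datasource=gomod` annotations added for golangci-lint appear to stay disabled. The `golang`/`node` image digests that the deleted hack/update-go.sh and hack/update-node.sh refreshed in the Dockerfiles also no longer seem to have an updater, given that dependabot still ignores `library/golang` and `library/node`.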

From 1d8c30a07720aa45d132b4a43dfcb9306ec0fa43 Mon Sep 17 00:00:00 2001
From: Julio <gonzalez.julio8959@gmail.com>
Date: Fri, 4 Oct 2024 19:19:30 +0000
Subject: [PATCH 3/4] set basebranch to current branch

---
 renovate.json5 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/renovate.json5 b/renovate.json5
index 3ff7612cac9df..c37113fe75cf8 100644
--- a/renovate.json5
+++ b/renovate.json5
@@ -1,5 +1,6 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "baseBranches": [ "dev"], // just to test without poluting my fork
   "dependencyDashboard": false,
   "dependencyDashboardApproval": false, // set to true to ask an approval before creating a PR.
   "dependencyDashboardOSVVulnerabilitySummary": "all",

From e47297e517dcb6e2f77ef427afd3c065bf6b6682 Mon Sep 17 00:00:00 2001
From: Julio <gonzalez.julio8959@gmail.com>
Date: Fri, 4 Oct 2024 19:19:48 +0000
Subject: [PATCH 4/4] try lint tools

---
 .github/workflows/ci-build.yaml       | 2 +-
 hack/installers/install-lint-tools.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
index 19ab1e8e3beeb..7a54f6b308dbe 100644
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -112,7 +112,7 @@ jobs:
         uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
         with:
           # renovate: datasource=gomod packageName=golangci/golangci-lint extractVersion=^v(?<version>.+)$
-          version: v1.61.0
+          version: v1.60.0
           args: --verbose
 
   test-go:
diff --git a/hack/installers/install-lint-tools.sh b/hack/installers/install-lint-tools.sh
index 639c432b684a4..1a78fcec61825 100755
--- a/hack/installers/install-lint-tools.sh
+++ b/hack/installers/install-lint-tools.sh
@@ -2,6 +2,6 @@
 set -eux -o pipefail
 
 # renovate: datasource=gomod packageName=golangci/golangci-lint
-GOLANGCI_LINT_VERSION=1.61.0
+GOLANGCI_LINT_VERSION=1.60.0
 
 GO111MODULE=on go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}"