chore: Configure Renovate (#36)

.github/renovate.json

@@ -0,0 +1,77 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "dependencyDashboard": true,
+    "extends": [
+        "config:best-practices"
+    ],
+    "ignoreDeps": [
+        "tektronix/python-package-ci-cd"
+    ],
+    "ignorePaths": [
+        "**/requirements.txt"
+    ],
+    "packageRules": [
+        {
+            "addLabels": [
+                "docker",
+                "dependencies"
+            ],
+            "additionalBranchPrefix": "docker-deps/",
+            "description": "Add docker and dependencies labels to Docker dependency updates",
+            "matchManagers": [
+                "dockerfile"
+            ],
+            "semanticCommitScope": "docker-deps"
+        },
+        {
+            "addLabels": [
+                "gh-actions",
+                "dependencies"
+            ],
+            "additionalBranchPrefix": "gh-actions-deps/",
+            "description": "Add gh-actions and dependencies labels to GitHub Action dependency updates",
+            "matchManagers": [
+                "github-actions"
+            ],
+            "semanticCommitScope": "gh-actions-deps"
+        },
+        {
+            "addLabels": [
+                "python",
+                "dependencies"
+            ],
+            "additionalBranchPrefix": "python-deps/",
+            "description": "Add python and dependencies labels to Python dependency updates",
+            "matchManagers": [
+                "poetry",
+                "pip_requirements"
+            ],
+            "semanticCommitScope": "python-deps"
+        },
+        {
+            "description": "Group together all python-semantic-release dependencies",
+            "groupName": "python-semantic-release dependencies",
+            "matchPackagePatterns": [
+                "^python-semantic-release*"
+            ]
+        },
+        {
+            "commitMessageSuffix": " for the {{depTypes}} group(s)",
+            "description": "Add commit suffix for the dependency group in pyproject.toml",
+            "matchDepTypes": [
+                "*"
+            ],
+            "matchFileNames": [
+                "pyproject.toml"
+            ],
+            "matchManagers": [
+                "poetry"
+            ],
+            "matchPackageNames": [
+                "*"
+            ]
+        }
+    ],
+    "platformCommit": "enabled",
+    "prHourlyLimit": 5
+}

.github/workflows/_reusable-enforce-community-standards.yml

@@ -18,7 +18,7 @@ jobs:
           - .github/ISSUE_TEMPLATE/bug_report.@(yml|yaml)
           - .github/ISSUE_TEMPLATE/feature_request.@(yml|yaml)
           - .github/PULL_REQUEST_TEMPLATE.md
-          - .github/dependabot.@(yml|yaml)
+          - .github/@(dependabot.@(yml|yaml)|renovate.json)
           - .github/workflows/codeql-analysis.@(yml|yaml)
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7

.github/workflows/_reusable-sbom-scan.yml

@@ -24,7 +24,7 @@ jobs:
         with:
           format: spdx-json
           output-file: ${{ github.event.repository.name }}-sbom.spdx.json
-      - uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1
+      - uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1  # v1.4.2
         if: ${{ !(github.event.pull_request.head.repo.fork || github.event.workflow_call.pull_request.head.repo.fork) && github.actor != 'dependabot[bot]' }}
         with:
           subject-path: ${{ github.event.repository.name }}-sbom.spdx.json

.github/workflows/_reusable-test-docs.yml

@@ -44,12 +44,11 @@ jobs:
         run: python -m pip install tox
       - name: Test
         run: tox -ve ${{ matrix.tox-env }}
-      - uses: thedoctor0/zip-release@b57d897cb5d60cb78b51a507f63fa184cfe35554  # v0.7.6
+      - uses: vimtor/action-zip@1379ea20d4c5705669ba81fd626dd01b1c738f26  # v1.2
         if: ${{ !cancelled() }}
         with:
-          type: zip
-          filename: ${{ matrix.tox-env }}_results.zip
-          path: .results_${{ matrix.tox-env }}/
+          dest: ${{ matrix.tox-env }}_results.zip
+          files: .results_${{ matrix.tox-env }}/
       - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874  # v4.4.0
         if: ${{ !cancelled() }}
         with:

.github/workflows/_reusable-update-python-and-pre-commit-dependencies.yml

@@ -62,7 +62,6 @@ jobs:
   update-python-and-pre-commit-deps:
     name: Update python linters and pre-commit dependencies
     runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' && contains(github.head_ref, '/pip/') }}
     permissions:
       contents: write
     steps:
@@ -102,7 +101,7 @@ jobs:
           export-dependency-groups: ${{ inputs.export-dependency-groups }}
       - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842  # v5.0.1
         with:
-          commit_message: 'chore: Update python linters and pre-commit dependencies.'
+          commit_message: 'chore: Update dependencies.'
           commit_user_name: ${{ inputs.commit-user-name }}
           commit_user_email: ${{ inputs.commit-user-email }}
           commit_author: ${{ inputs.commit-user-name }} <${{ inputs.commit-user-email }}>

.github/workflows/codeql-analysis.yml

@@ -3,6 +3,7 @@ name: CodeQL
 on:
   push:
     branches: [main]
+  merge_group:
   pull_request:
     branches: [main]
   schedule:

.github/workflows/dependency-review.yml

@@ -1,6 +1,7 @@
 ---
 name: Pull Request Dependency Review
 on:
+  merge_group:
   pull_request:
     branches: [main]
 permissions:
@@ -11,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
-      - uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c
+      - uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c  # v4.3.4
         with:
           fail-on-severity: low
           comment-summary-in-pr: on-failure

.github/workflows/enforce-community-standards.yml

@@ -3,6 +3,7 @@ name: Enforce Open Source Community Standards
 on:
   push:
     branches: [main]
+  merge_group:
   pull_request:
     branches: [main]
 jobs:

.github/workflows/sbom-scan.yml

@@ -3,6 +3,7 @@ name: Create & Scan SBOM
 on:
   push:
     branches: [main]
+  merge_group:
   pull_request:
     branches: [main]
   release:

.github/workflows/test-actions.yml

@@ -3,6 +3,7 @@ name: Test repository Actions
 on:
   push:
     branches: [main]
+  merge_group:
   pull_request:
     branches: [main]
 # Cancel running jobs for the same workflow and branch.
@@ -52,7 +53,7 @@ jobs:
           previous-changelog-filepath: python_semantic_release_templates/.testing_previous_changelog_for_template.md
           previous-release-notes-filepath: python_semantic_release_templates/.testing_previous_release_notes_for_template.md
       - name: Get Job Summary
-        uses: austenstone/job-summary@67b7e1f68ee55e44d073ab7354e7b580cd09567c
+        uses: austenstone/job-summary@67b7e1f68ee55e44d073ab7354e7b580cd09567c  # v2.0
         id: job-summary
         with:
           name: temp_job_summary
@@ -124,8 +125,10 @@ jobs:
           update-pre-commit: true
           run-pre-commit: true
           dependency-dict: '{"dev": ["pyright"]}'
-          pre-commit-hook-skip-list: remove-tabs,forbid-tabs,check-readthedocs,check-dependabot,check-github-actions,check-github-workflows,commitizen,blacken-docs,yamlfix,hadolint,mdformat,markdown-link-check,check-poetry,toml-sort-fix,pyright,poetry-audit,ruff,ruff-format,docformatter
-          export-dependency-groups: udd:actions/update_development_dependencies,cutv:actions/create_unique_testpypi_version,fci:actions/find_unreleased_changelog_items,tests
+          pre-commit-hook-skip-list: remove-tabs,forbid-tabs,check-readthedocs,check-dependabot,check-github-actions,check-github-workflows,commitizen,blacken-docs,yamlfix,hadolint,mdformat,markdown-link-check,check-poetry,toml-sort-fix,pyright,poetry-audit,ruff,ruff-format,docformatter,renovate-config-validator
+          export-dependency-groups: |
+            update_development_dependencies:actions/update_development_dependencies,
+            tests
   test-fetch_pr_number:
     runs-on: ubuntu-latest
     steps:

.github/workflows/test-code.yml

@@ -3,6 +3,7 @@ name: Test code
 on:
   push:
     branches: [main]
+  merge_group:
   pull_request:
     branches: [main]
 # Cancel running jobs for the same workflow and branch.

.github/workflows/test-docs.yml

@@ -3,6 +3,7 @@ name: Test docs
 on:
   push:
     branches: [main]
+  merge_group:
   pull_request:
     branches: [main]
 concurrency:

.github/workflows/update-python-dependencies.yml

@@ -0,0 +1,54 @@
+---
+name: Update python dependencies
+on:
+  merge_group:
+  pull_request:
+    branches: [main]
+jobs:
+  determine-dependency-groups:
+    if: ${{ github.actor == 'renovate[bot]' && contains(github.head_ref, '/python-deps/') }}
+    runs-on: ubuntu-latest
+    outputs:
+      export-groups: ${{ steps.set-output.outputs.export-groups }}
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+      - name: Get commit message
+        id: get-commit-message
+        run: |
+          commit_message="$(git log -1 --pretty=%B)"
+          echo "commit-message=$commit_message" >> "$GITHUB_OUTPUT"
+      - name: Determine the groups that will need to be exported
+        id: set-output
+        run: |
+          commit_message="${{ steps.get-commit-message.outputs.commit-message }}"
+          export_groups=""
+          if [[ "$commit_message" == *"update_development_dependencies"* ]]; then
+            export_groups+="update_development_dependencies:actions/update_development_dependencies,"
+          fi
+          if [[ "$commit_message" == *"create_unique_testpypi_version"* ]]; then
+            export_groups+="create_unique_testpypi_version:actions/create_unique_testpypi_version,"
+          fi
+          if [[ "$commit_message" == *"find_unreleased_changelog_items"* ]]; then
+            export_groups+="find_unreleased_changelog_items:actions/find_unreleased_changelog_items,"
+          fi
+          if [[ "$commit_message" == *"tests"* ]]; then
+            export_groups+="tests,"
+          fi
+          if [[ "$commit_message" == *"docs"* ]]; then
+            export_groups+="docs:doc_config,"
+          fi
+          echo "export-groups=$export_groups" >> "$GITHUB_OUTPUT"
+  update-python-and-pre-commit-deps:
+    if: ${{ github.actor == 'renovate[bot]' && contains(github.head_ref, '/python-deps/') }}
+    needs: determine-dependency-groups
+    uses: ./.github/workflows/_reusable-update-python-and-pre-commit-dependencies.yml
+    with:
+      commit-user-name: ${{ vars.TEK_OPENSOURCE_NAME }}
+      commit-user-email: ${{ vars.TEK_OPENSOURCE_EMAIL }}
+      export-dependency-groups: ${{ needs.determine-dependency-groups.outputs.export-groups }}
+    permissions:
+      contents: write
+    secrets:
+      checkout-token: ${{ secrets.TEK_OPENSOURCE_TOKEN }}
+      gpg-signing-key-private: ${{ secrets.TEK_OPENSOURCE_GPG_SIGNING_KEY_PRIVATE }}
+      gpg-signing-key-passphrase: ${{ secrets.TEK_OPENSOURCE_GPG_SIGNING_KEY_PASSPHRASE }}

.pre-commit-config.yaml

@@ -3,7 +3,7 @@ default_install_hook_types: [pre-commit, commit-msg]
 default_stages: [pre-commit]
 ci:
   autofix_prs: false
-  autoupdate_schedule: quarterly
+  autoupdate_schedule: weekly
   skip: [check-poetry, pyright, poetry-audit, markdown-link-check]
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
@@ -32,6 +32,10 @@ repos:
     hooks:
       - id: remove-tabs
       - id: forbid-tabs
+  - repo: https://github.com/renovatebot/pre-commit-hooks
+    rev: 5b7fd349cf98e23c7d57839c7883f378d994d831  # frozen: 38.64.2
+    hooks:
+      - id: renovate-config-validator
   - repo: https://github.com/python-jsonschema/check-jsonschema
     rev: 5c70e3d884fdbe99af42f2714a444e39f321498d  # frozen: 0.29.2
     hooks:
@@ -118,7 +122,7 @@ repos:
         always_run: true
         args: [audit, --json, --ignore-code=CVE-2019-8341]
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: 24d039e647a08707e6cb31e75e01844eeff925e7  # frozen: v0.6.2
+    rev: f1ebc5730d98440041cc43e4d69829ad598ae1e7  # frozen: v0.6.3
     hooks:
       - id: ruff
         args: [--fix, --exit-non-zero-on-fix]

CHANGELOG.md

@@ -18,6 +18,15 @@ Valid subsections within a version are:
 
 Things to be included in the next release go here.
 
+### Added
+
+- Added the ability for the `update_development_dependencies` action to accept a comma-separated, multiline string
+
+### Changed
+
+- Changed the `_reusable-update-python-and-pre-commit-dependencies.yml` workflow to no longer only work on PRs from Dependabot, users will now need to apply any conditional login in the calling workflow.
+- Updated the `_reusable-update-python-and-pre-commit-dependencies.yml` workflow to allow using [`renovate`](https://docs.renovatebot.com/) instead of Dependabot to update dependencies.
+
 ---
 
 ## v1.2.0 (2024-08-30)

actions/create_unique_testpypi_version/requirements.txt

@@ -9,7 +9,7 @@ packaging==24.1 ; python_version >= "3.12" and python_version < "3.13"
 poetry-core==1.9.0 ; python_version >= "3.12" and python_version < "3.13"
 pydantic==2.8.2 ; python_version >= "3.12" and python_version < "3.13"
 pydantic-core==2.20.1 ; python_version >= "3.12" and python_version < "3.13"
-pypi-simple==1.6.0 ; python_version >= "3.12" and python_version < "3.13"
+pypi-simple==1.5.0 ; python_version >= "3.12" and python_version < "3.13"
 requests==2.32.3 ; python_version >= "3.12" and python_version < "3.13"
 soupsieve==2.6 ; python_version >= "3.12" and python_version < "3.13"
 tomli==2.0.1 ; python_version >= "3.12" and python_version < "3.13"

actions/update_development_dependencies/main.py

@@ -192,7 +192,7 @@ def main() -> None:
     repo_root = os.environ["INPUT_REPO-ROOT"]
     dependency_dict = convert_dict_input(os.environ["INPUT_DEPENDENCY-DICT"])
     export_dependency_groups = [
-        x for x in os.environ["INPUT_EXPORT-DEPENDENCY-GROUPS"].split(",") if x
+        x.strip() for x in os.environ["INPUT_EXPORT-DEPENDENCY-GROUPS"].split(",") if x
     ]
     pre_commit_hook_skip_list = os.environ["INPUT_PRE-COMMIT-HOOK-SKIP-LIST"]
     install_dependencies = os.environ["INPUT_INSTALL-DEPENDENCIES"].lower() in _ENV_VAR_TRUE_VALUES

actions/update_development_dependencies/requirements.txt

@@ -40,7 +40,7 @@ ptyprocess==0.7.0 ; python_version >= "3.12" and python_version < "3.13"
 pycparser==2.22 ; python_version >= "3.12" and python_version < "3.13" and (sys_platform == "darwin" or sys_platform == "linux") and (sys_platform == "darwin" or platform_python_implementation != "PyPy")
 pydantic==2.8.2 ; python_version >= "3.12" and python_version < "3.13"
 pydantic-core==2.20.1 ; python_version >= "3.12" and python_version < "3.13"
-pypi-simple==1.6.0 ; python_version >= "3.12" and python_version < "3.13"
+pypi-simple==1.5.0 ; python_version >= "3.12" and python_version < "3.13"
 pyproject-hooks==1.1.0 ; python_version >= "3.12" and python_version < "3.13"
 pywin32-ctypes==0.2.3 ; python_version >= "3.12" and python_version < "3.13" and sys_platform == "win32"
 pyyaml==6.0.2 ; python_version >= "3.12" and python_version < "3.13"