
ROSA-745: MintMaker gomod batch + automerge via boilerplate renovate #748

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:master from MitaliBhalla:draft/rosa-745-gomod-batch-monday
Jun 9, 2026


@MitaliBhalla

@MitaliBhalla MitaliBhalla commented May 29, 2026

Contributor

Summary

Re-introduces ROSA-745 MintMaker gomod batching + tide automerge via shared boilerplate config, after revert #747.

  • Enable gomod in .github/renovate.json with grouped minor/patch updates and production UTC schedule (02:00–04:59, Mon–Fri).
  • Pre-apply lgtm / approved on patch/minor/digest gomod + Tekton rules so tide automerges when required checks pass.
  • Major gomod/Tekton updates: MintMaker opens PRs with major-update / manual-review-required / ok-to-test; no lgtm/approved, no automerge (manual /lgtm after CI).
  • Dependabot docker template: lgtm / approved + ok-to-test + area/dependency; weekly Mon 03:00 UTC (aligned with MintMaker batch window).

Who opens what

| Ecosystem | Bot | Safe updates (automerge after CI) | Major / manual |
|---|---|---|---|
| Go modules | MintMaker (Renovate) | Grouped batch, Mon–Fri 02:00–04:59 UTC | PR opened; manual /lgtm |
| Tekton | MintMaker (Renovate) | Same UTC window | Major: manual /lgtm |
| Docker /build | Dependabot | Weekly Mon 03:00 UTC + pre-labels | N/A (digest/tag bumps) |

Do not add gomod to Dependabot where MintMaker runs — avoids duplicate PRs. Gomod majors are MintMaker’s job (e.g. module line v4→v5).

Lessons from #741 / #746 rollback (#747)

| Issue (why we reverted) | Fix in this PR |
|---|---|
| #746 used a narrow Thu 06:00 UTC pilot window | Mon–Fri 02:00–04:59 UTC production window from day one |
| #741 had no groupName → stream of individual gomod PRs | "groupName": "gomod dependencies" (patch/minor only) |
| Missing timezone / updateNotScheduled | "timezone": "UTC", "updateNotScheduled": false |
| Automerge without clear CI gate expectation | Rule descriptions note merge requires Prow + Konflux via branch protection (DPP ticket) |
| Push for per-repo GHA auto-merge workflows | Out of scope — tide + labels only (per platform review) |

Out of scope

  • Per-operator GitHub Action auto-merge workflows.
  • dependency-pr-automerge.yml or boilerplate update-script workflow install.
  • Dependabot gomod (MintMaker covers gomod including majors).

Prerequisites before fleet impact

  • DPP applies required ci/prow/* + primary Konflux *-on-pull-request per repo (see ROSA-745 DPP handoff).
  • Operators run boilerplate-update to pick up dependabot.yml label + schedule changes.

Test plan (after merge)

  • One grouped patch/minor gomod PR automerges after required Prow + Konflux green.
  • A major MintMaker PR appears with major-update labels and does not merge without human /lgtm.
  • Dependabot docker PR opens with lgtm/approved and automerges after required CI green.

Related

Summary by CodeRabbit

  • Chores
    • Configured automated dependency updates for Go modules and Tekton with scheduled maintenance windows (Mon–Fri 02:00–04:59 UTC).
    • Enabled auto-merge for grouped minor/patch updates and disabled auto-merge for major updates, which now require manual review.
    • Applied review and area labels to updates for clearer triage.
    • Set repository timezone to UTC and enforced scheduled-only update behavior.
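
An added example (not part of the PR or of the boilerplate repository): a small Python check for the invariant the description above relies on, namely that only non-major rules carry automerge or the lgtm/approved labels. The sample config is constructed from the description, and the function names `iter_rules` and `audit` are hypothetical.

```python
import json

# Labels Prow's tide treats as review sign-off (named in the PR description).
SIGNOFF_LABELS = {"lgtm", "approved"}

# Constructed sample that follows the PR description; not the merged renovate.json.
SAMPLE_CONFIG = json.loads("""
{
  "enabledManagers": ["tekton", "gomod"],
  "timezone": "UTC",
  "updateNotScheduled": false,
  "packageRules": [
    {
      "matchManagers": ["gomod"],
      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
      "groupName": "gomod dependencies",
      "automerge": true,
      "addLabels": ["lgtm", "approved"],
      "schedule": ["* 2-4 * * 1-5"]
    },
    {
      "matchManagers": ["gomod"],
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "addLabels": ["major-update", "manual-review-required", "ok-to-test"],
      "schedule": ["* 2-4 * * 1-5"]
    }
  ]
}
""")


def iter_rules(config):
    """Yield (location, rule) for top-level and per-manager packageRules."""
    for i, rule in enumerate(config.get("packageRules", [])):
        yield f"packageRules[{i}]", rule
    for key, value in config.items():
        if isinstance(value, dict):
            for i, rule in enumerate(value.get("packageRules", [])):
                yield f"{key}.packageRules[{i}]", rule


def audit(config):
    """Return findings for rules that pre-approve or automerge too broadly."""
    findings = []
    if not config.get("timezone"):
        findings.append("timezone is not set explicitly")
    for where, rule in iter_rules(config):
        labels = set(rule.get("labels", [])) | set(rule.get("addLabels", []))
        signoff = sorted(labels & SIGNOFF_LABELS)
        if not (rule.get("automerge") or signoff):
            continue  # rule neither automerges nor pre-approves
        types = rule.get("matchUpdateTypes")
        if not types:
            findings.append(f"{where}: pre-approval covers every update type")
        elif "major" in types:
            findings.append(f"{where}: major updates are pre-approved or automerged")
        if not rule.get("schedule"):
            findings.append(f"{where}: pre-approved rule has no schedule")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "no findings")
```

The check only covers the Renovate side; whether the required Prow and Konflux checks actually gate the merge is a branch-protection setting that this file cannot show.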

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 29, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 29, 2026
@openshift-ci-robot

openshift-ci-robot commented May 29, 2026


@MitaliBhalla: This pull request references ROSA-745 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the initiative to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

Re-introduces ROSA-745 MintMaker gomod batching + tide automerge via shared boilerplate config, after revert #747.

  • Enable gomod in .github/renovate.json with grouped minor/patch updates and production UTC schedule (02:00–04:59, Mon–Fri).
  • Pre-apply lgtm / approved on gomod + Tekton rules so Prow/tide merges when required checks pass (not a new GHA workflow).
  • Add lgtm / approved to golang-osd-operator Dependabot docker /build template.

Lessons from #741 / #746 rollback (#747)

| Issue (why we reverted) | Fix in this PR |
|---|---|
| #746 used a narrow Thu 06:00 UTC pilot window | Mon–Fri 02:00–04:59 UTC production window from day one |
| #741 had no groupName → stream of individual gomod PRs | "groupName": "gomod dependencies" |
| Missing timezone / updateNotScheduled | "timezone": "UTC", "updateNotScheduled": false |
| Automerge without clear CI gate expectation | Rule descriptions note merge requires Prow + Konflux via branch protection (DPP ticket) |
| Push for per-repo GHA auto-merge workflows | Out of scope — tide + labels only (per platform review) |
| Optional Konflux checks (EC, pr-group, e2e, pko) blocking operators | Documented in DPP: require only *-on-pull-request + ci/prow/*; operators must remove extra required checks if already set |

Out of scope

  • Per-operator GitHub Action auto-merge workflows.
  • dependency-pr-automerge.yml or boilerplate update-script workflow install.

Prerequisites before fleet impact

  • DPP applies required ci/prow/* + primary Konflux *-on-pull-request per repo (see ROSA-745 DPP handoff).
  • Operators run boilerplate-update to pick up dependabot.yml label changes.

Test plan (after merge)

  • Validate on one Phase 1 operator with extends boilerplate renovate (e.g. aws-account-operator).
  • Expect one grouped gomod PR per cycle in the UTC window (not many individual PRs).
  • gh pr checks <pr> --state all — merge only when required Prow + Konflux are green; neutral optional Konflux checks must not be required in branch protection.
  • Confirm tide merges with lgtm + approved after required checks pass.

Related

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented May 29, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Renovate config: adds gomod manager, updates tekton packageRules (adds schedule and automergeSchedule, and a new major-update rule), adds gomod packageRules for automerge and major updates, and sets timezone: UTC and updateNotScheduled: false.

Changes

Renovate Automation Rules

| Layer / File(s) | Summary |
|---|---|
| Enable gomod manager & top-level flags (.github/renovate.json) | enabledManagers now includes gomod; top-level timezone set to UTC and updateNotScheduled: false. |
| Tekton packageRules adjustments (.github/renovate.json) | tekton patch/minor packageRules description updated and schedule/automergeSchedule added (Mon–Fri 02:00–04:59 UTC); new tekton major-update rule added that disables automerge, uses the same schedule, and applies major-update/manual-review-required/area/dependency/ok-to-test labels. |
| Enable and configure gomod manager (.github/renovate.json) | Adds a gomod manager with two packageRules: one grouping minor/patch/pin/digest updates under gomod dependencies with automerge and lgtm/approved labels (Mon–Fri 02:00–04:59 UTC), and one for major updates that disables automerge, applies the same schedule, and sets major-update/manual-review-required/area/dependency/ok-to-test labels. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • openshift/boilerplate#747: Modifies .github/renovate.json's Renovate automerge configuration and gomod/tekton manager rules.
  • openshift/boilerplate#746: Adjusts gomod manager configuration, grouping and schedule/automerge settings overlapping this change.

Suggested labels

approved, lgtm

Suggested reviewers

  • rafael-azevedo
  • smarthall
🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title directly references the specific change: enabling gomod batching and automerge via renovate configuration, which matches the primary objective of the PR. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | No Ginkgo test definitions found in modified files. suite_test.go contains only setup/teardown hooks with no test names, making the check inapplicable. |
| Test Structure And Quality | ✅ Passed | PR contains only configuration file changes (.github/renovate.json); no Ginkgo test code is present, so the test structure quality check is not applicable. |
| Microshift Test Compatibility | ✅ Passed | This PR modifies .github/renovate.json and boilerplate files only. No new Ginkgo e2e tests are added, so the MicroShift compatibility check does not apply. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR only modifies .github/renovate.json (a configuration file for dependency updates). No Ginkgo e2e tests are being added, so the SNO test compatibility check does not apply. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR modifies .github/renovate.json and adds boilerplate templates. No deployment manifests or controllers with topology-unsafe scheduling constraints are introduced. |
| Ote Binary Stdout Contract | ✅ Passed | PR modifies renovate.json and adds test fixture files in test/projects/. These are dummy boilerplate projects, not OTE binaries. Go code properly configures logging without stdout contract violations. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added in this PR. Custom check applies only to Ginkgo test additions (It, Describe, Context, When declarations), not to configuration or fixture files. |
| No-Weak-Crypto | ✅ Passed | PR only modifies .github/renovate.json, a JSON config file with no code, crypto operations, or cryptographic patterns. No MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB usage or weak crypto found. |
| Container-Privileges | ✅ Passed | PR introduces no privileged container flags, hostPID/Network/IPC, SYS_ADMIN capabilities, or unsafe allowPrivilegeEscalation settings. Security contexts properly configured with restrictive defaults. |
| No-Sensitive-Data-In-Logs | ✅ Passed | The renovate.json file contains no logging that exposes passwords, tokens, API keys, PII, or sensitive data. Its configurations use safe labels and schedules only. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |


@MitaliBhalla MitaliBhalla marked this pull request as ready for review June 3, 2026 12:51
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 3, 2026
@openshift-ci openshift-ci Bot requested review from AlexSmithGH and joshbranham June 3, 2026 12:51
@MitaliBhalla

Contributor Author

/label tide/merge-method-squash

@openshift-ci openshift-ci Bot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Jun 3, 2026
@MitaliBhalla

Contributor Author

Please don't merge until all PRs at https://github.com/openshift/release/pulls/MitaliBhalla, except the one for rosa, are merged.
Thanks.

@joshbranham

Contributor

/lgtm
/hold

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 3, 2026
@openshift-ci openshift-ci Bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed lgtm Indicates that a PR is ready to be merged. labels Jun 3, 2026
openshift-merge-bot Bot pushed a commit to openshift/ocm-agent-operator that referenced this pull request Jun 4, 2026
Point renovate.json at draft/rosa-745-gomod-batch-monday on MitaliBhalla/boilerplate
until openshift/boilerplate#748 merges. Align Dependabot docker labels and
Mon 03:00 UTC schedule with boilerplate template for tide automerge pilot.

Co-authored-by: Cursor <cursoragent@cursor.com>
@MitaliBhalla MitaliBhalla force-pushed the draft/rosa-745-gomod-batch-monday branch from e8f674f to 4d5a5d8 Compare June 8, 2026 07:37
@MitaliBhalla

Contributor Author

/retest

@MitaliBhalla

Contributor Author

/unhold

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 8, 2026
Comment thread boilerplate/openshift/golang-osd-operator/standard.mk Outdated
Enable grouped gomod manager in shared renovate.json with Mon-Fri 02:00-04:59
UTC batch window; pre-label lgtm/approved on safe patch/minor/digest updates;
major gomod and Tekton updates open for manual review. Add lgtm/approved and
Mon 03:00 UTC schedule to Dependabot docker template.

Co-authored-by: Cursor <cursoragent@cursor.com>
@MitaliBhalla MitaliBhalla force-pushed the draft/rosa-745-gomod-batch-monday branch from 4d5a5d8 to 38a86e9 Compare June 8, 2026 16:47
@MitaliBhalla

Contributor Author

/retest

openshift-merge-bot Bot pushed a commit to openshift/ocm-agent-operator that referenced this pull request Jun 9, 2026
Revert the pilot fork extends (MitaliBhalla/boilerplate#draft/rosa-745-gomod-batch-monday)
so this repo inherits renovate config from openshift/boilerplate master like the rest
of the fleet. Dependabot docker labels/schedule from #285 are unchanged.

After openshift/boilerplate#748 merges, gomod MintMaker rules apply via upstream extends.

Co-authored-by: Cursor <cursoragent@cursor.com>
@joshbranham

Contributor

Looks good, approving with a hold, you can unhold and do testing when you are online.

/lgtm
/hold

@openshift-ci openshift-ci Bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm Indicates that a PR is ready to be merged. labels Jun 9, 2026
@openshift-ci

openshift-ci Bot commented Jun 9, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: joshbranham, MitaliBhalla

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@MitaliBhalla

Contributor Author

/unhold

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 9, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit adf5de7 into openshift:master Jun 9, 2026
5 checks passed
This was referenced Jun 11, 2026
openshift-merge-bot Bot pushed a commit to openshift/release that referenced this pull request Jun 29, 2026
* ROSA-745: branch-protection for non-boilerplate repos

Require mandatory ci/prow/* presubmits (non-optional, always_run) for repos
that do not inherit dependency automerge config from openshift/boilerplate#748.

rosa: Konflux on-pull-request + mandatory prow (supersedes #79948).

aws-account-shredder: not in openshift/release — DPP-only for required checks.

Repos: backplane-cli, backplane-tools, cluster-api-provider-aws, managed-cluster-config, osdctl, rosa

* Fix _config.yaml repo ordering for prow-config (release before rosa)

determinize-prow-config requires alphabetical ordering under
tide.context_options.orgs.openshift.repos.

* Revert managed-cluster-config from ROSA-745 branch-protection PR

Branch protection for MCC is already live via #77430 (ci/prow/pr-check).
No functional change needed for non-boilerplate ROSA-745 scope.

* ROSA-745: require enterprise-contract for openshift/rosa master

Add Red Hat Konflux / rh-rosa-cli-enterprise-contract / rosa alongside
rosa-on-pull-request per release review; EC reports success on rosa
dependency PRs (not neutral like most OSD operators).

Co-authored-by: Cursor <cursoragent@cursor.com>

* ROSA-745: drop cluster-api-provider-aws from branch-protection

Soft-fork kept in sync with kubernetes-sigs/cluster-api-provider-aws;
dependency updates flow via upstream rebase/sync, not downstream
Dependabot/automerge (per maintainer review).

Co-authored-by: Cursor <cursoragent@cursor.com>

* ROSA-745: require osdctl format and verify-docs on master

Align branch-protection with always-run presubmits from
openshift-osdctl-master-presubmits.yaml.

Co-authored-by: Cursor <cursoragent@cursor.com>

* Address review: align required checks and drop CAPA tide edits

- osdctl: format + verify-docs (prior commit)
- backplane-cli: add always-run ci/prow/scan-optional
- rosa: add always-run images/e2e-presubmits prow contexts
- cluster-api-provider-aws: fully restore _prowconfig.yaml to main

Co-authored-by: Cursor <cursoragent@cursor.com>

* ROSA-745: drop scan-optional from backplane-cli branch-protection

The presubmit is optional: true in ci-operator; requiring it repo-wide
would gate every PR on an advisory scan job.

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
krisnababu pushed a commit to oharan2/release that referenced this pull request Jul 3, 2026

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.
