Skip to content

ROSA-745: MintMaker pilot — enable gomod + docker-only Dependabot#553

Closed
MitaliBhalla wants to merge 2 commits into
openshift:masterfrom
MitaliBhalla:rosa-745-mintmaker-pilot
Closed

ROSA-745: MintMaker pilot — enable gomod + docker-only Dependabot#553
MitaliBhalla wants to merge 2 commits into
openshift:masterfrom
MitaliBhalla:rosa-745-mintmaker-pilot

Conversation

@MitaliBhalla

@MitaliBhalla MitaliBhalla commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

Summary

Investigation showed MintMaker was not running gomod on repos that only had extends: openshift/boilerplate — Dependency Dashboard listed tekton only. Pagerduty (with explicit enabledManagers) is the counterexample.

This PR:

  1. enabledManagers: ["tekton", "gomod"] in .github/renovate.json — test whether MintMaker picks up gomod + boilerplate#748 grouped rules
  2. Remove Dependabot gomod — MintMaker owns go.mod bumps; Dependabot is docker-only
  3. Sync Dependabot docker from #748 template (lgtm/approved, Mon 03:00 UTC)
  4. Dependabot ignores derived from build/Dockerfile: ubi9/go-toolset only (no boilerplate/ose-operator-registry — not used in this repo)
  5. make boilerplate-update for latest boilerplate-managed files

Test plan

  • CI green (prow + Konflux)
  • After merge, Dependency Dashboard shows gomod section (not tekton-only)
  • First grouped “gomod dependencies” MintMaker PR in Mon–Fri 02:00–04:59 UTC window
  • Dependabot docker PRs get lgtm/approved; ubi-minimal bumps allowed, go-toolset ignored

Jira: ROSA-745

Made with Cursor

Summary by CodeRabbit

  • Chores

    • Refined dependency update automation with stricter scheduling (day/time/timezone), streamlined ignore rules, and additional review labels for clearer automated PR handling.
    • Explicitly enabled additional dependency managers for more consistent update coverage.
  • Tests

    • Updated E2E test build environment to a newer Go builder image and adjusted the test build context for compatibility.

- Explicit enabledManagers tekton/gomod so MintMaker runs go.mod updates
- Drop Dependabot gomod (MintMaker owns gomod via boilerplate#748)
- Sync Dependabot docker template: lgtm/approved, Mon 03:00 UTC
- Ignore ubi9/go-toolset only (matches build/Dockerfile; no ose-operator-registry)
- boilerplate-update for latest managed files

Co-authored-by: Cursor <cursoragent@cursor.com>
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 11, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 11, 2026

Copy link
Copy Markdown

@MitaliBhalla: This pull request references ROSA-745 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the initiative to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

MintMaker pilot for ROSA-745 on MCWV.

Investigation showed MintMaker was not running gomod on repos that only had extends: openshift/boilerplate — Dependency Dashboard listed tekton only. Pagerduty (with explicit enabledManagers) is the counterexample.

This PR:

  1. enabledManagers: ["tekton", "gomod"] in .github/renovate.json — test whether MintMaker picks up gomod + boilerplate#748 grouped rules
  2. Remove Dependabot gomod — MintMaker owns go.mod bumps; Dependabot is docker-only
  3. Sync Dependabot docker from #748 template (lgtm/approved, Mon 03:00 UTC)
  4. Dependabot ignores derived from build/Dockerfile: ubi9/go-toolset only (no boilerplate/ose-operator-registry — not used in this repo)
  5. make boilerplate-update for latest boilerplate-managed files

Supersedes #552 and #546 (combine boilerplate dependabot sync + gomod removal + MintMaker fix in one PR).

Test plan

  • CI green (prow + Konflux)
  • After merge, Dependency Dashboard shows gomod section (not tekton-only)
  • First grouped “gomod dependencies” MintMaker PR in Mon–Fri 02:00–04:59 UTC window
  • Dependabot docker PRs get lgtm/approved; ubi-minimal bumps allowed, go-toolset ignored

Jira: ROSA-745

Made with Cursor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci
openshift-ci Bot requested review from aliceh and joshbranham June 11, 2026 05:47
@openshift-ci

openshift-ci Bot commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: MitaliBhalla

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jun 11, 2026

Copy link
Copy Markdown

Walkthrough

Consolidates Dependabot to Docker-only updates with a specified Monday 03:00 UTC schedule and new labels, removes Dependabot gomod handling, enables Renovate managers tekton and gomod, and updates the E2E Dockerfile to use the Go 1.26 builder and adjusted WORKDIR.

Changes

Dependency Management Tooling

Layer / File(s) Summary
Dependabot Docker configuration and gomod removal
.github/dependabot.yml
Dependabot configured as boilerplate-managed for Docker only, schedule set to Monday 03:00 UTC, PR labels include area/dependency, ok-to-test, lgtm, approved, and the previous Go module (gomod) update block was removed.
Renovate manager enablement
.github/renovate.json
Adds enabledManagers with tekton and gomod to explicitly enable those Renovate managers.
E2E builder image and WORKDIR update
test/e2e/Dockerfile
Switches the E2E builder image to openshift-golang-builder (Go 1.26) and updates WORKDIR to managed-cluster-validating-webhooks/.

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Single Node Openshift (Sno) Test Compatibility ⚠️ Warning Three new Ginkgo tests assume multi-node clusters and will fail on SNO: "blocks pods scheduled onto master/infra nodes", "allows cluster-admin to schedule pods onto master/infra nodes", and "blocks... Add [Skipped:SingleReplicaTopology] label to the three problematic test names, or guard them with exutil.IsSingleNode() checks and skip on single-node topologies.
Ipv6 And Disconnected Network Test Compatibility ⚠️ Warning New Ginkgo e2e tests added in test/e2e/validation_webhook_tests.go contain hardcoded external registry references (quay.io, registry.access.redhat.com) without disconnected environment handling. Add image pull secret handling or use cluster-internal registries. Alternatively, wrap tests with [Skipped:Disconnected] flag or implement IP family detection to skip in IPv6-only environments.
✅ Passed checks (13 passed)
Check name Status Explanation
Title check ✅ Passed The title 'ROSA-745: MintMaker pilot — enable gomod + docker-only Dependabot' directly reflects the main changes: enabling gomod in Renovate and converting Dependabot to docker-only while removing its gomod configuration.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed All Ginkgo test names in the repository (29 test files examined) use static, descriptive strings with no dynamic values like fmt.Sprintf, RandomName, UUIDs, timestamps, or concatenation in test tit...
Test Structure And Quality ✅ Passed The PR contains only configuration file changes (.github/dependabot.yml, .github/renovate.json) and a Dockerfile update (test/e2e/Dockerfile), with no modifications to Ginkgo test code (*_test.go f...
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests are added in this PR. Changes are limited to dependency management configs (.github/dependabot.yml, .github/renovate.json) and test build Dockerfile (updated Go 1.25→1.26)....
Topology-Aware Scheduling Compatibility ✅ Passed PR only modifies GitHub Dependabot/Renovate configuration files and an E2E test Dockerfile - no deployment manifests, operator code, or pod scheduling constraints are added or modified.
Ote Binary Stdout Contract ✅ Passed This PR does not violate the OTE Binary Stdout Contract because the repository builds validating admission webhooks, not OpenShift Tests Extension (OTE) binaries. The check is not applicable to thi...
No-Weak-Crypto ✅ Passed PR changes configuration files and a test Dockerfile only; no cryptographic code, weak algorithms (MD5, SHA1, DES, RC4, ECB), or non-constant-time comparisons are present.
Container-Privileges ✅ Passed No container privilege-escalation flags (privileged, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation: true, or root execution) detected in Dockerfiles or K8s manifests in this PR.
No-Sensitive-Data-In-Logs ✅ Passed All modified files (.github/dependabot.yml, .github/renovate.json, test/e2e/Dockerfile) contain only standard configuration without logging of passwords, tokens, API keys, PII, or sensitive data.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 11, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/renovate.json (1)

6-9: Restricting enabledManagers to tekton/gomod matches the boilerplate, but means workflow action refs won’t be Renovate-managed.

  • This repo contains only GitHub Actions workflow files under .github/workflows/ (no package.json, Pipfile/requirements*.txt, poetry.lock, or docker-compose*.yml found), so limiting managers doesn’t appear to drop other ecosystems.
  • openshift/boilerplate/.github/renovate.json uses the same enabledManagers: ["tekton","gomod"], so the setting looks intentional for this template.
  • If you want Renovate to bump actions/* (e.g., actions/checkout@v4) inside workflows, add/enable the github-actions manager (or otherwise manage workflow deps).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/renovate.json around lines 6 - 9, The Renovate config restricts
enabledManagers to ["tekton","gomod"], so GitHub Actions workflow refs
(actions/*) won’t be updated; update the enabledManagers array (the
"enabledManagers" key) to include "github-actions" in addition to "tekton" and
"gomod" so Renovate will manage action versions in .github/workflows (add the
string "github-actions" to the array).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/renovate.json:
- Around line 6-9: The Renovate config restricts enabledManagers to
["tekton","gomod"], so GitHub Actions workflow refs (actions/*) won’t be
updated; update the enabledManagers array (the "enabledManagers" key) to include
"github-actions" in addition to "tekton" and "gomod" so Renovate will manage
action versions in .github/workflows (add the string "github-actions" to the
array).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3371725a-cada-4e41-b3cd-111f0a2ee7ea

📥 Commits

Reviewing files that changed from the base of the PR and between d403e2a and c6d94a6.

⛔ Files ignored due to path filters (2)
  • boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
  • boilerplate/_lib/subscriber-propose-update is excluded by !boilerplate/**
📒 Files selected for processing (2)
  • .github/dependabot.yml
  • .github/renovate.json

go.mod requires 1.26 but test/e2e/Dockerfile used rhel_9_1.25 builder
(Konflux build-container failed). Align with .tekton BASE_IMAGE rhel_9_1.26
and use the go.mod module path instead of OperatorName (validation-webhook).

Co-authored-by: Cursor <cursoragent@cursor.com>
@MitaliBhalla

MitaliBhalla commented Jun 11, 2026

Copy link
Copy Markdown
Contributor Author

🧹 Nitpick comments (1)

.github/renovate.json (1)> 6-9: Restricting enabledManagers to tekton/gomod matches the boilerplate, but means workflow action refs won’t be Renovate-managed.

  • This repo contains only GitHub Actions workflow files under .github/workflows/ (no package.json, Pipfile/requirements*.txt, poetry.lock, or docker-compose*.yml found), so limiting managers doesn’t appear to drop other ecosystems.
  • openshift/boilerplate/.github/renovate.json uses the same enabledManagers: ["tekton","gomod"], so the setting looks intentional for this template.
  • If you want Renovate to bump actions/* (e.g., actions/checkout@v4) inside workflows, add/enable the github-actions manager (or otherwise manage workflow deps).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/renovate.json around lines 6 - 9, The Renovate config restricts
enabledManagers to ["tekton","gomod"], so GitHub Actions workflow refs
(actions/*) won’t be updated; update the enabledManagers array (the
"enabledManagers" key) to include "github-actions" in addition to "tekton" and
"gomod" so Renovate will manage action versions in .github/workflows (add the
string "github-actions" to the array).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/renovate.json:
- Around line 6-9: The Renovate config restricts enabledManagers to
["tekton","gomod"], so GitHub Actions workflow refs (actions/*) won’t be
updated; update the enabledManagers array (the "enabledManagers" key) to include
"github-actions" in addition to "tekton" and "gomod" so Renovate will manage
action versions in .github/workflows (add the string "github-actions" to the
array).

ℹ️ Review info

Intentional for ROSA-745: we inherit boilerplate #748’s enabledManagers: ["tekton", "gomod"] to pilot MintMaker gomod grouping. GitHub Actions pin updates are out of scope for this PR; we can revisit adding github-actions in a follow-up if the team wants Renovate-managed workflow refs.

This was referenced Jun 11, 2026
@openshift-ci

openshift-ci Bot commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

@MitaliBhalla: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants