ROSA-745: per-repo dependency automation config #3267

Open
MitaliBhalla wants to merge 1 commit into openshift:master from MitaliBhalla:rosa-745-dependency-config

@MitaliBhalla MitaliBhalla commented Jun 11, 2026

Summary

ROSA-745: rosa per-repo MintMaker + Dependabot (not on boilerplate).

  • .github/renovate.json — extends boilerplate MintMaker rules (tekton + gomod)
  • .github/dependabot.yml — docker only; pre-labels lgtm/approved for tide on UBI bumps

Draft — merge after openshift/release#80263 is live (~6h).

Depends on

Test plan

  • MintMaker grouped gomod PR opens on schedule
  • Merge gated by Konflux + prow (no merge on partial green)
  • Major gomod stays manual

Summary by CodeRabbit

  • Chores
    • Added a Dependabot configuration to automatically check Docker dependencies weekly, with PR labeling, a cap on concurrently open Dependabot PRs, and a selected exclusion.
    • Added a Renovate configuration that validates the config schema and limits automated updates to specific dependency managers only.

openshift-ci-robot added the jira/valid-reference label (Indicates that this PR references a valid Jira ticket of any type.) Jun 11, 2026

openshift-ci-robot commented Jun 11, 2026

@MitaliBhalla: This pull request references ROSA-745 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the initiative to target the "5.0.0" version, but no target version was set.

In response to this:

ROSA-745 phase 2 draft — MintMaker gomod (renovate extends boilerplate) + docker-only Dependabot with lgtm/approved. Konflux repo, not on boilerplate. Pending DPP branch protection openshift/release#80263.

Made with Cursor

openshift-ci Bot added the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) Jun 11, 2026

openshift-ci Bot commented Jun 11, 2026
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

coderabbitai Bot commented Jun 11, 2026

Walkthrough

This PR adds two dependency management configuration files. .github/dependabot.yml configures weekly Docker updates for the repository root, applies labels, limits open Dependabot PRs to 10, and ignores ubi9/go-toolset. .github/renovate.json adds Renovate configuration that extends an external base config and enables only the tekton and gomod managers.

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The PR description is on-topic but does not follow the required template and omits most required sections, including type, issue details, and validation. | Expand the description to match the template: add PR Summary, issue context, related links, change type, before/after behavior, step-by-step testing, proof, and checklist items. |

✅ Passed checks (14 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title is concise and clearly names the per-repo dependency automation config change. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR only adds Dependabot/Renovate config files; no Ginkgo test titles or test files were changed. |
| Test Structure And Quality | ✅ Passed | PR only adds .github Dependabot/Renovate config; no Ginkgo test code was changed, so the test-quality check is not applicable. |
| Microshift Test Compatibility | ✅ Passed | PR only adds dependency automation configs; no new Ginkgo e2e tests or MicroShift-sensitive APIs were introduced. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR adds only .github/dependabot.yml and .github/renovate.json; no Ginkgo/e2e test code or SNO assumptions are introduced. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | Only .github dependency-bot config changed; no deployment manifests/operator code/controllers or topology/scheduling fields were added, and .tekton files contain none. |
| Ote Binary Stdout Contract | ✅ Passed | Only .github/dependabot.yml and .github/renovate.json changed; no process-level code or stdout writes were touched. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | Config-only change: .github/dependabot.yml and .github/renovate.json; no new Ginkgo e2e tests or network-sensitive code added. |
| No-Weak-Crypto | ✅ Passed | The PR only adds Dependabot/Renovate config; neither file contains weak ciphers, custom crypto, or secret comparisons. |
| Container-Privileges | ✅ Passed | PR only adds .github/dependabot.yml and .github/renovate.json; neither is a container/K8s manifest and no privileged settings appear in the changed files. |
| No-Sensitive-Data-In-Logs | ✅ Passed | The PR only adds dependency config files; there are no log statements or sensitive values like secrets, PII, or hostnames. |

openshift-ci Bot commented Jun 11, 2026
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MitaliBhalla
Once this PR has been reviewed and has the lgtm label, please assign braetroutman for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

amandahla commented Jun 11, 2026
Contributor

Hi @MitaliBhalla, thanks for submitting the PR. [nvm]We are using only Renovate for the terraform repositories and the plan is to apply the same changes here.
See an example:
https://github.com/terraform-redhat/terraform-provider-rhcs/blob/main/renovate.json
[/nvm]

Correction: it's already set here :) Is Dependabot really necessary?
https://github.com/openshift/rosa/blob/master/renovate.json

@olucasfreitas FYI

MitaliBhalla force-pushed the rosa-745-dependency-config branch 2 times, most recently from 739ed03 to 0872e95, June 29, 2026 06:44
MitaliBhalla force-pushed the rosa-745-dependency-config branch from 0872e95 to 7794b21, June 29, 2026 07:02
MitaliBhalla marked this pull request as ready for review June 29, 2026 11:04
openshift-ci Bot removed the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) Jun 29, 2026
openshift-ci Bot requested review from gdbranco and jerichokeyne June 29, 2026 11:04

openshift-ci Bot commented Jun 29, 2026
Contributor

@MitaliBhalla: all tests passed!


@amandahla

Contributor

Hi @MitaliBhalla, ROSA CLI deps are already covered by the Renovate configuration. Could you confirm if there is something else to be added or if we can close this PR, please?
