ROSA-745: per-repo dependency automation config

[MitaliBhalla]

Summary

ROSA-745 — rosa per-repo MintMaker + Dependabot (not on boilerplate).

• .github/renovate.json — extends boilerplate MintMaker rules (tekton + gomod)
• .github/dependabot.yml — docker only; pre-labels lgtm/approved for tide on UBI bumps

Draft — merge after openshift/release#80263 is live (~6h).

Depends on

• openshift/release#80263 — Konflux rosa-on-pull-request + EC + mandatory prow image contexts

Test plan

• MintMaker grouped gomod PR opens on schedule
• Merge gated by Konflux + prow (no merge on partial green)
• Major gomod stays manual

Summary by CodeRabbit

• Chores
  • Added a Dependabot configuration to automatically check Docker dependencies weekly, with PR labeling, a cap on concurrently open Dependabot PRs, and a selected exclusion.
  • Added a Renovate configuration that validates the config schema and limits automated updates to specific dependency managers only.

[openshift-ci-robot]

@MitaliBhalla: This pull request references ROSA-745 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the initiative to target the "5.0.0" version, but no target version was set.

Details

In response to this:

ROSA-745 phase 2 draft — MintMaker gomod (renovate extends boilerplate) + docker-only Dependabot with lgtm/approved. Konflux repo, not on boilerplate. Pending DPP branch protection openshift/release#80263.

Made with Cursor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds two dependency management configuration files. .github/dependabot.yml configures weekly Docker updates for the repository root, applies labels, limits open Dependabot PRs to 10, and ignores ubi9/go-toolset. .github/renovate.json adds Renovate configuration that extends an external base config and enables only the tekton and gomod managers.

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is on-topic but does not follow the required template and omits most required sections, including type, issue details, and validation.	Expand the description to match the template: add PR Summary, issue context, related links, change type, before/after behavior, step-by-step testing, proof, and checklist items.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title is concise and clearly names the per-repo dependency automation config change.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only adds Dependabot/Renovate config files; no Ginkgo test titles or test files were changed.
Test Structure And Quality	✅ Passed	PR only adds .github Dependabot/Renovate config; no Ginkgo test code was changed, so the test-quality check is not applicable.
Microshift Test Compatibility	✅ Passed	PR only adds dependency automation configs; no new Ginkgo e2e tests or MicroShift-sensitive APIs were introduced.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds only .github/dependabot.yml and .github/renovate.json; no Ginkgo/e2e test code or SNO assumptions are introduced.
Topology-Aware Scheduling Compatibility	✅ Passed	Only .github dependency-bot config changed; no deployment manifests/operator code/controllers or topology/scheduling fields were added, and .tekton files contain none.
Ote Binary Stdout Contract	✅ Passed	Only .github/dependabot.yml and .github/renovate.json changed; no process-level code or stdout writes were touched.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Config-only change: .github/dependabot.yml and .github/renovate.json; no new Ginkgo e2e tests or network-sensitive code added.
No-Weak-Crypto	✅ Passed	The PR only adds Dependabot/Renovate config; neither file contains weak ciphers, custom crypto, or secret comparisons.
Container-Privileges	✅ Passed	PR only adds .github/dependabot.yml and .github/renovate.json; neither is a container/K8s manifest and no privileged settings appear in the changed files.
No-Sensitive-Data-In-Logs	✅ Passed	The PR only adds dependency config files; there are no log statements or sensitive values like secrets, PII, or hostnames.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MitaliBhalla
Once this PR has been reviewed and has the lgtm label, please assign braetroutman for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[amandahla]

Hi @MitaliBhalla thanks for submitting the PR, [nvm]we are using only Renovate for the terraform repositories and the plan is apply same changes here.
See an example:
https://github.com/terraform-redhat/terraform-provider-rhcs/blob/main/renovate.json
[/nvm]

Correction: its already set here :) Is dependabot really necessary?
https://github.com/openshift/rosa/blob/master/renovate.json

@olucasfreitas FYI

[openshift-ci]

@MitaliBhalla: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[amandahla]

Hi @MitaliBhalla ROSA CLI deps are already covered by Renovate configuration, could you confirm if there is something else to be added or if we can close this PR please?