Conversation
| // This is used so that not everything in the entire repo is setup for Renovate at once | ||
| // Initially this configuration is designed to only support the new GHA EKS clusters | ||
| "enabledManagers": [ | ||
| "github-actions", |
There was a problem hiding this comment.
Dependabot is already handling github-actions: https://github.com/gravitational/shared-workflows/blob/main/.github/dependabot.yml#L3
Why not just add to the Dependabot configuration for ecosystems which it's already managing?
There was a problem hiding this comment.
There was a problem hiding this comment.
@jentfoo: We've generally found Dependabot lacking for internal tooling IaC needs. It doesn't support critical ecosystems (helm, docker -- yes we've opened the feature requests) and lacks the configurability of renovate (e.g. in how we determine update sources). I'm in favor of incrementally replacing dependabot with renovate in this repo.
There was a problem hiding this comment.
I agree in the use of Renovate, I recognize it covers gaps that Dependabot has. But it seems like for a given repo we should be using a single tool for a given ecosystem. Having a single ecosystem (github actions) managed by two tools may add confusion.
There was a problem hiding this comment.
I can replace dependabot with Renovate in this repo if you like. I'd be a bit more work but not a significant amount, given that the (current) one other project is pretty much just Go + GHA workflows.
There was a problem hiding this comment.
It's my preference to keep them uniform for a single ecosystem + repo combo, unless there is a reason I am not considering to use both.
There was a problem hiding this comment.
AFAIK we haven't messed with renovate for golang yet, so I'd recommend we keep dependabot for go. I'm fine switching all of GHA to renovate in this repo.
wadells
left a comment
wadells
left a comment
There was a problem hiding this comment.
No concerns with getting this in and then iterating.
| ".github/workflows/codeql.yml", | ||
| ".github/workflows/csv-lint.yaml", | ||
| ".github/workflows/dependency-review.yaml", | ||
| ".github/workflows/github-action-lint.yaml", | ||
| ".github/workflows/govulncheck.yaml", | ||
| ".github/workflows/json-lint.yaml", | ||
| ".github/workflows/terraform-lint.yaml", | ||
| ".github/workflows/trivy.yaml" |
There was a problem hiding this comment.
Lets switch these to renovate.
| { | ||
| "$schema": "https://docs.renovatebot.com/renovate-schema.json", | ||
| "extends": [ | ||
| "config:recommended", |
There was a problem hiding this comment.
| "config:recommended", | |
| "config:best-practices", |
This adds the following on top of config:recommended:
{
"configMigration": true,
"extends": [
"config:recommended",
"docker:pinDigests",
"helpers:pinGitHubActionDigests",
":pinDevDependencies"
]
}
3 participants
Buddy PR for #214 to reduce the PR size. This PR adds Renovate to this repo to handle dependency updates for the AMI cleanup tool. The majority of these changes have been pulled from existing, working files in the cloud-terraform repo.
Renovate is self hosted. This has been running for several months now in the cloud-terraform repo to manage updates for our self-hosted GHA runner EKS clusters. All files associated with Renovate have been copy/pasted from the existing working configuration in that repo, with some minor project-specific changes.
This Renovate tooling needs improvements in a couple of places, and probably needs to be moved to a separate project in this repo at some point. I didn't do that as a part of this PR to avoid the scope creep.