Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added Renovate config for AMI cleanup tool #237

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

fheinecke
Copy link
Contributor

@fheinecke fheinecke commented Mar 28, 2024

Buddy PR for #214 to reduce the PR size. This PR adds Renovate to this repo to handle dependency updates for the AMI cleanup tool. The majority of these changes have been pulled from existing, working files in the cloud-terraform repo.

Renovate is self hosted. This has been running for several months now in the cloud-terraform repo to manage updates for our self-hosted GHA runner EKS clusters. All files associated with Renovate have been copy/pasted from the existing working configuration in that repo, with some minor project-specific changes.

This Renovate tooling needs improvements in a couple of places, and probably needs to be moved to a separate project in this repo at some point. I didn't do that as a part of this PR to avoid the scope creep.

@fheinecke fheinecke requested review from a team as code owners March 28, 2024 21:29
// This is used so that not everything in the entire repo is setup for Renovate at once
// Initially this configuration is designed to only support the new GHA EKS clusters
"enabledManagers": [
"github-actions",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dependabot is already handling github-actions: https://github.com/gravitational/shared-workflows/blob/main/.github/dependabot.yml#L3

Why not just add to the Dependabot configuration for ecosystems which it's already managing?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jentfoo: We've generally found Dependabot lacking for internal tooling IaC needs. It doesn't support critical ecosystems (helm, docker -- yes we've opened the feature requests) and lacks the configurability of renovate (e.g. in how we determine update sources). I'm in favor of incrementally replacing dependabot with renovate in this repo.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree in the use of Renovate, I recognize it covers gaps that Dependabot has. But it seems like for a given repo we should be using a single tool for a given ecosystem. Having a single ecosystem (github actions) managed by two tools may add confusion.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can replace dependabot with Renovate in this repo if you like. I'd be a bit more work but not a significant amount, given that the (current) one other project is pretty much just Go + GHA workflows.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's my preference to keep them uniform for a single ecosystem + repo combo, unless there is a reason I am not considering to use both.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAIK we haven't messed with renovate for golang yet, so I'd recommend we keep dependabot for go. I'm fine switching all of GHA to renovate in this repo.

Copy link
Contributor

@wadells wadells left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No concerns with getting this in and then iterating.

Comment on lines +37 to +44
".github/workflows/codeql.yml",
".github/workflows/csv-lint.yaml",
".github/workflows/dependency-review.yaml",
".github/workflows/github-action-lint.yaml",
".github/workflows/govulncheck.yaml",
".github/workflows/json-lint.yaml",
".github/workflows/terraform-lint.yaml",
".github/workflows/trivy.yaml"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lets switch these to renovate.

{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:recommended",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"config:recommended",
"config:best-practices",

This adds the following on top of config:recommended:

{
  "configMigration": true,
  "extends": [
    "config:recommended",
    "docker:pinDigests",
    "helpers:pinGitHubActionDigests",
    ":pinDevDependencies"
  ]
}

https://docs.renovatebot.com/presets-config/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants