-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added Renovate config for AMI cleanup tool #237
base: main
Are you sure you want to change the base?
Conversation
// This is used so that not everything in the entire repo is setup for Renovate at once | ||
// Initially this configuration is designed to only support the new GHA EKS clusters | ||
"enabledManagers": [ | ||
"github-actions", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Dependabot is already handling github-actions: https://github.com/gravitational/shared-workflows/blob/main/.github/dependabot.yml#L3
Why not just add to the Dependabot configuration for ecosystems which it's already managing?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jentfoo: We've generally found Dependabot lacking for internal tooling IaC needs. It doesn't support critical ecosystems (helm, docker -- yes we've opened the feature requests) and lacks the configurability of renovate (e.g. in how we determine update sources). I'm in favor of incrementally replacing dependabot with renovate in this repo.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree in the use of Renovate, I recognize it covers gaps that Dependabot has. But it seems like for a given repo we should be using a single tool for a given ecosystem. Having a single ecosystem (github actions) managed by two tools may add confusion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can replace dependabot with Renovate in this repo if you like. I'd be a bit more work but not a significant amount, given that the (current) one other project is pretty much just Go + GHA workflows.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's my preference to keep them uniform for a single ecosystem + repo combo, unless there is a reason I am not considering to use both.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
AFAIK we haven't messed with renovate for golang yet, so I'd recommend we keep dependabot for go. I'm fine switching all of GHA to renovate in this repo.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No concerns with getting this in and then iterating.
".github/workflows/codeql.yml", | ||
".github/workflows/csv-lint.yaml", | ||
".github/workflows/dependency-review.yaml", | ||
".github/workflows/github-action-lint.yaml", | ||
".github/workflows/govulncheck.yaml", | ||
".github/workflows/json-lint.yaml", | ||
".github/workflows/terraform-lint.yaml", | ||
".github/workflows/trivy.yaml" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lets switch these to renovate.
{ | ||
"$schema": "https://docs.renovatebot.com/renovate-schema.json", | ||
"extends": [ | ||
"config:recommended", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"config:recommended", | |
"config:best-practices", |
This adds the following on top of config:recommended
:
{
"configMigration": true,
"extends": [
"config:recommended",
"docker:pinDigests",
"helpers:pinGitHubActionDigests",
":pinDevDependencies"
]
}
Buddy PR for #214 to reduce the PR size. This PR adds Renovate to this repo to handle dependency updates for the AMI cleanup tool. The majority of these changes have been pulled from existing, working files in the cloud-terraform repo.
Renovate is self hosted. This has been running for several months now in the cloud-terraform repo to manage updates for our self-hosted GHA runner EKS clusters. All files associated with Renovate have been copy/pasted from the existing working configuration in that repo, with some minor project-specific changes.
This Renovate tooling needs improvements in a couple of places, and probably needs to be moved to a separate project in this repo at some point. I didn't do that as a part of this PR to avoid the scope creep.