diff --git a/README.md b/README.md index 0d2bb24c..9c4ee0c4 100644 --- a/README.md +++ b/README.md @@ -177,6 +177,11 @@ For any specific platform: `task build:dist:darwin:arm64` `task build:dist:windows:amd64` +### Dependency updates + +Dependencies are updated automatically via [Renovate](https://docs.renovatebot.com/). +See the auto-created `Dependency Dashboard` issue to track or trigger updates manually. + --- ## 🔗 Links diff --git a/renovate.json b/renovate.json new file mode 100644 index 00000000..ab08aa27 --- /dev/null +++ b/renovate.json 
@@ -0,0 +1,112 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:recommended",
+ ":dependencyDashboard",
+ ":semanticCommits",
+ ":timezone(Europe/Moscow)",
+ ":enableVulnerabilityAlertsWithLabel(security)"
+ ],
+ "schedule": ["before 6am on monday"],
+ "prConcurrentLimit": 10,
+ "prHourlyLimit": 2,
+ "labels": ["dependencies", "renovate"],
+ "rangeStrategy": "replace",
+ "rebaseWhen": "conflicted",
+ "ignorePaths": ["**/bin/**", "**/dist/**", "**/build/**", "**/.tmp/**", "**/testing/**"],
+ "ignoreDeps": [
+ "werf/trdl-vault-actions",
+ "github.com/werf/3p-helm",
+ "go.cypherpunks.ru/gogost/v5"
+ ],
+ "postUpdateOptions": [],
+ "gomod": {
+ "enabled": true
+ },
+ "vulnerabilityAlerts": {
+ "labels": ["security"],
+ "schedule": ["at any time"]
+ },
+ "packageRules": [
+ {
+ "description": "Group k8s.io/*",
+ "matchManagers": ["gomod"],
+ "matchPackagePatterns": ["^k8s\\.io/", "^sigs\\.k8s\\.io/"],
+ "groupName": "kubernetes"
+ },
+ {
+ "description": "Group werf/*",
+ "matchManagers": ["gomod"],
+ "matchPackagePatterns": ["^github\\.com/werf/"],
+ "groupName": "werf"
+ },
+ {
+ "description": "Group deckhouse/*",
+ "matchManagers": ["gomod"],
+ "matchPackagePatterns": ["^github\\.com/deckhouse/"],
+ "groupName": "deckhouse"
+ },
+ {
+ "description": "Group hashicorp/* (including vault — major upgrades require manual review)",
+ "matchManagers": ["gomod"],
+ "matchPackagePatterns": ["^github\\.com/hashicorp/"],
+ "groupName": "hashicorp"
+ },
+ {
+ "description": "All github-actions in a single PR",
+ "matchManagers": ["github-actions"],
+ "groupName": "github-actions"
+ },
+ {
+ "description": "Major updates get separate PRs and require manual review",
+ "matchUpdateTypes": ["major"],
+ "labels": ["dependencies", "renovate", "major-update"],
+ "addLabels": ["needs-review"]
+ },
+ {
+ "description": "Go toolchain updates grouped into a single PR",
+ "matchDepNames": ["go", "golang"],
+ "groupName": "go-toolchain"
+ },
+ {
+ "description": "Disable updates for private flant.internal packages (replace targets for hashicorp/vault, not accessible to Renovate)",
+ "matchManagers": ["gomod"],
+ "matchPackagePatterns": ["^flant\\.internal/"],
+ "enabled": false
+ }
+ ],
+ "customManagers": [
+ {
+ "customType": "regex",
+ "description": "kubectlVersion in Taskfile.yml — track kubernetes/kubernetes releases",
+ "fileMatch": ["^Taskfile\\.ya?ml$"],
+ "matchStrings": [
+ "kubectlVersion:\\s*(?v\\d+\\.\\d+\\.\\d+)"
+ ],
+ "datasourceTemplate": "github-releases",
+ "depNameTemplate": "kubernetes/kubernetes",
+ "extractVersionTemplate": "^(?v\\d+\\.\\d+\\.\\d+)$"
+ },
+ {
+ "customType": "regex",
+ "description": "GOLANGCI_LINT_VERSION in release workflow",
+ "fileMatch": ["^\\.github/workflows/.+\\.ya?ml$"],
+ "matchStrings": [
+ "GOLANGCI_LINT_VERSION:\\s*['\"]?(?v\\d+\\.\\d+\\.\\d+)['\"]?"
+ ],
+ "datasourceTemplate": "github-releases",
+ "depNameTemplate": "golangci/golangci-lint",
+ "extractVersionTemplate": "^(?v\\d+\\.\\d+\\.\\d+)$"
+ },
+ {
+ "customType": "regex",
+ "description": "go-version in setup-go steps, synced with golang-version datasource",
+ "fileMatch": ["^\\.github/workflows/.+\\.ya?ml$"],
+ "matchStrings": [
+ "go-version:\\s*['\"](?\\d+\\.\\d+(?:\\.\\d+)?)['\"]"
+ ],
+ "datasourceTemplate": "golang-version",
+ "depNameTemplate": "go"
+ }
+ ]
+}
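Review bot: The three `ignoreDeps` entries (`werf/trdl-vault-actions`, `github.com/werf/3p-helm`, `go.cypherpunks.ru/gogost/v5`) are excluded from every update with no reason recorded, unlike the `flant.internal` rule in `packageRules`, which explains itself in its `description`. Ignored dependencies get no Renovate PRs at all, and that presumably includes the PRs driven by the `vulnerabilityAlerts` block configured here (worth confirming against the Renovate docs), so these modules, a cryptography library among them, fall back to manual tracking without the config saying so. I would move them into a `packageRules` entry with `"enabled": false`, `"matchPackageNames": ["werf/trdl-vault-actions", "github.com/werf/3p-helm", "go.cypherpunks.ru/gogost/v5"]` and a `description` stating why each is held back and who is responsible for bumping it.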