From 758292975192d6fcd13c3b557eb6f53cb8b544aa Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Fri, 30 Jan 2026 17:26:07 +0000 Subject: [PATCH 1/3] Add renovate.json --- renovate.json | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 renovate.json diff --git a/renovate.json b/renovate.json new file mode 100644 index 00000000..7190a60b --- /dev/null +++ b/renovate.json @@ -0,0 +1,3 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json" +} From c748741a78f1a6f46c5640ea60702805439532e8 Mon Sep 17 00:00:00 2001 From: Pavel Okhlopkov Date: Mon, 25 May 2026 13:39:08 +0300 Subject: [PATCH 2/3] check renovate Signed-off-by: Pavel Okhlopkov --- README.md | 5 +++ renovate.json | 103 +++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 107 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 0d2bb24c..9c4ee0c4 100644 --- a/README.md +++ b/README.md @@ -177,6 +177,11 @@ For any specific platform: `task build:dist:darwin:arm64` `task build:dist:windows:amd64` +### Dependency updates + +Dependencies are updated automatically via [Renovate](https://docs.renovatebot.com/). +See the auto-created `Dependency Dashboard` issue to track or trigger updates manually. + --- ## 🔗 Links diff --git a/renovate.json b/renovate.json index 7190a60b..4c469870 100644 --- a/renovate.json +++ b/renovate.json 
@@ -1,3 +1,104 @@
 {
- "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:recommended",
+ ":dependencyDashboard",
+ ":semanticCommits",
+ ":timezone(Europe/Moscow)",
+ ":enableVulnerabilityAlertsWithLabel(security)"
+ ],
+ "schedule": ["before 6am on monday"],
+ "prConcurrentLimit": 10,
+ "prHourlyLimit": 2,
+ "labels": ["dependencies", "renovate"],
+ "rangeStrategy": "replace",
+ "rebaseWhen": "conflicted",
+ "ignorePaths": ["**/bin/**", "**/dist/**", "**/build/**", "**/.tmp/**", "**/testing/**"],
+ "ignoreDeps": [
+ "werf/trdl-vault-actions"
+ ],
+ "postUpdateOptions": [],
+ "gomod": {
+ "enabled": true
+ },
+ "vulnerabilityAlerts": {
+ "labels": ["security"],
+ "schedule": ["at any time"]
+ },
+ "packageRules": [
+ {
+ "description": "Group k8s.io/*",
+ "matchManagers": ["gomod"],
+ "matchPackagePatterns": ["^k8s\\.io/", "^sigs\\.k8s\\.io/"],
+ "groupName": "kubernetes"
+ },
+ {
+ "description": "Group werf/*",
+ "matchManagers": ["gomod"],
+ "matchPackagePatterns": ["^github\\.com/werf/"],
+ "groupName": "werf"
+ },
+ {
+ "description": "Group deckhouse/*",
+ "matchManagers": ["gomod"],
+ "matchPackagePatterns": ["^github\\.com/deckhouse/"],
+ "groupName": "deckhouse"
+ },
+ {
+ "description": "Group hashicorp/* (including vault — major upgrades require manual review)",
+ "matchManagers": ["gomod"],
+ "matchPackagePatterns": ["^github\\.com/hashicorp/"],
+ "groupName": "hashicorp"
+ },
+ {
+ "description": "All github-actions in a single PR",
+ "matchManagers": ["github-actions"],
+ "groupName": "github-actions"
+ },
+ {
+ "description": "Major updates get separate PRs and require manual review",
+ "matchUpdateTypes": ["major"],
+ "labels": ["dependencies", "renovate", "major-update"],
+ "addLabels": ["needs-review"]
+ },
+ {
+ "description": "Go toolchain updates grouped into a single PR",
+ "matchDepNames": ["go", "golang"],
+ "groupName": "go-toolchain"
+ }
+ ],
+ "customManagers": [
+ {
+ "customType": "regex",
+ "description": "kubectlVersion in Taskfile.yml — track kubernetes/kubernetes releases",
+ "fileMatch": ["^Taskfile\\.ya?ml$"],
+ "matchStrings": [
+ "kubectlVersion:\\s*(?v\\d+\\.\\d+\\.\\d+)"
+ ],
+ "datasourceTemplate": "github-releases",
+ "depNameTemplate": "kubernetes/kubernetes",
+ "extractVersionTemplate": "^(?v\\d+\\.\\d+\\.\\d+)$"
+ },
+ {
+ "customType": "regex",
+ "description": "GOLANGCI_LINT_VERSION in release workflow",
+ "fileMatch": ["^\\.github/workflows/.+\\.ya?ml$"],
+ "matchStrings": [
+ "GOLANGCI_LINT_VERSION:\\s*['\"]?(?v\\d+\\.\\d+\\.\\d+)['\"]?"
+ ],
+ "datasourceTemplate": "github-releases",
+ "depNameTemplate": "golangci/golangci-lint",
+ "extractVersionTemplate": "^(?v\\d+\\.\\d+\\.\\d+)$"
+ },
+ {
+ "customType": "regex",
+ "description": "go-version in setup-go steps, synced with golang-version datasource",
+ "fileMatch": ["^\\.github/workflows/.+\\.ya?ml$"],
+ "matchStrings": [
+ "go-version:\\s*['\"](?\\d+\\.\\d+(?:\\.\\d+)?)['\"]"
+ ],
+ "datasourceTemplate": "golang-version",
+ "depNameTemplate": "go"
+ }
+ ]
 }
From ff0bdd2ddfd10dc4245130ab1ddb15e1356a3964 Mon Sep 17 00:00:00 2001 From: Pavel Okhlopkov Date: Mon, 25 May 2026 13:44:22 +0300 Subject: [PATCH 3/3] fix Signed-off-by: Pavel Okhlopkov
---
 renovate.json | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/renovate.json b/renovate.json
index 4c469870..ab08aa27 100644
--- a/renovate.json
+++ b/renovate.json
@@ -15,7 +15,9 @@
 "rebaseWhen": "conflicted",
 "ignorePaths": ["**/bin/**", "**/dist/**", "**/build/**", "**/.tmp/**", "**/testing/**"],
 "ignoreDeps": [
- "werf/trdl-vault-actions"
+ "werf/trdl-vault-actions",
+ "github.com/werf/3p-helm",
+ "go.cypherpunks.ru/gogost/v5"
 ],
 "postUpdateOptions": [],
 "gomod": {
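Review bot: The `github-actions` rule groups action bumps into one PR, but nothing in `extends` pins actions to commit digests, so the workflows keep resolving mutable tags and a grouped bump can only be reviewed by tag name. Adding `"helpers:pinGitHubActionDigests"` to the `extends` array would have Renovate rewrite each `uses:` reference to a full commit SHA and keep the tag as a trailing comment. Separately, the three `matchStrings` patterns and both `extractVersionTemplate` values read `(?v…` and `(?\\d…` as shown here; if the named groups (`currentValue`, `version`) are really missing from the committed file rather than lost in rendering, the regex managers will extract nothing, so it is worth running Renovate's config validator on this file.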
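Review bot: The two modules added to `ignoreDeps` are dropped from Renovate updates with no recorded reason, and `go.cypherpunks.ru/gogost/v5` is a cryptographic library, where a silently missed fix matters most. JSON has no comments, so the reason is better carried by a `packageRules` entry such as `{ "description": "<why gogost is held back>", "matchPackageNames": ["go.cypherpunks.ru/gogost/v5"], "enabled": false }`, the same form this commit uses for `flant.internal/` in the following hunk. The same concern applies to that hunk: its description says those modules are replace targets for hashicorp/vault, so presumably upstream Vault fixes have to reach the internal fork by some other route, and the description or README should say who tracks that. The enclosing config object starts above this hunk.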
@@ -65,6 +67,12 @@
 "description": "Go toolchain updates grouped into a single PR",
 "matchDepNames": ["go", "golang"],
 "groupName": "go-toolchain"
+ },
+ {
+ "description": "Disable updates for private flant.internal packages (replace targets for hashicorp/vault, not accessible to Renovate)",
+ "matchManagers": ["gomod"],
+ "matchPackagePatterns": ["^flant\\.internal/"],
+ "enabled": false
 }
 ],
 "customManagers": [