Add Renovate bot to automate dependency updates#5004
Open
lucastigera wants to merge 1 commit into
Open
Conversation
Mirror projectcalico/calico's Renovate setup, adapted to the operator's file layout: a renovate.json config plus a .semaphore/renovate.yml pipeline run on a Semaphore schedule. Tracks the same safe, patch-focused dependency classes as calico: - Go modules: k8s.io/** (patch), golang.org/x/** (patch + minor), all other modules disabled; go mod tidy after each update. - Go language version: the "go x.y.z" directive in go.mod (golang-version). - calico/base: CALICO_BASE_VER in the Makefile (docker datasource, ubiN-<serial> versioning), tolerant of ?=. Updates are grouped into a single dependency-updates PR, minor/major/digest blocked globally, vulnerability alerts enabled. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Enables a Renovate bot for
tigera/operator, bringing it to parity with the coredependency automation that already runs in
projectcalico/calico. Until now theoperator's Go modules, Go toolchain, and
calico/baseimage have been bumped by hand.Type of change: new feature / CI tooling (no product code changes).
This mirrors calico's setup — a
renovate.jsonconfig plus a.semaphore/renovate.ymlpipeline run on a Semaphore schedule — adapted to the operator's file layout. Like
calico's, it is deliberately not a blanket dependency bumper: it tracks a small,
safe, patch-focused set and groups everything into a single PR.
What it tracks
k8s.io/**→ patch;golang.org/x/**→ patch + minor;all other Go modules disabled.
go mod tidyruns after each update(
postUpdateOptions: ["gomodTidy"]).go x.y.zdirective ingo.mod(golang-versiondatasource), patch-only.
calico/baseimage:CALICO_BASE_VERin the Makefile (dockerdatasource,ubiN-<serial>regex versioning), tolerant of?=.Global behaviour (mirrored from calico)
groupName: dependency-updates).golang.org/xminor exception above).baseBranchPatterns:release-v1.40,release-v1.42,release-v1.43,master.vulnerabilityAlertsenabled,rebaseWhen: behind-base-branch, PR limits 20/20.Semaphore job
.semaphore/renovate.yml: ubuntu2204 VM,nvm install 24,renovate@43,renovate --platform=github --autodiscover=false,RENOVATE_REPOSITORIES=tigera/operator,RENOVATE_GIT_AUTHOR=marvin-tigera. Reuses the org secretsmarvin-renovate-token(GitHub PAT) and
private-repo(SSH key for privatetigera/*module fetches,ssh-addin the prologue). The cron schedule is configured as a Semaphore scheduled Task in
project settings — it is not committed here, same as calico.
Differences from the calico base config (intentionally dropped / adapted)
skip-bot-cherry-picklabel — dropped. No such label exists intigera/operator.Kept labels the operator actually has:
docs-not-required,release-note-not-required,dependencies.merge-when-ready/delete-branchlabels — dropped for now. These driveauto-merge and branch cleanup. Omitted for the initial runs so we can build confidence
with PRs that stop at "opened"; they can be added back later.
npmmanager — dropped. The operator has nopackage.json; calico's npm managerand its "disable all npm updates" rule are not applicable.
metadata.mk/K8S_VERSIONmanagers — dropped. The operator has nometadata.mk,and k8s-version bumping is out of scope. calico's
GO_VERSION/K8S_VERSION/CALICO_BASEregex managers pointed at
metadata.mkare replaced by two operator-appropriate managers:the
godirective ingo.mod, andCALICO_BASE_VERin theMakefile.make gen-deps-filespostUpgradeTasks+RENOVATE_ALLOWED_COMMANDS— dropped.The operator has no
deps.txtgeneration step; it relies ongomodTidyinstead.calico/basesource — adapted. Pointed at the operator'sMakefileinstead ofcalico's
metadata.mk, and the regex tolerates?=(CALICO_BASE_VER ?= ubi9-<serial>).baseBranchPatterns— adapted to the operator's active release branches(
release-v1.40/-v1.42/-v1.43+master) instead of calico'srelease-v3.31/-v3.32.Note:
release-v1.40's Makefile has noCALICO_BASE_VER(different base-image scheme),so
calico/baseis not tracked on that branch — Go modules and the go directive still are.Testing
Validated locally against the real repo before opening this PR:
renovate-config-validator— config passes schema validation.renovate --dry-run(config supplied viaRENOVATE_CONFIG_FILE) — extractionsucceeds on all base branches; both custom managers fire (
golanggo-directive andcalico/basewith?=); scoping is correct (onlyk8s.io/*,golang.org/x/*, godirective,
calico/base); updates group intorenovate/<branch>-dependency-updates;vulnerabilityAlertscorrectly opens security PRs that bypass the block rules.Release Note
For PR author
make gen-files(N/A)make gen-versions(N/A)For PR reviewers
A note for code reviewers - all pull requests must have the following:
kind/bugif this is a bugfix.kind/enhancementif this is a a new feature.enterpriseif this PR applies to Calico Enterprise only.