Skip to content

Add Renovate bot to automate dependency updates#5004

Open
lucastigera wants to merge 1 commit into
tigera:masterfrom
lucastigera:renovate-bot-setup
Open

Add Renovate bot to automate dependency updates#5004
lucastigera wants to merge 1 commit into
tigera:masterfrom
lucastigera:renovate-bot-setup

Conversation

@lucastigera

Copy link
Copy Markdown
Contributor

Description

Enables a Renovate bot for tigera/operator, bringing it to parity with the core
dependency automation that already runs in projectcalico/calico. Until now the
operator's Go modules, Go toolchain, and calico/base image have been bumped by hand.

Type of change: new feature / CI tooling (no product code changes).

This mirrors calico's setup — a renovate.json config plus a .semaphore/renovate.yml
pipeline run on a Semaphore schedule — adapted to the operator's file layout. Like
calico's, it is deliberately not a blanket dependency bumper: it tracks a small,
safe, patch-focused set and groups everything into a single PR.

What it tracks

  • Go modules (patch-focused): k8s.io/** → patch; golang.org/x/** → patch + minor;
    all other Go modules disabled. go mod tidy runs after each update
    (postUpdateOptions: ["gomodTidy"]).
  • Go language version: the go x.y.z directive in go.mod (golang-version
    datasource), patch-only.
  • calico/base image: CALICO_BASE_VER in the Makefile (docker datasource,
    ubiN-<serial> regex versioning), tolerant of ?=.

Global behaviour (mirrored from calico)

  • All updates grouped into one PR (groupName: dependency-updates).
  • Minor / major / digest blocked globally (with the golang.org/x minor exception above).
  • baseBranchPatterns: release-v1.40, release-v1.42, release-v1.43, master.
  • vulnerabilityAlerts enabled, rebaseWhen: behind-base-branch, PR limits 20/20.

Semaphore job

.semaphore/renovate.yml: ubuntu2204 VM, nvm install 24, renovate@43,
renovate --platform=github --autodiscover=false, RENOVATE_REPOSITORIES=tigera/operator,
RENOVATE_GIT_AUTHOR=marvin-tigera. Reuses the org secrets marvin-renovate-token
(GitHub PAT) and private-repo (SSH key for private tigera/* module fetches, ssh-add
in the prologue). The cron schedule is configured as a Semaphore scheduled Task in
project settings — it is not committed here, same as calico.

Differences from the calico base config (intentionally dropped / adapted)

  • skip-bot-cherry-pick label — dropped. No such label exists in tigera/operator.
    Kept labels the operator actually has: docs-not-required, release-note-not-required,
    dependencies.
  • merge-when-ready / delete-branch labels — dropped for now. These drive
    auto-merge and branch cleanup. Omitted for the initial runs so we can build confidence
    with PRs that stop at "opened"; they can be added back later.
  • npm manager — dropped. The operator has no package.json; calico's npm manager
    and its "disable all npm updates" rule are not applicable.
  • metadata.mk / K8S_VERSION managers — dropped. The operator has no metadata.mk,
    and k8s-version bumping is out of scope. calico's GO_VERSION/K8S_VERSION/CALICO_BASE
    regex managers pointed at metadata.mk are replaced by two operator-appropriate managers:
    the go directive in go.mod, and CALICO_BASE_VER in the Makefile.
  • make gen-deps-files postUpgradeTasks + RENOVATE_ALLOWED_COMMANDS — dropped.
    The operator has no deps.txt generation step; it relies on gomodTidy instead.
  • calico/base source — adapted. Pointed at the operator's Makefile instead of
    calico's metadata.mk, and the regex tolerates ?= (CALICO_BASE_VER ?= ubi9-<serial>).
  • baseBranchPatterns — adapted to the operator's active release branches
    (release-v1.40/-v1.42/-v1.43 + master) instead of calico's release-v3.31/-v3.32.
    Note: release-v1.40's Makefile has no CALICO_BASE_VER (different base-image scheme),
    so calico/base is not tracked on that branch — Go modules and the go directive still are.

Testing

Validated locally against the real repo before opening this PR:

  • renovate-config-validator — config passes schema validation.
  • Full renovate --dry-run (config supplied via RENOVATE_CONFIG_FILE) — extraction
    succeeds on all base branches; both custom managers fire (golang go-directive and
    calico/base with ?=); scoping is correct (only k8s.io/*, golang.org/x/*, go
    directive, calico/base); updates group into renovate/<branch>-dependency-updates;
    vulnerabilityAlerts correctly opens security PRs that bypass the block rules.

Release Note

NONE

For PR author

  • Tests for change. (N/A — CI tooling; validated via renovate-config-validator + dry-run)
  • If changing pkg/apis/, run make gen-files (N/A)
  • If changing versions, run make gen-versions (N/A)

For PR reviewers

A note for code reviewers - all pull requests must have the following:

  • Milestone set according to targeted release.
  • Appropriate labels:
    • kind/bug if this is a bugfix.
    • kind/enhancement if this is a a new feature.
    • enterprise if this PR applies to Calico Enterprise only.

Mirror projectcalico/calico's Renovate setup, adapted to the operator's
file layout: a renovate.json config plus a .semaphore/renovate.yml pipeline
run on a Semaphore schedule.

Tracks the same safe, patch-focused dependency classes as calico:
- Go modules: k8s.io/** (patch), golang.org/x/** (patch + minor), all other
  modules disabled; go mod tidy after each update.
- Go language version: the "go x.y.z" directive in go.mod (golang-version).
- calico/base: CALICO_BASE_VER in the Makefile (docker datasource,
  ubiN-<serial> versioning), tolerant of ?=.

Updates are grouped into a single dependency-updates PR, minor/major/digest
blocked globally, vulnerability alerts enabled.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants