Merge pull request #1747 from erikgb/manual-self-upgrade

erikgb · web-flow · commit 15b5e982508a · 2025-08-25T17:09:28.000+02:00
Manual self upgrade
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -4,17 +4,19 @@
 # Update Go dependencies and GitHub Actions dependencies daily.
 version: 2
 updates:
-- package-ecosystem: gomod
-  directory: /
-  schedule:
-    interval: daily
-  groups:
-    all-go-deps:
-      patterns: ["*"]
 - package-ecosystem: github-actions
   directory: /
   schedule:
     interval: daily
+  exclude-paths: # Exclude files that are mastered from makefile-modules and shouldn't be upgraded in projects using makefile-modules.
+    - .github/workflows/govulncheck.yaml
+    - .github/workflows/make-self-upgrade.yaml
+    - .github/workflows/renovate.yaml
   groups:
     all-gh-actions:
       patterns: ["*"]
+  labels:
+    - dependencies
+    - kind/cleanup
+    - release-note-none
+    - ok-to-test
diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -0,0 +1,93 @@
+// THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+// Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base-dependabot/.github/renovate.json5 instead.
+
+{
+  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
+  enabled: true,
+  enabledManagers: [
+    'gomod',
+  ],
+  separateMajorMinor: false,
+  extends: [
+    'config:best-practices',
+    ':gitSignOff',
+    ':semanticCommits',
+    ':disableVulnerabilityAlerts',
+    ':prConcurrentLimit10', // Set a limit to avoid too many PRs, at least on the first run
+    ':prHourlyLimitNone',
+  ],
+  timezone: 'Europe/London',
+  labels: [
+    'dependencies',
+    'kind/cleanup',
+    'release-note-none',
+  ],
+  postUpgradeTasks: {
+    commands: [
+      'make generate',
+    ],
+    executionMode: 'branch',
+  },
+  packageRules: [
+    {
+      groupName: 'Misc Go deps',
+      matchManagers: [
+        'gomod',
+      ],
+      matchPackageNames: [
+        '*',
+      ],
+    },
+    {
+      groupName: 'Kubernetes Go deps',
+      matchManagers: [
+        'gomod',
+      ],
+      matchPackageNames: [
+        'sigs.k8s.io**/**',
+        'k8s.io**/**',
+      ],
+    },
+    {
+      groupName: 'Cloud Go deps',
+      matchManagers: [
+        'gomod',
+      ],
+      matchPackageNames: [
+        'github.com/akamai**/**',
+        'github.com/aws**/**',
+        'github.com/Azure**/**',
+        'github.com/AzureAD**/**',
+        'github.com/cloudflare**/**',
+        'github.com/digitalocean**/**',
+        'google.golang.org/api',
+      ],
+    },
+    {
+      groupName: 'golang.org/x deps',
+      matchManagers: [
+        'gomod',
+      ],
+      matchPackageNames: [
+        'golang.org/x**/*',
+      ],
+      addLabels: [
+        'skip-review', // Adding label to allow PRs to automerge
+      ],
+    },
+    {
+      description: 'Disable Go pseudo-version updates',
+      matchManagers: [
+        'gomod',
+      ],
+      matchPackageNames: [
+        '*',
+      ],
+      matchCurrentValue: 'v0.0.0*',
+      enabled: false,
+    },
+  ],
+  ignorePaths: [
+    '**/vendor/**',
+  ],
+}
diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml
@@ -0,0 +1,56 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base-dependabot/.github/workflows/renovate.yaml instead.
+
+name: Renovate
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: '0 2 * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+
+    if: github.repository == 'cert-manager/website'
+
+    permissions:
+      contents: write
+      issues: write
+      statuses: write
+      pull-requests: write
+
+    steps:
+      - name: Fail if branch is not head of branch.
+        if: ${{ !startsWith(github.ref, 'refs/heads/') && env.SOURCE_BRANCH != '' && env.SELF_UPGRADE_BRANCH != '' }}
+        run: |
+          echo "This workflow should not be run on a non-branch-head."
+          exit 1
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
+        # the tags so `git describe` returns a valid version.
+        # see https://github.com/actions/checkout/issues/701 for extra info about this option
+        with: { fetch-depth: 0 }
+
+      - id: go-version
+        run: |
+          make print-go-version >> "$GITHUB_OUTPUT"
+
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: ${{ steps.go-version.outputs.result }}
+
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@b11417b9eaac3145fe9a8544cee66503724e32b6 # v43.0.8
+        with:
+          configurationFile: .github/renovate.json5
+          token: ${{ secrets.GITHUB_TOKEN }}
+        env:
+          RENOVATE_REPOSITORIES: '["${{ github.repository }}"]'
+          RENOVATE_ONBOARDING: "false"
+          RENOVATE_PLATFORM: "github"
+          LOG_LEVEL: "debug"
+          RENOVATE_ALLOWED_COMMANDS: '["make generate"]'
diff --git a/.gitignore b/.gitignore
@@ -50,6 +50,7 @@ public/feed.*
 
 # IntelliJ
 .idea
+*.iml
 
 # Our release-process.md tells us to run 'sed' commands that create .bak files.
 *.bak
diff --git a/klone.yaml b/klone.yaml
@@ -10,30 +10,30 @@ targets:
     - folder_name: boilerplate
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 8837533393f5309a1f6ce4cc09641c26d50cef5d
+      repo_hash: 63051131d09a2665195d8a045b1a07034468fe20
       repo_path: modules/boilerplate
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 8837533393f5309a1f6ce4cc09641c26d50cef5d
+      repo_hash: 63051131d09a2665195d8a045b1a07034468fe20
       repo_path: modules/generate-verify
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 8837533393f5309a1f6ce4cc09641c26d50cef5d
+      repo_hash: 63051131d09a2665195d8a045b1a07034468fe20
       repo_path: modules/help
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 8837533393f5309a1f6ce4cc09641c26d50cef5d
+      repo_hash: 63051131d09a2665195d8a045b1a07034468fe20
       repo_path: modules/klone
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 8837533393f5309a1f6ce4cc09641c26d50cef5d
+      repo_hash: 63051131d09a2665195d8a045b1a07034468fe20
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 8837533393f5309a1f6ce4cc09641c26d50cef5d
+      repo_hash: 63051131d09a2665195d8a045b1a07034468fe20
       repo_path: modules/tools
diff --git a/make/_shared/repository-base/01_mod.mk b/make/_shared/repository-base/01_mod.mk
@@ -40,6 +40,10 @@ generate-base:
 			sed "s|{{REPLACE:GH-REPOSITORY}}|$(repo_name:github.com/%=%)|g" "$$file" > "$(CURDIR)/$$file"; \
 		done
 	cp -r $(repository_base_dependabot_dir)/. ./
+	cd $(repository_base_dependabot_dir) && \
+		find . -type f | while read file; do \
+			sed "s|{{REPLACE:GH-REPOSITORY}}|$(repo_name:github.com/%=%)|g" "$$file" > "$(CURDIR)/$$file"; \
+		done
 endif
 
 shared_generate_targets += generate-base
diff --git a/make/_shared/repository-base/base-dependabot/.github/dependabot.yaml b/make/_shared/repository-base/base-dependabot/.github/dependabot.yaml
@@ -4,17 +4,19 @@
 # Update Go dependencies and GitHub Actions dependencies daily.
 version: 2
 updates:
-- package-ecosystem: gomod
-  directory: /
-  schedule:
-    interval: daily
-  groups:
-    all-go-deps:
-      patterns: ["*"]
 - package-ecosystem: github-actions
   directory: /
   schedule:
     interval: daily
+  exclude-paths: # Exclude files that are mastered from makefile-modules and shouldn't be upgraded in projects using makefile-modules.
+    - .github/workflows/govulncheck.yaml
+    - .github/workflows/make-self-upgrade.yaml
+    - .github/workflows/renovate.yaml
   groups:
     all-gh-actions:
       patterns: ["*"]
+  labels:
+    - dependencies
+    - kind/cleanup
+    - release-note-none
+    - ok-to-test
diff --git a/make/_shared/repository-base/base-dependabot/.github/renovate.json5 b/make/_shared/repository-base/base-dependabot/.github/renovate.json5
@@ -0,0 +1,93 @@
+// THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+// Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base-dependabot/.github/renovate.json5 instead.
+
+{
+  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
+  enabled: true,
+  enabledManagers: [
+    'gomod',
+  ],
+  separateMajorMinor: false,
+  extends: [
+    'config:best-practices',
+    ':gitSignOff',
+    ':semanticCommits',
+    ':disableVulnerabilityAlerts',
+    ':prConcurrentLimit10', // Set a limit to avoid too many PRs, at least on the first run
+    ':prHourlyLimitNone',
+  ],
+  timezone: 'Europe/London',
+  labels: [
+    'dependencies',
+    'kind/cleanup',
+    'release-note-none',
+  ],
+  postUpgradeTasks: {
+    commands: [
+      'make generate',
+    ],
+    executionMode: 'branch',
+  },
+  packageRules: [
+    {
+      groupName: 'Misc Go deps',
+      matchManagers: [
+        'gomod',
+      ],
+      matchPackageNames: [
+        '*',
+      ],
+    },
+    {
+      groupName: 'Kubernetes Go deps',
+      matchManagers: [
+        'gomod',
+      ],
+      matchPackageNames: [
+        'sigs.k8s.io**/**',
+        'k8s.io**/**',
+      ],
+    },
+    {
+      groupName: 'Cloud Go deps',
+      matchManagers: [
+        'gomod',
+      ],
+      matchPackageNames: [
+        'github.com/akamai**/**',
+        'github.com/aws**/**',
+        'github.com/Azure**/**',
+        'github.com/AzureAD**/**',
+        'github.com/cloudflare**/**',
+        'github.com/digitalocean**/**',
+        'google.golang.org/api',
+      ],
+    },
+    {
+      groupName: 'golang.org/x deps',
+      matchManagers: [
+        'gomod',
+      ],
+      matchPackageNames: [
+        'golang.org/x**/*',
+      ],
+      addLabels: [
+        'skip-review', // Adding label to allow PRs to automerge
+      ],
+    },
+    {
+      description: 'Disable Go pseudo-version updates',
+      matchManagers: [
+        'gomod',
+      ],
+      matchPackageNames: [
+        '*',
+      ],
+      matchCurrentValue: 'v0.0.0*',
+      enabled: false,
+    },
+  ],
+  ignorePaths: [
+    '**/vendor/**',
+  ],
+}
diff --git a/make/_shared/repository-base/base-dependabot/.github/workflows/renovate.yaml b/make/_shared/repository-base/base-dependabot/.github/workflows/renovate.yaml
