cert-manager
diff --git a/‎.github/chainguard/make-self-upgrade.sts.yaml‎
Lines changed: 10 additions & 0 deletions b/‎.github/chainguard/make-self-upgrade.sts.yaml‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎.github/chainguard/renovate.sts.yaml‎
Lines changed: 14 additions & 0 deletions b/‎.github/chainguard/renovate.sts.yaml‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎.github/dependabot.yaml‎
Lines changed: 0 additions & 22 deletions b/‎.github/dependabot.yaml‎
Lines changed: 0 additions & 22 deletions
diff --git a/‎.github/renovate.json5‎
Lines changed: 70 additions & 24 deletions b/‎.github/renovate.json5‎
Lines changed: 70 additions & 24 deletions
diff --git a/‎.github/workflows/make-self-upgrade.yaml‎
Lines changed: 12 additions & 3 deletions b/‎.github/workflows/make-self-upgrade.yaml‎
Lines changed: 12 additions & 3 deletions
diff --git a/‎.github/workflows/renovate.yaml‎
Lines changed: 12 additions & 6 deletions b/‎.github/workflows/renovate.yaml‎
Lines changed: 12 additions & 6 deletions
diff --git a/‎klone.yaml‎
Lines changed: 6 additions & 6 deletions b/‎klone.yaml‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎make/_shared/repository-base/01_mod.mk‎
Lines changed: 2 additions & 0 deletions b/‎make/_shared/repository-base/01_mod.mk‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎make/_shared/repository-base/base-dependabot/.github/dependabot.yaml‎
Lines changed: 0 additions & 22 deletions b/‎make/_shared/repository-base/base-dependabot/.github/dependabot.yaml‎
Lines changed: 0 additions & 22 deletions
@@ -0,0 +1,10 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/chainguard/make-self-upgrade.sts.yaml instead.
+
+issuer: https://token.actions.githubusercontent.com
+subject_pattern: ^repo:cert-manager/website:ref:refs/heads/(main|master)$
+
+permissions:
+  contents: write
+  pull_requests: write
+  workflows: write
@@ -0,0 +1,14 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/chainguard/renovate.sts.yaml instead.
+
+issuer: https://token.actions.githubusercontent.com
+subject_pattern: ^repo:cert-manager/website:ref:refs/heads/(main|master)$
+
+permissions:
+  administration: read
+  contents: write
+  issues: write
+  pull_requests: write
+  security_events: read
+  statuses: write
+  workflows: write
@@ -4,8 +4,14 @@
 {
   $schema: 'https://docs.renovatebot.com/renovate-schema.json',
   enabled: true,
-  gitAuthor: 'cert-manager-bot <[email protected]>',
+  gitAuthor: 'Renovate Bot <[email protected]>',
+  gitIgnoredAuthors: [
+    'Renovate Bot <[email protected]>',
+    'cert-manager-bot <[email protected]>',
+  ],
+  recreateWhen: 'always', // TODO: Remove; temporary fix to force Renovate to ignore "foreign" commits
   enabledManagers: [
+    'github-actions',
     'gomod',
   ],
   extends: [
@@ -23,20 +29,33 @@
     'ok-to-test',
     'release-note-none',
   ],
-  postUpgradeTasks: {
-    commands: [
-      'make generate',
-    ],
-    executionMode: 'branch',
-  },
+  // packageRules uses globs for matchPackageNames. Some packages have a separate major version i.e. /v on them which is when we would need package**/**.
   packageRules: [
+    {
+      groupName: 'Misc GitHub actions',
+      matchManagers: [
+        'github-actions',
+      ],
+    },
+    {
+      matchManagers: [
+        'gomod',
+      ],
+      postUpgradeTasks: {
+        commands: [
+          'make vendor-go generate',
+        ],
+        executionMode: 'branch',
+      }
+    },
     {
       groupName: 'Misc Go deps',
       matchManagers: [
         'gomod',
       ],
-      matchPackageNames: [
-        '*',
+      matchUpdateTypes: [
+        'minor',
+        'patch',
       ],
     },
     {
@@ -45,43 +64,55 @@
         'gomod',
       ],
       matchPackageNames: [
-        'github.com/onsi/ginkgo**/**',
-        'github.com/onsi/gomega**/**',
-        'github.com/stretchr/testify**/**',
+        'github.com/onsi/ginkgo/**',
+        'github.com/onsi/gomega',
+        'github.com/stretchr/testify',
       ],
+      matchUpdateTypes: [
+        'minor',
+        'patch',
+      ]
     },
     {
       groupName: 'Cloud Go deps',
       matchManagers: [
         'gomod',
       ],
       matchPackageNames: [
-        'github.com/akamai**/**',
-        'github.com/aws**/**',
-        'github.com/Azure**/**',
-        'github.com/AzureAD**/**',
-        'github.com/cloudflare**/**',
-        'github.com/digitalocean**/**',
+        'github.com/akamai/**',
+        'github.com/aws/**',
+        'github.com/Azure/**',
+        'github.com/AzureAD/**',
+        'github.com/cloudflare/**',
+        'github.com/digitalocean/**',
         'google.golang.org/api',
       ],
+      matchUpdateTypes: [
+        'minor',
+        'patch',
+      ]
     },
     {
       groupName: 'Kubernetes Go deps',
       matchManagers: [
         'gomod',
       ],
       matchPackageNames: [
-        'sigs.k8s.io**/**',
-        'k8s.io**/**',
+        'sigs.k8s.io/**',
+        'k8s.io/**',
       ],
+      matchUpdateTypes: [
+        'minor',
+        'patch',
+      ]
     },
     {
       groupName: 'Kubernetes Go patches',
       matchManagers: [
         'gomod',
       ],
       matchPackageNames: [
-        'k8s.io**/**',
+        'k8s.io/**',
       ],
       matchUpdateTypes: [
         'patch',
@@ -96,25 +127,40 @@
         'gomod',
       ],
       matchPackageNames: [
-        'golang.org/x**/*',
+        'golang.org/x/**',
       ],
       addLabels: [
         'skip-review', // Adding label to allow PRs to automerge
       ],
     },
     {
-      description: 'Disable Go pseudo-version updates',
+      matchManagers: [
+        'gomod',
+      ],
+      matchUpdateTypes: [
+        'major',
+        'digest',
+      ],
+      dependencyDashboardApproval: true
+    },
+    {
+      description: 'Disable (internal) cert-manager pseudo-version updates',
       matchManagers: [
         'gomod',
       ],
       matchPackageNames: [
-        '*',
+        'github.com/cert-manager/**',
       ],
       matchCurrentValue: 'v0.0.0*',
       enabled: false,
     },
   ],
   ignorePaths: [
     '**/vendor/**',
+    // Exclude files that are mastered from makefile-modules and shouldn't be upgraded in projects using makefile-modules.
+    'make/_shared/**',
+    '.github/workflows/govulncheck.yaml',
+    '.github/workflows/make-self-upgrade.yaml',
+    '.github/workflows/renovate.yaml',
   ],
 }
@@ -18,8 +18,7 @@ jobs:
     if: github.repository == 'cert-manager/website'
 
     permissions:
-      contents: write
-      pull-requests: write
+      id-token: write
 
     env:
       SOURCE_BRANCH: "${{ github.ref_name }}"
@@ -32,11 +31,20 @@ jobs:
           echo "This workflow should not be run on a non-branch-head."
           exit 1
 
+      - name: Octo STS Token Exchange
+        uses: octo-sts/action@e480437973a6f6ac2e9caa40ecabedc870d76395 # main
+        id: octo-sts
+        with:
+          scope: 'cert-manager/website'
+          identity: make-self-upgrade
+
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
         # the tags so `git describe` returns a valid version.
         # see https://github.com/actions/checkout/issues/701 for extra info about this option
-        with: { fetch-depth: 0 }
+        with:
+          fetch-depth: 0
+          token: ${{ steps.octo-sts.outputs.token }}
 
       - id: go-version
         run: |
@@ -75,6 +83,7 @@ jobs:
       - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
+          github-token: ${{ steps.octo-sts.outputs.token }}
           script: |
             const { repo, owner } = context.repo;
             const pulls = await github.rest.pulls.list({
 
@@ -17,10 +17,7 @@ jobs:
     if: github.repository == 'cert-manager/website'
 
     permissions:
-      contents: write
-      issues: write
-      statuses: write
-      pull-requests: write
+      id-token: write
 
     steps:
       - name: Fail if branch is not head of branch.
@@ -29,11 +26,20 @@ jobs:
           echo "This workflow should not be run on a non-branch-head."
           exit 1
 
+      - name: Octo STS Token Exchange
+        uses: octo-sts/action@e480437973a6f6ac2e9caa40ecabedc870d76395 # main
+        id: octo-sts
+        with:
+          scope: 'cert-manager/website'
+          identity: renovate
+
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
         # the tags so `git describe` returns a valid version.
         # see https://github.com/actions/checkout/issues/701 for extra info about this option
-        with: { fetch-depth: 0 }
+        with:
+          fetch-depth: 0
+          token: ${{ steps.octo-sts.outputs.token }}
 
       - id: go-version
         run: |
@@ -47,7 +53,7 @@ jobs:
         uses: renovatebot/github-action@a447f09147d00e00ae2a82ad5ef51ca89352da80 # v43.0.9
         with:
           configurationFile: .github/renovate.json5
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.octo-sts.outputs.token }}
         env:
           RENOVATE_REPOSITORIES: '["${{ github.repository }}"]'
           RENOVATE_ONBOARDING: "false"
 
@@ -10,30 +10,30 @@ targets:
     - folder_name: boilerplate
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: c4f8a8a4d10d0efc9d775d4b1e719d779bf46880
+      repo_hash: 217b9616a01c901044098e5ae0c285ae3b1223ac
       repo_path: modules/boilerplate
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: c4f8a8a4d10d0efc9d775d4b1e719d779bf46880
+      repo_hash: 217b9616a01c901044098e5ae0c285ae3b1223ac
       repo_path: modules/generate-verify
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: c4f8a8a4d10d0efc9d775d4b1e719d779bf46880
+      repo_hash: 217b9616a01c901044098e5ae0c285ae3b1223ac
       repo_path: modules/help
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: c4f8a8a4d10d0efc9d775d4b1e719d779bf46880
+      repo_hash: 217b9616a01c901044098e5ae0c285ae3b1223ac
       repo_path: modules/klone
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: c4f8a8a4d10d0efc9d775d4b1e719d779bf46880
+      repo_hash: 217b9616a01c901044098e5ae0c285ae3b1223ac
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: c4f8a8a4d10d0efc9d775d4b1e719d779bf46880
+      repo_hash: 217b9616a01c901044098e5ae0c285ae3b1223ac
       repo_path: modules/tools
@@ -34,6 +34,8 @@ else
 ## Generate base files in the repository
 ## @category [shared] Generate/ Verify
 generate-base:
+	# TODO(erikgb): Remove; just a temporary command to clean out Dependabot files
+	rm -f ./.github/dependabot.yaml
 	cp -r $(repository_base_dir)/. ./
 	cd $(repository_base_dir) && \
 		find . -type f | while read file; do \