chore(ci): enable Renovate (#4642)

Signed-off-by: Barabanov <[email protected]>

Author: AlexanderBarabanov

.github/dependabot.yaml

@@ -0,0 +1,171 @@
+// Dependency Update Configuration
+//
+// See https://docs.renovatebot.com/configuration-options/
+// See https://json5.org/ for JSON5 syntax
+
+// [!] While updating the Renovate config, test changes on your own fork.
+//  1. Modify the Renovate configuration, which is located in .github/renovate.json5 and push your changes to the default branch of your fork.
+//  2. Enable the Renovate GitHub app in your GitHub account.
+//     Verify that Renovate is activated in the repository settings within the Renovate Dashboard.
+//     To enable the dashboard set `dependencyDashboard` to true
+//  3. Trigger the Renovate app from the dashboard, or push a new commit to your fork’s default branch to re-trigger Renovate.
+//  4. Use the dashboard to initiate Renovate and create a PR on your fork, then check that the proposed PRs are modifying the correct parts.
+//  5. Once you’ve validated that the Renovate configuration works on your fork, submit a PR,
+//     and include links in the description to share details about the testing you've conducted.
+
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+
+  // regenerate lock weekly https://docs.renovatebot.com/configuration-options/#lockfilemaintenance
+  lockFileMaintenance: {
+    enabled: true,
+    schedule: ["* * * * 0"], // weekly
+  },
+
+  extends: ["config:base", ":gitSignOff", "helpers:pinGitHubActionDigests"],
+  // https://docs.renovatebot.com/presets-default/#gitsignoff
+  // https://docs.renovatebot.com/presets-helpers/#helperspingithubactiondigests
+
+  // if necessary, add supported releases branches here
+  // it is possible to enable/disable specific upgrades per branch with
+  // `matchBaseBranches` in specific rule
+  baseBranches: ["develop"],
+
+  // https://docs.renovatebot.com/modules/manager/#disabling-managers
+  pip_requirements: {
+    // Prevent renovate from trying to update demo code
+    enabled: false,
+    managerFilePatterns: [
+      "lib/src/otx/backend/native/exporter/exportable_code/demo/requirements.txt",
+    ],
+  },
+
+  // Set limit to 5
+  ignorePresets: [":prHourlyLimit2"],
+  prHourlyLimit: 5,
+
+  packageRules: [
+    // Enable pinning for container images
+    // https://docs.renovatebot.com/presets-docker/#dockerpindigests
+    {
+      enabled: true,
+      matchDatasources: ["docker"],
+      pinDigests: true,
+      groupName: "Pin images",
+      groupSlug: "pin-images",
+      schedule: ["* * * * 0"], // weekly
+    },
+
+    // Disable python base image upgrades, except patch and digital pinning
+    {
+      enabled: false,
+      matchDatasources: ["docker"],
+      matchPackageNames: ["python"],
+      matchUpdateTypes: ["major", "minor"],
+    },
+
+    // Disable node image upgrades, except patch and digital pinning
+    {
+      enabled: false,
+      matchDatasources: ["docker"],
+      matchPackageNames: ["node"],
+      matchUpdateTypes: ["major", "minor"],
+    },
+
+    // Disable eclipse-mosquitto image upgrades, except patch and digital pinning
+    {
+      enabled: false,
+      matchDatasources: ["docker"],
+      matchPackageNames: ["eclipse-mosquitto"],
+      matchUpdateTypes: ["major", "minor"],
+    },
+
+    // Disable emqx/mqttx-web image upgrades, except patch and digital pinning
+    {
+      enabled: false,
+      matchDatasources: ["docker"],
+      matchPackageNames: ["emqx/mqttx-web"],
+      matchUpdateTypes: ["major", "minor"],
+    },
+
+    // Disable nvidia/cuda image upgrades, except patch and digital pinning
+    {
+      enabled: false,
+      matchDatasources: ["docker"],
+      matchPackageNames: ["nvidia/cuda"],
+      matchUpdateTypes: ["major", "minor"],
+    },
+
+    // Disable pytorch/pytorch image upgrades, except patch and digital pinning
+    {
+      enabled: false,
+      matchDatasources: ["docker"],
+      matchPackageNames: ["pytorch/pytorch"],
+      matchUpdateTypes: ["major", "minor"],
+    },
+
+    // Disable non-security upgrades for pypi, npm and crate, except lock file update
+    // node is upgraded manually
+    {
+      enabled: false,
+      matchDatasources: ["pypi", "node-version", "crate", "npm"],
+    },
+
+    // Python version in TOML is updated manually
+    {
+      enabled: false,
+      matchDatasources: ["python-version"],
+      matchDepTypes: ["requires-python"],
+      matchDepNames: ["python"],
+    },
+
+    // Disable upgrades for Dockerfile syntax (docker/dockerfile)
+    {
+      enabled: false,
+      matchDatasources: ["docker"],
+      matchDepNames: ["docker/dockerfile"],
+    },
+
+    // Group GitHub Actions updates
+    {
+      enabled: true,
+      separateMajorMinor: false,
+      groupName: "GitHub Actions",
+      matchManagers: ["github-actions"],
+      matchPackagePatterns: ["*"],
+      schedule: ["* * 1,15 * *"], // twice a month
+    },
+
+    // uv version used in GitHub Actions is updated manually
+    {
+      enabled: false,
+      matchDatasources: ["github-releases"],
+      matchDepNames: ["astral-sh/uv"],
+      matchDepTypes: ["uses-with"],
+    },
+
+    // python version used in GitHub Actions is updated manually
+    {
+      enabled: false,
+      matchDatasources: ["github-releases"],
+      matchDepNames: ["python"],
+      matchDepTypes: ["uses-with"],
+    },
+
+    // Disable mcr.microsoft.com/playwright image upgrades, except digital pinning,
+    {
+      enabled: false,
+      matchManagers: ["github-actions"],
+      matchDepTypes: ["container"],
+      matchDepNames: ["mcr.microsoft.com/playwright"],
+      matchUpdateTypes: ["major", "minor", "patch"],
+    },
+  ],
+
+  // Enable security upgrades
+  vulnerabilityAlerts: {
+    enabled: true,
+  },
+  osvVulnerabilityAlerts: true,
+  dependencyDashboard: true,
+}

.github/renovate.json5

@@ -0,0 +1,42 @@
+# Renovate configuration validator
+#
+# This workflow validates changes proposed into Renovate configuration file
+# (.github/renovate.json5) and prevents non-valid configuration to be used by Renovate.
+#
+# Required Secrets:
+# - None
+#
+# Automatically triggered on:
+# - Pull requests to .github/renovate.json5.
+#
+
+name: Validate Renovate configuration
+
+on:
+  pull_request:
+    paths:
+      - ".github/renovate.json5"
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
+  cancel-in-progress: true
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout configuration
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Validate configuration
+        run: |
+          # renovate: datasource=docker
+          export RENOVATE_IMAGE=ghcr.io/renovatebot/renovate:40.11
+          docker run --rm --entrypoint "renovate-config-validator" \
+          -v "${{ github.workspace }}/.github/renovate.json5":"/renovate.json5" \
+          ${RENOVATE_IMAGE} "/renovate.json5"

.github/workflows/renovate-config-validator.yml

@@ -0,0 +1,84 @@
+# Dependencies Management Workflow
+#
+# This workflow automates the dependence management based on self-hosed Renovate
+# ensure the project's dependencies remains up-to-date and security fixes are delivered regularly.
+#
+# Key Features:
+# - Automated PR creation into pyproject.toml and uv.lock regeneration
+# - Dry-run for debug purposes
+# - Dependency dashboard (is available in GitHub issues) maintenance
+#
+# Process Stages:
+#
+# 1. Dependencies Management:
+#    - Runs on a daily schedule.
+#    - Identifies dependencies that may be updated based on .github/renovate.json5 configuration.
+#    - Opens corresponding PRs with respect to schedule defined in Renovate config file.
+#    - Updates Renovate Dependency dashboard that is available in GitHub issues.
+#
+# Required Secrets:
+# - RENOVATE_APP_ID: application ID
+# - RENOVATE_APP_PEM: application private key
+#
+# Example Usage:
+# 1. Scheduled Run:
+#    Automatically runs, daily
+#
+# 2. Manual Trigger:
+#    workflow_dispatch:
+#    inputs:
+#      dry-run:
+#        description: "Run Renovate in dry-run mode (no PR)"
+#        required: false
+#        default: false
+#        type: boolean
+#
+# Note: Renovate maintains and updates Dependency dashboard that is available in GitHub issues.
+
+name: Renovate
+on:
+  schedule:
+    # daily
+    - cron: "0 2 * * *"
+
+  # allow to manually trigger this workflow
+  workflow_dispatch:
+    inputs:
+      dry-run:
+        description: "Run Renovate in dry-run mode (no PR)"
+        required: false
+        default: false
+        type: boolean
+
+permissions: {}
+
+jobs:
+  renovate:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Get token
+        id: get-github-app-token
+        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+        with:
+          app-id: ${{ secrets.RENOVATE_APP_ID }}
+          private-key: ${{ secrets.RENOVATE_APP_PEM }}
+
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@a447f09147d00e00ae2a82ad5ef51ca89352da80 # v43.0.9
+        with:
+          configurationFile: .github/renovate.json5
+          token: "${{ steps.get-github-app-token.outputs.token }}"
+        env:
+          LOG_LEVEL: ${{ github.event_name == 'workflow_dispatch' && 'debug' || 'info' }}
+          # Dry run if the event is workflow_dispatch AND the dry-run input is true
+          RENOVATE_DRY_RUN: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.dry-run == 'true') && 'full' || null }}
+          RENOVATE_PLATFORM: github
+          RENOVATE_REPOSITORIES: ${{ github.repository }}