feat(deps): added renovate config for custom regexes

[ivankatliarchuk]

Description

• Added renovate configuration. It automate dependency updates, quite similar to Dendabot, but it does provide more flebilities and support custom package updates.

Fixes #4973

Result on forked repo https://github.com/ik-workshop/external-dns-fork-renovate-bootstrap/pull/24/files

How to onboard

• there are two options
  1. To run a Github Action with Renovate (self hosted)
  2. Github App https://github.com/apps/renovate

I'll share config how to onboard. Onboarding very similar to Dependabot as well.

Go to Github App

Allow Renovate to access required repo. No credentials required

Trust Renovate App

You can access UI as well

Check the logs of a recent job

Regex used in config

Checklist

• Unit tests updated
• End user documentation updated

[k8s-ci-robot]

Hi @ivankatliarchuk. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[mloiseleur]

That sound good to me.
Before I start reviewing this PR, @Raffo wdyt of this approach ? For the onboard, do you know if it's possible to use GitHub App on kubernetes-sigs ?

[Raffo]

I don’t think we should proceed with this. We don’t have permissions to do changes like adding apps and I don’t see a lot of problems with dependabot. Updating the version docs like in the linked PR is really no hassle compared to what we have to pull off every time we do a release due to the constraints that the kubernetes flow imposes to us.

[ivankatliarchuk]

So you would not consider renovate as a github action? I do get that there are multiple steps, and not all of them are simple. But step-by-step you could automate pretty much everything and make it quite safe at the same time too.

[Raffo]

@ivankatliarchuk sorry, I misunderstood. I'm okay with the action, but I don't think we should fully switch to renovate, dependabot is working quite fine for us for regular dependency updates and we won't be enabling other github apps on this repo.

[ivankatliarchuk]

Could be related. kubernetes/org#5126

Need to spend a bit more time on that one to understand current permissions and security concerns if any

[ivankatliarchuk]

So renovate as integration is not allowed at the moment

1. REQUEST: New integration for kubernetes-sigs/gcp-compute-persistent-disk-csi-driver kubernetes/org#4501
2. REQUEST: New integration for kubernetes-sigs/gcp-filestore-csi-driver kubernetes/org#4502

The github action job seems like no restrictions, but still digging

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign raffo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ivankatliarchuk]

Hi @Raffo wdyt? I found no evidences that GitHub Actions are not allowed.

[ivankatliarchuk]

Example pull-request ik-workshop#39

[ivankatliarchuk]

With renovate we only do custom regexes and pre-commit, as it's not supported. So only features that not yet supported by dependabot dependabot/dependabot-core#1524, it's not a replacement of dependabot