-
Notifications
You must be signed in to change notification settings - Fork 16
/
Copy pathdefaults.json5
229 lines (199 loc) · 8.93 KB
/
defaults.json5
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
/*
Validate this file before commiting with (from repository root):
podman run -it \
-v ./renovate/defaults.json5:/usr/src/app/renovate.json5:z \
ghcr.io/renovatebot/renovate:latest \
renovate-config-validator
and/or use the pre-commit hook: https://github.com/renovatebot/pre-commit-hooks
*/
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"description": "This is a basic preset intended\
for reuse to reduce the amount of boiler-plate\
configuration that otherwise would need to be\
duplicated. It should be referenced from other\
repositories renovate config under the 'extends'\
section as: github>containers/automation//renovate/defaults.json5\
(optionally with a '#X.Y.Z' version-tag suffix).",
/*************************************************
****** Global/general configuration options *****
*************************************************/
// Re-use predefined sets of configuration options to DRY
"extends": [
// https://docs.renovatebot.com/presets-config/#configbase
"config:recommended",
// https://docs.renovatebot.com/presets-default/#gitsignoff
":gitSignOff",
// Always rebase dep. update PRs from `main` when PR is stale
":rebaseStalePrs"
],
// The default setting is ambiguous, explicitly base schedules on UTC
"timezone": "UTC",
// Don't swamp CI, rate-limit opening of PRs w/in schedule limits.
"prHourlyLimit": 1,
// Make renovate PRs stand out from the crowd
"labels": ["dependencies"],
// Default setting is an "empty" schedule. Explicitly set this
// such that security-alert PRs may be opened immediately.
"vulnerabilityAlerts": {
// Distinguish PRs from regular dependency updates
"labels": ["dependencies", "security"],
// Force-enable renovate management of deps. which are otherwise
// disabled. Note: Does not apply to any "ignorePaths" list, nor
// any deps. disabled via `packageRules` in this block
// (last-match wins rule).
"enabled": true,
// Note: As of 2024-06-25 indirect golang dependency handling is
// broken in Renovate, and disabled by default. This affects
// vulnerabilityAlerts in that if the dep is 'indirect' no PR
// will ever open, it must be handled manually. Attempting
// to enable indirect deps (for golang) in this section will
// not work, it will always be overriden by the global golang
// indirect dep. setting.
},
// On a busy repo, automatic-rebasing will swamp the CI system.
// Turn it off here, then allow individual repos. to override/enable
// it as appropriate.
"rebaseWhen": "never",
/**************************************************
***** Manager-specific configuration options *****
**************************************************/
"customManagers": [
// Track the latest CI VM images by tag on the containers/automation_images
// repo. Propose updates when newer tag available compared to what is
// referenced in a repo's .cirrus.yml file.
{
"customType": "regex",
"fileMatch": "^.cirrus.yml$",
// Expected veresion format: c<automation_images IMG_SFX value>
// For example `c20230120t152650z-f37f36u2204`
"matchStrings": ["c(?<currentValue>20\\d{6}t\\d{6}z-\\w+)"],
"depNameTemplate": "containers/automation_images",
"datasourceTemplate": "github-tags",
"versioningTemplate": "loose",
"autoReplaceStringTemplate": "c{{{newVersion}}}"
},
// For skopeo and podman, manage the golangci-lint version as
// referenced in their Makefile.
{
"customType": "regex",
"fileMatch": "^Makefile$",
// make ignores whitespace around the value, make renovate do the same.
"matchStrings": [
"GOLANGCI_LINT_VERSION\\s+:=\\s+(?<currentValue>.+)\\s*"
],
"depNameTemplate": "golangci/golangci-lint",
"datasourceTemplate": "github-releases",
"versioningTemplate": "semver-coerced",
// Podman's installer script will puke if there's a 'v' prefix, as represented
// in upstream golangci/golangci-lint releases.
"extractVersionTemplate": "v(?<version>.+)"
}
],
/*************************************************
***** Language-specific configuration options ****
**************************************************/
// ***** ATTENTION WARNING CAUTION DANGER ***** //
// Go versions 1.21 and later will AUTO-UPDATE based on _module_
// _requirements_. ref: https://go.dev/doc/toolchain Because
// many different projects covered by this config, build under
// different distros and distro-versions, golang version consistency
// is desireable across build outputs. In golang 1.21 and later,
// it's possible to pin the version in each project using the
// toolchain go.mod directive. This should be done to prevent
// unwanted auto-updates.
// Ref: Upstream discussion https://github.com/golang/go/issues/65847
"constraints": {"go": "1.22"},
// N/B: LAST MATCHING RULE WINS, match statems are ANDed together.
// https://docs.renovatebot.com/configuration-options/#packagerules
"packageRules": [
/*************************************************
****** Rust-specific configuration options *******
**************************************************/
{
"matchCategories": ["rust"],
// Update both Cargo.toml and Cargo.lock when possible
// i.e. bump the range even if the new version satisfies the existing range.
// https://docs.renovatebot.com/configuration-options/#rangestrategy
"rangeStrategy": "bump"
},
{
"matchCategories": ["rust"],
"matchPackageNames": ["serde", "clap"],
// Update both Cargo.toml and Cargo.lock when possible
"rangeStrategy": "bump",
// These packages roll updates far too often, slow them down.
// Ref: https://github.com/containers/netavark/issues/772
"schedule": ["after 1am and before 11am on the first day of the month"]
},
/*************************************************
****** Python-specific configuration options *****
**************************************************/
{
"matchCategories": ["python"],
// Preserve (but continue to upgrade) any existing SemVer ranges.
"rangeStrategy": "replace"
},
/*************************************************
****** Golang-specific configuration options *****
**************************************************/
{
"matchCategories": ["golang"],
// disabled by default, safe to enable since "tidy" enforced by CI.
"postUpdateOptions": ["gomodTidy"],
// In case a version in use is retracted, allow going backwards.
// N/B: This is NOT compatible with pseudo versions, see below.
"rollbackPrs": false,
// Preserve (but continue to upgrade) any existing SemVer ranges.
"rangeStrategy": "replace"
},
// Golang pseudo-version packages will spam with every Commit ID change.
// Limit update frequency.
{
"matchCategories": ["golang"],
"matchUpdateTypes": ["digest"],
"schedule": ["after 1am and before 11am on the first day of the month"]
},
// Package version retraction (https://go.dev/ref/mod#go-mod-file-retract)
// is broken in Renovate. And no repo should use these retracted versions.
// ref: https://github.com/renovatebot/renovate/issues/13012
{
"matchCategories": ["golang"],
"matchPackageNames": ["github.com/containers/common"],
// Both v1.0.0 and v1.0.1 should be ignored.
"allowedVersions": "!/v((1.0.0)|(1.0.1))$/"
},
// Skip updating the go.mod toolchain directive, humans will manage this.
{
"matchCategories": ["golang"],
"matchDepTypes": ["toolchain"],
"enabled": false
},
/*************************************************
************ CI configuration options ************
**************************************************/
// Github-action updates cannot consistently be tested in a PR.
// This is caused by an unfixable architecture-flaw: Execution
// context always depends on trigger, and we (obvious) can't know
// that ahead of time for all workflows. Abandon all hope and
// mark github-action dep. update PRs '[skip-ci]'
{
"matchManagers": ["github-actions"],
"matchDepTypes": ["action"],
"commitMessagePrefix": "[skip-ci]"
},
// Group together all CI VM image updates into a single PR. This is needed
// to handle the case where an IMG_SFX is mentioned in a comment. For
// example, flagging an important TODO or FIXME item. Or, where CI VM
// images are split across multiple IMG_SFX values that all need to be updated.
{
"matchManagers": ["custom.regex"],
"matchFileNames": [".cirrus.yml"],
"groupName": "CI VM Image",
// Somebody(s) need to check image update PRs as soon as they open.
"reviewers": ["Luap99"],
// Don't wait, roll out CI VM Updates immediately
"schedule": ["at any time"]
},
]
}