Feature: Renovate for Dependency Management #750

@DreamingRaven

Description of the change

Similar to what I have seen, and done in other repositories, I believe it would be beneficial to get renovate on this repository.

It will generate PRs like this one for example: https://gitlab.com/GeorgeRaven/raven-helm-charts/-/merge_requests/201, so that we can automate a significant portion of the maintenance work related to updating patches etc.

I extend renovate with custom managers so we can manage the version of anything in any file using regex.

This is my generic configuration that handles 90% of my use cases in my repositories:

{
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "extends": [
        "config:recommended"
    ],
    "packageRules": [
        {
            "description": "Automerge patches",
            "excludePackageNames": [],
            "matchUpdateTypes": [
                "patch"
            ],
            "matchCurrentVersion": "!/^0/",
            "automerge": true
        }
    ],
    "customManagers": [
        {
            "customType": "regex",
            "managerFilePatterns": [
                "/^.*$/"
            ],
            "matchStrings": [
                "\"?v?(?<currentValue>(?<major>0|[1-9]\\d*)\\.(?<minor>0|[1-9]\\d*)\\.(?<patch>0|[1-9]\\d*)(?:-(?<prerelease>(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+(?<buildmetadata>[0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?)\"?\\s+# renovate: datasource=(?<datasource>.*) depName=(?<depName>.*)"
            ],
            "extractVersionTemplate": "^v?(?<version>.*)$"
        }
    ]
}

The only thing to note is the addition of an automerge rule; this will create and automate merging of semver patches, thus eliminating the maintenance of and keeping on top of them.

Benefits

  • higher automation, reducing maintenance work
  • ensures all dependencies can be managed even those in non-standard locations that might be forgotten about
  • works with just about everything: Helm, GitHub workflows, lockfiles, etc.
  • highly configurable depending on what everyone would like to see, including automated bumping of Helm package versions when a sub-dependency is updated.

Possible drawbacks

  • higher automation, in particular patch automerging, requires a good CI setup to ensure a high bar of trust in merges. (This will be a separate issue I will likely open shortly to do with kubeconform etc.)
  • while I can self-host it, I would probably recommend that it is added to the GitHub repo directly via the marketplace: https://github.com/marketplace/renovate/ for long-term support.
  • some level of trust is required in renovate to give it access to create branches, from which it creates PRs to the default branch (unless otherwise specified)

Additional information

There are many ways to skin the proverbial renovate cat. Please let me know what you think.
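
To see which annotated pins the configuration above would pick up, and which version bumps fall under its automerge rule and therefore rely on CI alone, here is a simplified model. It is an added example, not part of the original issue and not Renovate's own code; the file content is constructed, and `extractDeps`, `updateType` and `wouldAutomerge` are hypothetical helper names.

```javascript
// Simplified model of the issue's config; Renovate's real matching has more rules.
// MATCH is matchStrings[0] from the config with the JSON escaping removed.
const MATCH = new RegExp(
  String.raw`"?v?(?<currentValue>(?<major>0|[1-9]\d*)\.(?<minor>0|[1-9]\d*)\.(?<patch>0|[1-9]\d*)(?:-(?<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+(?<buildmetadata>[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)"?\s+# renovate: datasource=(?<datasource>.*) depName=(?<depName>.*)`,
  "g"
);

// Constructed file content: two annotated pins and one unannotated version.
const SAMPLE = [
  'image_tag: "v1.4.2" # renovate: datasource=docker depName=example/app',
  "chart_version: 0.3.1 # renovate: datasource=helm depName=example-chart",
  "plain_version: 2.0.0",
].join("\n");

// Return every dependency the custom manager's regex would extract from text.
function extractDeps(text) {
  return [...text.matchAll(MATCH)].map((m) => ({
    depName: m.groups.depName,
    datasource: m.groups.datasource,
    currentValue: m.groups.currentValue,
  }));
}

// Classify a bump by comparing the numeric major.minor.patch parts only.
function updateType(current, next) {
  const [a, b] = [current, next].map((v) => v.split(/[-+]/)[0].split(".").map(Number));
  if (a[0] !== b[0]) return "major";
  if (a[1] !== b[1]) return "minor";
  return a[2] !== b[2] ? "patch" : null;
}

// Model of the packageRule: matchUpdateTypes ["patch"] and matchCurrentVersion "!/^0/".
function wouldAutomerge(current, next) {
  return updateType(current, next) === "patch" && !/^0/.test(current);
}

for (const dep of extractDeps(SAMPLE)) {
  console.log(dep.depName, dep.datasource, dep.currentValue);
}
```

Only lines carrying the `# renovate:` annotation are extracted, and a `0.x` pin is never automerged even for a patch bump, so the CI gate mentioned under the drawbacks has to cover patch bumps of `1.x` and later pins.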

Labels: enhancement (New feature or request)
