ROSA-745: per-repo dependency automation config

[MitaliBhalla]

ROSA-745 phase 2 draft — MintMaker gomod (renovate extends boilerplate) + docker-only Dependabot with lgtm/approved. Konflux repo, not on boilerplate. Pending DPP branch protection openshift/release#80263.

Made with Cursor

Summary by CodeRabbit

• Chores
  • Added configuration files for automated dependency checking and version management workflows.

[openshift-ci-robot]

@MitaliBhalla: This pull request references ROSA-745 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the initiative to target the "5.0.0" version, but no target version was set.

Details

In response to this:

ROSA-745 phase 2 draft — MintMaker gomod (renovate extends boilerplate) + docker-only Dependabot with lgtm/approved. Konflux repo, not on boilerplate. Pending DPP branch protection openshift/release#80263.

Made with Cursor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds two dependency management configuration files to the repository. .github/dependabot.yml enables Dependabot to automatically check Docker dependencies weekly on Mondays at 03:00 UTC, applying standard labels to created pull requests, limiting concurrent open PRs to 10, and excluding updates for ubi9/go-toolset. .github/renovate.json adds Renovate configuration that inherits from an external OpenShift boilerplate configuration and restricts active package managers to tekton and gomod types only.

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	PR description is minimal and lacks required sections from the template. Missing detailed problem description, validation approach, testing steps, and verification checklist.	Expand description to include: detailed issue context and impact, how changes were validated, step-by-step testing instructions, and completion of the Developer Verification Checklist.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: adding per-repository dependency automation configuration files (Dependabot and Renovate).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only modifies configuration files (.github/dependabot.yml and .github/renovate.json), not test files. No Ginkgo tests are present to assess.
Test Structure And Quality	✅ Passed	PR only adds dependency automation config files (.github/dependabot.yml, .github/renovate.json) with no Ginkgo test code, making the test structure check inapplicable.
Microshift Test Compatibility	✅ Passed	PR adds only configuration files (.github/dependabot.yml, .github/renovate.json) with no Ginkgo e2e tests; MicroShift test compatibility check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR adds only configuration files (.github/dependabot.yml and .github/renovate.json) for dependency automation; it contains no Ginkgo e2e tests.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only adds Dependabot and Renovate configuration files, not deployment manifests or operator/controller code. Topology-aware scheduling check doesn't apply.
Ote Binary Stdout Contract	✅ Passed	PR only adds configuration files (.github/dependabot.yml and .github/renovate.json) with no executable code that could write to stdout.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR adds only configuration files (.github/dependabot.yml and .github/renovate.json) for dependency management automation. No Ginkgo e2e tests are being added, so the IPv6/disconnected network...
No-Weak-Crypto	✅ Passed	The PR adds two configuration files (.github/dependabot.yml and .github/renovate.json) containing no weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implemen...
Container-Privileges	✅ Passed	No privileged container configurations found. PR adds dependency automation config files (dependabot.yml, renovate.json) with no container privilege escalation settings.
No-Sensitive-Data-In-Logs	✅ Passed	Both new configuration files (.github/dependabot.yml and .github/renovate.json) contain only static, non-sensitive configuration data with no logging code or sensitive information exposed.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MitaliBhalla
Once this PR has been reviewed and has the lgtm label, please assign braetroutman for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[amandahla]

Hi @MitaliBhalla thanks for submitting the PR, [nvm]we are using only Renovate for the terraform repositories and the plan is apply same changes here.
See an example:
https://github.com/terraform-redhat/terraform-provider-rhcs/blob/main/renovate.json
[/nvm]

Correction: its already set here :) Is dependabot really necessary?
https://github.com/openshift/rosa/blob/master/renovate.json

@olucasfreitas FYI