forked from defenseunicorns/terraform-aws-bastion
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathrenovate.json5
88 lines (88 loc) · 4.81 KB
/
renovate.json5
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
{
$schema: "https://docs.renovatebot.com/renovate-schema.json",
extends: [
// Tells Renovate to maintain one GitHub issue as the "dependency dashboard". See https://docs.renovatebot.com/key-concepts/dashboard
":dependencyDashboard",
// Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use. See https://docs.renovatebot.com/presets-default/#semanticprefixfixdepschoreothers
":semanticPrefixFixDepsChoreOthers",
// Group all updates together. See https://docs.renovatebot.com/presets-group/#groupall
// Other less drastic groupings that may be of interest include: group:allNonMajor, group:recommended, group:monorepos
"group:all",
// Apply crowd-sourced package replacement rules. See https://docs.renovatebot.com/presets-replacements/#replacementsall
"replacements:all",
// Apply crowd-sourced workarounds for known problems with packages. See https://docs.renovatebot.com/presets-workarounds/#workaroundsall
"workarounds:all"
],
// If we don't specify a timezone then Renovate will use UTC
timezone: "America/New_York",
// Giving a small window constrains when Renovate will create PRs. The objective here is to only have Renovate create PRs on weekdays in the morning. This setting only affects when PRs are created. Without other configuration Renovate will rebase any PRs that already exist whenever it wants to.
// We need an "after" and a "before" because there is other automation that happens earlier that we don't want Renovate to conflict with.
schedule: [
"after 7am and before 9am every weekday"
],
// This will prevent Renovate from automatically rebasing PRs. Without this, Renovate will rebase PRs whenever it wants to. The 'schedule' param is only for creating PRs. Because we are grouping all changes into one PR without this Renovate will be constantly rebasing that PR which we don't want since every time that happens another set of GHA status checks are kicked off.
// Using a value of "conflicted" means that Renovate will only rebase PRs if they are in a conflicted state. See https://docs.renovatebot.com/configuration-options/#rebasewhen
rebaseWhen: "conflicted",
// Labels to set in Pull Request. See https://docs.renovatebot.com/configuration-options/#labels
labels: [
"renovate"
],
// Rate limit PRs to maximum x created per hour. 0 means no limit. See https://docs.renovatebot.com/configuration-options/#prhourlylimit
prHourlyLimit: 0,
// Limit to a maximum of x concurrent branches/PRs. 0 means no limit. See https://docs.renovatebot.com/configuration-options/#prconcurrentlimit
prConcurrentLimit: 0,
// List of additional notes/templates to include in the Pull Request body. See https://docs.renovatebot.com/configuration-options/#prbodynotes
prBodyNotes: [
"- :warning: The E2E tests need to be run, they have a manual trigger. To start them add a comment to this PR that says `/test all`"
],
// Enable updates to the pre-commit-config.yaml file. See https://docs.renovatebot.com/modules/manager/pre-commit/
"pre-commit": {
enabled: true
},
"regexManagers": [
// Custom regex manager for the .env file that follows the pattern documented here: https://docs.renovatebot.com/modules/manager/regex/#advanced-capture
{
"fileMatch": ["^.env"],
"matchStrings": [
"datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\s.*?_VERSION=(?<currentValue>.*)\\s"
],
"versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver-coerced{{/if}}",
"extractVersionTemplate": "^v?(?<version>.*)$"
},
// Custom regex manager for the .tool-versions file that follows the pattern documented here: https://docs.renovatebot.com/modules/manager/regex/#advanced-capture
{
"fileMatch": ["^.tool-versions$"],
"matchStrings": [
"datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\s.*? (?<currentValue>.*)\\s"
],
"versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver-coerced{{/if}}",
"extractVersionTemplate": "^v?(?<version>.*)$"
}
],
packageRules: [
{
matchPackageNames: ["k8s.io/client-go"],
allowedVersions: "<1.0.0"
},
{
matchManagers: ["terraform"],
matchDepTypes: ["module"],
matchDatasources: ["github-tags", "git-tags"],
versioning: "loose"
}
],
"vulnerabilityAlerts": {
"enabled": true,
"groupName": null,
"schedule": [],
"dependencyDashboardApproval": false,
"minimumReleaseAge": null,
"rangeStrategy": "update-lockfile",
"commitMessageSuffix": "[SECURITY]",
"branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
"prCreation": "immediate",
"labels": ["security"],
"automerge": true,
"assignees": ["@defenseunicorns/delivery-aws-iac"]
}
}