chore(kubernetes): get up to date

Author: buroa

.github/renovate/groups.json5

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Run flux-local test
         uses: docker://ghcr.io/allenporter/flux-local:v7.2.1
@@ -39,12 +39,12 @@ jobs:
       fail-fast: false
     steps:
       - name: Checkout Pull Request Branch
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: pull
 
       - name: Checkout Default Branch
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: "${{ github.event.repository.default_branch }}"
           path: default
@@ -70,20 +70,20 @@ jobs:
           cat diff.patch >> $GITHUB_OUTPUT
           echo 'EOF' >> $GITHUB_OUTPUT
 
-      - name: Generate Token
-        if: ${{ steps.diff.outputs.diff != '' }}
-        uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1
+      - if: ${{ steps.diff.outputs.diff != '' }}
+        name: Generate Token
+        uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1.11.6
         id: app-token
         with:
-          app-id: "${{ secrets.BOT_APP_ID }}"
-          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
 
-      - name: Add Comment
-        if: ${{ steps.diff.outputs.diff != '' }}
-        uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2
+      - if: ${{ steps.diff.outputs.diff != '' }}
+        name: Add Comment
+        uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2
         with:
-          repo-token: "${{ steps.app-token.outputs.token }}"
-          message-id: "${{ github.event.pull_request.number }}/kubernetes/${{ matrix.resources }}"
+          repo-token: ${{ steps.app-token.outputs.token }}
+          message-id: ${{ github.event.pull_request.number }}/kubernetes/${{ matrix.resources }}
           message-failure: Diff was not successful
           message: |
             ```diff

.github/workflows/flux-local.yaml

@@ -23,9 +23,9 @@ jobs:
       pull: ${{ steps.extract.outputs.pull }}
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          ref: "${{ matrix.branches == 'default' && github.event.repository.default_branch || '' }}"
+          ref: ${{ matrix.branches == 'default' && github.event.repository.default_branch || '' }}
 
       - name: Gather Images
         uses: docker://ghcr.io/allenporter/flux-local:v7.2.1
@@ -44,10 +44,10 @@ jobs:
         run: echo "${{ matrix.branches }}=$(jq --compact-output '.' images.json)" >> $GITHUB_OUTPUT
 
   diff:
+    if: ${{ needs.extract.outputs.default != needs.extract.outputs.pull }}
     needs: extract
     name: Diff Images
     runs-on: ubuntu-latest
-    if: ${{ needs.extract.outputs.default != needs.extract.outputs.pull }}
     outputs:
       images: ${{ steps.diff.outputs.images }}
     steps:
@@ -62,10 +62,10 @@ jobs:
           echo "images=${images}" >> $GITHUB_OUTPUT
 
   pull:
+    if: ${{ needs.diff.outputs.images != '[]' }}
     needs: diff
     name: Pull Images
     runs-on: k8s-gitops-runner
-    if: ${{ needs.diff.outputs.images != '[]' }}
     strategy:
       matrix:
         images: ${{ fromJSON(needs.diff.outputs.images) }}

.github/workflows/image-pull.yaml

@@ -17,12 +17,12 @@ jobs:
       issues: write
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           sparse-checkout: .github/labels.yaml
 
       - name: Sync Labels
-        uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2
+        uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
         with:
           config-file: .github/labels.yaml
           delete-other-labels: true

.github/workflows/label-sync.yaml

@@ -13,14 +13,14 @@ jobs:
     if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
     steps:
       - name: Generate Token
-        uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1
+        uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1.11.6
         id: app-token
         with:
-          app-id: "${{ secrets.BOT_APP_ID }}"
-          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
 
       - name: Labeler
-        uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
+        uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
         with:
-          repo-token: "${{ steps.app-token.outputs.token }}"
+          repo-token: ${{ steps.app-token.outputs.token }}
           configuration-path: .github/labeler.yaml

.github/workflows/labeler.yaml

@@ -17,44 +17,46 @@ on:
         default: latest
         required: false
   schedule:
-    - cron: "0 * * * *" # Every hour
+    - cron: "0 * * * *"
   push:
     branches: ["main"]
-    paths: [".github/renovate.json5", ".github/renovate/**.json5"]
+    paths:
+      - .renovaterc.json5
+      - .renovate/**.json5
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
   cancel-in-progress: true
 
 env:
-  LOG_LEVEL: "${{ inputs.logLevel || 'debug' }}"
+  LOG_LEVEL: ${{ inputs.logLevel || 'debug' }}
   RENOVATE_AUTODISCOVER: true
-  RENOVATE_AUTODISCOVER_FILTER: "${{ github.repository }}"
-  RENOVATE_DRY_RUN: "${{ inputs.dryRun == true }}"
+  RENOVATE_AUTODISCOVER_FILTER: ${{ github.repository }}
+  RENOVATE_DRY_RUN: ${{ inputs.dryRun == true }}
+  RENOVATE_INTERNAL_CHECKS_FILTER: strict
   RENOVATE_PLATFORM: github
   RENOVATE_PLATFORM_COMMIT: true
-  WORKFLOW_RENOVATE_VERSION: "${{ inputs.version || 'latest' }}"
+  WORKFLOW_RENOVATE_VERSION: ${{ inputs.version || 'latest' }}
 
 jobs:
   renovate:
     name: Renovate
     runs-on: ubuntu-latest
     steps:
       - name: Generate Token
-        uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1
+        uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1.11.6
         id: app-token
         with:
-          app-id: "${{ secrets.BOT_APP_ID }}"
-          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
 
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          token: "${{ steps.app-token.outputs.token }}"
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Renovate
         uses: renovatebot/github-action@02f4fdeb479bbb229caa7ad82cb5e691c07e80b3 # v41.0.14
         with:
-          configurationFile: .github/renovate.json5
-          token: "${{ steps.app-token.outputs.token }}"
-          renovate-version: "${{ env.WORKFLOW_RENOVATE_VERSION }}"
+          token: ${{ steps.app-token.outputs.token }}
+          renovate-version: ${{ env.WORKFLOW_RENOVATE_VERSION }}

.github/workflows/renovate.yaml

@@ -12,17 +12,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Generate Token
-        uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1
+        uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1.11.6
         id: app-token
         with:
-          app-id: "${{ secrets.BOT_APP_ID }}"
-          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
 
       - name: Get Previous Tag and Determine Next Tag
         id: determine-next-tag
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
-          github-token: "${{ steps.app-token.outputs.token }}"
+          github-token: ${{ steps.app-token.outputs.token }}
           result-encoding: string
           script: |
             const { data: tags } = await github.rest.repos.listTags({
@@ -43,9 +43,9 @@ jobs:
             return `${nextMajorMinor}.${nextPatch}`;
 
       - name: Create Tag
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
-          github-token: "${{ steps.app-token.outputs.token }}"
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             const tagName = "${{ steps.determine-next-tag.outputs.result }}";
 

.github/workflows/tag.yaml

@@ -2,16 +2,16 @@
   $schema: "https://docs.renovatebot.com/renovate-schema.json",
   packageRules: [
     {
-      description: ["Auto-merge trusted container digests"],
+      description: "Auto-merge trusted container digests",
       matchDatasources: ["docker"],
       automerge: true,
       automergeType: "branch",
       matchUpdateTypes: ["digest"],
-      matchPackageNames: ["/buroa/"],
+      matchPackageNames: ["/buroa/", "/home-operations/"],
       ignoreTests: true,
     },
     {
-      description: ["Auto-merge GitHub Actions"],
+      description: "Auto-merge GitHub Actions",
       matchManagers: ["github-actions"],
       automerge: true,
       automergeType: "branch",

.github/renovate/allowedVersions.json5 renamed to .renovate/allowedVersions.json5

@@ -3,7 +3,7 @@
   customManagers: [
     {
       customType: "regex",
-      description: ["Process annotated dependencies"],
+      description: "Process annotated dependencies",
       fileMatch: ["(^|/).+\\.ya?ml(?:\\.j2)?$"],
       matchStrings: [
         // # renovate: datasource=github-releases depName=kubernetes/kubernetes

.github/renovate/autoMerge.json5 renamed to .renovate/autoMerge.json5

@@ -10,7 +10,7 @@
   customManagers: [
     {
       customType: "regex",
-      description: ["Process Grafana dashboards"],
+      description: "Process Grafana dashboards",
       fileMatch: ["(^|/)kubernetes/.+\\.ya?ml$"],
       matchStrings: [
         'depName="(?<depName>.*)"\\n(?<indentation>\\s+)gnetId: (?<packageName>\\d+)\\n.+revision: (?<currentValue>\\d+)',

.github/renovate/customManagers.json5 renamed to .renovate/customManagers.json5

@@ -0,0 +1,83 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  packageRules: [
+    {
+      description: "1Password Connect Group",
+      groupName: "1Password Connnect",
+      matchDatasources: ["docker"],
+      matchPackageNames: ["/1password/"],
+      group: {
+        commitMessageTopic: "{{{groupName}}} group",
+      },
+    },
+    {
+      description: "Actions Runner Controller Group",
+      groupName: "Actions Runner Controller",
+      matchDatasources: ["docker"],
+      matchPackageNames: [
+        "/gha-runner-scale-set-controller/",
+        "/gha-runner-scale-set/",
+      ],
+      group: {
+        commitMessageTopic: "{{{groupName}}} group",
+      },
+    },
+    {
+      description: "Cert-Manager Group",
+      groupName: "Cert-Manager",
+      matchDatasources: ["docker"],
+      matchPackageNames: ["/cert-manager/"],
+      group: {
+        commitMessageTopic: "{{{groupName}}} group",
+      },
+    },
+    {
+      description: "Cilium Group",
+      groupName: "Cilium",
+      matchDatasources: ["docker"],
+      matchPackageNames: ["/cilium/"],
+      group: {
+        commitMessageTopic: "{{{groupName}}} group",
+      },
+    },
+    {
+      description: "CoreDNS Group",
+      groupName: "CoreDNS",
+      matchDatasources: ["docker"],
+      matchPackageNames: ["/coredns/"],
+      group: {
+        commitMessageTopic: "{{{groupName}}} group",
+      },
+    },
+    {
+      description: "External Secrets Operator Group",
+      groupName: "External Secrets Operator",
+      matchDatasources: ["docker"],
+      matchPackageNames: ["/external-secrets/"],
+      group: {
+        commitMessageTopic: "{{{groupName}}} group",
+      },
+    },
+    {
+      description: "Flux Operator Group",
+      groupName: "Flux Operator",
+      matchDatasources: ["docker"],
+      matchPackageNames: ["/flux-operator/", "/flux-instance/"],
+      group: {
+        commitMessageTopic: "{{{groupName}}} group",
+      },
+    },
+    {
+      description: "Intel Device Plugins Group",
+      groupName: "Intel-Device-Plugins",
+      matchDatasources: ["docker"],
+      matchPackageNames: [
+        "/intel-device-plugins-operator/",
+        "/intel-device-plugins-gpu/",
+      ],
+      group: {
+        commitMessageTopic: "{{{groupName}}} group",
+      },
+    },
+  ],
+}

.github/renovate/grafanaDashboards.json5 renamed to .renovate/grafanaDashboards.json5

@@ -16,7 +16,7 @@
     ":disableRateLimiting",
     ":gitSignOff",
     ":semanticCommits",
-    ":timezone(America/New_York)",
+    ":timezone(America/Chicago)",
   ],
   dependencyDashboardTitle: "Renovate Dashboard 🤖",
   suppressNotifications: ["prEditedNotification", "prIgnoreNotification"],