From 36c614a8201140f0303fb6e43a5ad1cfd2881c50 Mon Sep 17 00:00:00 2001
From: Erik Godding Boye
Date: Sat, 6 Jun 2026 18:48:18 +0200
Subject: [PATCH] Replace self-upgrade workflow with Renovate JSONata manager

Signed-off-by: Erik Godding Boye
---
 modules/repository-base/01_mod.mk | 6 +-
 .../chainguard/make-self-upgrade.sts.yaml | 10 --
 .../.github/workflows/make-self-upgrade.yaml | 114 ------------------
 renovate-config.json5 | 31 ++++-
 4 files changed, 32 insertions(+), 129 deletions(-)
 delete mode 100644 modules/repository-base/base/.github/chainguard/make-self-upgrade.sts.yaml
 delete mode 100644 modules/repository-base/base/.github/workflows/make-self-upgrade.yaml

diff --git a/modules/repository-base/01_mod.mk b/modules/repository-base/01_mod.mk
index 5b7831e3..7e483508 100644
--- a/modules/repository-base/01_mod.mk
+++ b/modules/repository-base/01_mod.mk
@@ -24,13 +24,11 @@ repository_base_dir := $(_repository_base_module_dir)base/
 ## @category [shared] Generate/ Verify
 generate-base:
 cp -r $(repository_base_dir)/. ./
- cd $(repository_base_dir) && \
- find . -type f | while read file; do \
- sed "s|{{REPLACE:GH-REPOSITORY}}|$(repo_name:github.com/%=%)|g" "$$file" > "$(CURDIR)/$$file"; \
- done
 if [ ! -e ./.github/renovate.json5 ]; then \
 mkdir -p ./.github; \
 cp $(_repository_base_module_dir)/renovate-bootstrap-config.json5 ./.github/renovate.json5; \
 fi
+ # TODO: Remove when all downstream repos are updated
+ rm -f ./.github/chainguard/make-self-upgrade.sts.yaml ./.github/workflows/make-self-upgrade.yaml

 shared_generate_targets += generate-base
diff --git a/modules/repository-base/base/.github/chainguard/make-self-upgrade.sts.yaml b/modules/repository-base/base/.github/chainguard/make-self-upgrade.sts.yaml
deleted file mode 100644
index 310ca5ca..00000000
--- a/modules/repository-base/base/.github/chainguard/make-self-upgrade.sts.yaml
+++ /dev/null
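Review bot: Dropping the `find | sed` pass means `cp -r` now copies every file under `base/` verbatim, so any remaining base file that still carries `{{REPLACE:GH-REPOSITORY}}` would ship into downstream repos unsubstituted; only the two deleted files are visible here, so I cannot tell from this patch whether any other file uses the placeholder. A one-line guard in the recipe makes that assumption explicit and fails early: `@! grep -rqF '{{REPLACE:GH-REPOSITORY}}' $(repository_base_dir) || { echo 'generate-base: templating was removed but a placeholder remains in base/'; exit 1; }`. The `rm -f` cleanup of the old workflow and Octo STS policy is fine, but the TODO will be easier to retire if it names its exit condition rather than just "when all downstream repos are updated", e.g. `# TODO: remove once every downstream repo has re-run 'make generate' on a modules version that no longer ships the self-upgrade workflow`.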
@@ -1,10 +0,0 @@
-# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
-# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/chainguard/make-self-upgrade.sts.yaml instead.
-
-issuer: https://token.actions.githubusercontent.com
-subject_pattern: ^repo:{{REPLACE:GH-REPOSITORY}}:ref:refs/heads/(main|master)$
-
-permissions:
- contents: write
- pull_requests: write
- workflows: write
diff --git a/modules/repository-base/base/.github/workflows/make-self-upgrade.yaml b/modules/repository-base/base/.github/workflows/make-self-upgrade.yaml
deleted file mode 100644
index d7b0a707..00000000
--- a/modules/repository-base/base/.github/workflows/make-self-upgrade.yaml
+++ /dev/null
@@ -1,114 +0,0 @@ -# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. -# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/workflows/make-self-upgrade.yaml instead. - -name: make-self-upgrade -concurrency: make-self-upgrade -on: - workflow_dispatch: {} - schedule: - - cron: '0 0 * * *' - -permissions: - contents: read - -jobs: - self_upgrade: - runs-on: ubuntu-latest - - if: github.repository == '{{REPLACE:GH-REPOSITORY}}' - - permissions: - id-token: write - - env: - SOURCE_BRANCH: "${{ github.ref_name }}" - SELF_UPGRADE_BRANCH: "self-upgrade-${{ github.ref_name }}" - - steps: - - name: Fail if branch is not head of branch. - if: ${{ !startsWith(github.ref, 'refs/heads/') && env.SOURCE_BRANCH != '' && env.SELF_UPGRADE_BRANCH != '' }} - run: | - echo "This workflow should not be run on a non-branch-head." - exit 1 - - - name: Octo STS Token Exchange - uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1 - id: octo-sts - with: - scope: '{{REPLACE:GH-REPOSITORY}}' - identity: make-self-upgrade - - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - # Adding `fetch-depth: 0` makes sure tags are also fetched. We need - # the tags so `git describe` returns a valid version. 
- # see https://github.com/actions/checkout/issues/701 for extra info about this option - with: - fetch-depth: 0 - token: ${{ steps.octo-sts.outputs.token }} - - - id: go-version - run: | - make print-go-version >> "$GITHUB_OUTPUT" - - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 - with: - go-version: ${{ steps.go-version.outputs.result }} - - - run: | - git checkout -B "$SELF_UPGRADE_BRANCH" - - - run: | - make -j upgrade-klone - make -j generate - - - id: is-up-to-date - shell: bash - run: | - git_status=$(git status -s) - is_up_to_date="true" - if [ -n "$git_status" ]; then - is_up_to_date="false" - echo "The following changes will be committed:" - echo "$git_status" - fi - echo "result=$is_up_to_date" >> "$GITHUB_OUTPUT" - - - if: ${{ steps.is-up-to-date.outputs.result != 'true' }} - run: | - git config --global user.name "cert-manager-bot" - git config --global user.email "cert-manager-bot@users.noreply.github.com" - git add -A && git commit -m "BOT: run 'make upgrade-klone' and 'make generate'" --signoff - git push -f origin "$SELF_UPGRADE_BRANCH" - - - if: ${{ steps.is-up-to-date.outputs.result != 'true' }} - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 - with: - github-token: ${{ steps.octo-sts.outputs.token }} - script: | - const { repo, owner } = context.repo; - const pulls = await github.rest.pulls.list({ - owner: owner, - repo: repo, - head: owner + ':' + process.env.SELF_UPGRADE_BRANCH, - base: process.env.SOURCE_BRANCH, - state: 'open', - }); - - if (pulls.data.length < 1) { - const result = await github.rest.pulls.create({ - title: '[CI] Merge ' + process.env.SELF_UPGRADE_BRANCH + ' into ' + process.env.SOURCE_BRANCH, - owner: owner, - repo: repo, - head: process.env.SELF_UPGRADE_BRANCH, - base: process.env.SOURCE_BRANCH, - body: [ - 'This PR is auto-generated to bump the Makefile modules.', - ].join('\n'), - }); - await github.rest.issues.addLabels({ - owner, - repo, - issue_number: 
result.data.number,
- labels: ['ok-to-test', 'skip-review', 'release-note-none', 'kind/cleanup']
- });
- }
diff --git a/renovate-config.json5 b/renovate-config.json5
index 1abc2c5f..89f75f8a 100644
--- a/renovate-config.json5
+++ b/renovate-config.json5
@@ -3,7 +3,37 @@
 extends: [
 'github>cert-manager/renovate-config:default.json5',
 ],
+ "customManagers": [
+ {
+ "customType": "jsonata",
+ "fileFormat": "yaml",
+ "managerFilePatterns": ["klone.yaml"],
+ "matchStrings": [
+ 'targets.*.{\
+ "datasource": "git-refs",\
+ "versioning": "git",\
+ "depName": folder_name,\
+ "packageName": repo_url,\
+ "currentValue": repo_ref,\
+ "currentDigest": repo_hash\
+ }',
+ ]
+ }
+ ],
 packageRules: [
+ {
+ "groupName": 'Makefile Modules',
+ "matchManagers": ["custom.jsonata"],
+ "matchFileNames": ["klone.yaml"],
+ "postUpgradeTasks": {
+ "commands": [
+ "make vendor-go",
+ "make generate-klone",
+ "make generate"
+ ],
+ "executionMode": "branch",
+ }
+ },
 {
 matchFileNames: [
 '**/go.mod',
@@ -22,6 +52,5 @@
 // Exclude files that are sourced from makefile-modules and shouldn't be upgraded in projects using makefile-modules.
 'make/_shared/**',
 '.github/workflows/govulncheck.yaml',
- '.github/workflows/make-self-upgrade.yaml',
 ],
 }
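Review bot: The `postUpgradeTasks` block in the `Makefile Modules` package rule only runs when the Renovate host's `allowedCommands` allowlist matches these three command strings; on a host without that allowlist (as far as I know the hosted Mend app does not offer one) the tasks are skipped rather than failing, and the PR lands with `klone.yaml` bumped but `make/_shared` and the generated files stale, which is precisely the state the deleted workflow's `make upgrade-klone` / `make generate` step used to prevent. Because `make generate-klone` fetches the Makefiles at the new `repo_hash` and `make generate` then executes them, these commands run upstream-controlled code inside the Renovate runner; the deleted Octo STS policy bounded that to one repository with explicit `contents`/`pull_requests`/`workflows` scopes, whereas the runner's own credentials now set the blast radius, so it is worth confirming that runner operates with a token limited to this repository. Keeping `currentDigest: repo_hash` so Renovate bumps a commit pin rather than a bare ref looks right, and `executionMode: "branch"` runs the tasks once for the grouped update. I would record the host dependency next to the block: `// postUpgradeTasks require the Renovate host to list these commands in allowedCommands; otherwise they are skipped and vendored modules go stale.`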