ci: Automate Dependabot configuration generation

[vdemeester]

Changes

• Generate the dependabot configuration to handle LTS branches in
  order to prevent release branches dependencies drift and reduce manual
  effort in maintaining per-branch dependency updates
• For release branches, only bump dependencies on patch versions
• Enable weekly automated checks with PR creation on changes

Signed-off-by: Vincent Demeester vdemeest@redhat.com

/kind misc
/area automation

Closes #8572

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

• Has Docs if any changes are user facing, including updates to minimum requirements e.g. Kubernetes version bumps
• Has Tests included if any functionality added or changed
• pre-commit Passed
• Follows the commit message standard
• Meets the Tekton contributor standards (including functionality, content, code)
• Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
• Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings). See some examples of good release notes.
• Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

NONE

[afrittoli]

Thanks for this. Perhaps for some ecosystems (like GHA), we could setup auto merge if CI passes on release branches, otherwise it will become a lot of work only to approve all the PRs for the various branches 😅

[vdemeester]

Thanks for this. Perhaps for some ecosystems (like GHA), we could setup auto merge if CI passes on release branches, otherwise it will become a lot of work only to approve all the PRs for the various branches 😅

Agreed 👼🏼 But note that we would only update patch dependencies, and it would only do it for the LTSes branches, so it shouldn't be that bad I guess/hope.

Also, we could do it today, by applying the labels (lgtm and approved) directly when creating the pull-request 🧌

[vdemeester]

/retest

[waveywaves]

/lgtm

anticipating this to be opened on Monday !

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: waveywaves

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [waveywaves]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[aThorp96]

This should be be automatically updated I think, it should be coming from a source of truth elsewhere

[vdemeester]

Right, for now, the only "source of truth" is the release.md markdown, but not necessarily easy to parse. For now I thought it would make sense to have a post release checklist item for this.. but agreeing that mid/long term it needs to be automated.

[aThorp96]

Hmmm, yeah that's not super clean to parse as the source of truth. It could be done using an awk oneliner but it's a little ugly/archaic so not a blocker

E.g. this awk script searches for any 3rd-level heading under ## Release (stops searching at the next 2nd-level heading) which match the regex ### \d+\.\d+, then rewrites the \d\.\d version into the branch name.

 $ awk '/^## Release$/{found=1; next} found && /^## /{exit} found && /^### v[0-9]+\.[0-9]+/{sub(/^### /, "release-"); sub(/( \(LTS\))?\s*$/, ".x"); print}' releases.md
release-v1.11.x
release-v1.9.x
release-v1.6.x
release-v1.3.x
release-v1.0.x

Note though that regex doesn't check for \(LTS\)$ so it lists release-v1.11.x which is not included in this PR's list.

If we want to leave this list as hardcoded can we update the post-release checklist in this same PR?

[github-advanced-security]

zizmor found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

[vdemeester]

/retest

[afrittoli]

/lgtm