23 changes: 19 additions & 4 deletions .github/renovate.json
Expand Up @@ -5,12 +5,27 @@
],
"packageRules": [
{
"description": "KFLUXSPRT-8235: Prow/Tide repo — pre-label lgtm/approved; Tide merges after CI (no Renovate/platform automerge)",
"matchManagers": ["gomod", "tekton"],
"matchUpdateTypes": ["minor", "patch", "pin", "digest"],
"description": "KFLUXSPRT-8235: Prow/Tide repo \u2014 pre-label lgtm/approved; Tide merges after CI (no Renovate/platform automerge)",
"matchManagers": [
"gomod",
"tekton"
],
"matchUpdateTypes": [
"minor",
"patch",
"pin",
"digest"
],
"automerge": false,
"platformAutomerge": false,
"addLabels": ["lgtm", "approved"]
"addLabels": [
"lgtm",
"approved"
]
}
],
"enabledManagers": [

Contributor

Does this MCVW really need this explicitly for MintMaker gomod to run, instead of relying only on the inherited boilerplate renovate config?

As you mentioned earlier, pagerduty-operator was used as a reference case, but I want to understand whether this is a Renovate/MintMaker merge behavior or a rollout workaround?

"tekton",
"gomod"
Comment on lines +27 to +29

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Read-only check for potential duplicate gomod automation across Renovate and Dependabot.

set -euo pipefail

echo "== Renovate managers =="
if [ -f .github/renovate.json ]; then
  sed -n '1,200p' .github/renovate.json | nl -ba
else
  echo ".github/renovate.json not found"
fi

echo
echo "== Dependabot gomod entries (if any) =="
if [ -f .github/dependabot.yml ]; then
  nl -ba .github/dependabot.yml | sed -n '1,260p'
  echo
  rg -n -C3 'package-ecosystem:\s*"gomod"|package-ecosystem:\s*gomod' .github/dependabot.yml || true
else
  echo ".github/dependabot.yml not found"
fi
```

Repository: openshift/managed-cluster-validating-webhooks

Length of output: 174


🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail

echo "== Renovate configuration (.github/renovate.json) =="
if [ -f .github/renovate.json ]; then
  cat -n .github/renovate.json | head -20
else
  echo ".github/renovate.json not found"
fi

echo
echo "== Dependabot configuration (.github/dependabot.yml) =="
if [ -f .github/dependabot.yml ]; then
  cat -n .github/dependabot.yml
  echo
  echo "== Searching for gomod in dependabot.yml =="
  rg -n 'gomod' .github/dependabot.yml || echo "No 'gomod' found in dependabot.yml"
else
  echo ".github/dependabot.yml not found"
fi
```

Repository: openshift/managed-cluster-validating-webhooks

Length of output: 1721


Remove gomod from Renovate's enabledManagers or from Dependabot.

The gomod manager is now enabled in Renovate (line 8), but .github/dependabot.yml still has an active gomod package-ecosystem entry (line 16). Both systems will attempt to manage the same dependencies, creating duplicate PR streams. Choose one tool for gomod updates and disable it in the other.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/renovate.json around lines 6 - 8, You have duplicate dependency
management for Go modules: the `gomod` manager is enabled in Renovate's
enabledManagers configuration, and `.github/dependabot.yml` also has an active
`gomod` package-ecosystem entry. This causes both tools to create separate PRs
for the same dependencies. Choose one tool to manage Go module dependencies and
disable it in the other. Either remove `gomod` from the enabledManagers array in
the Renovate configuration, or remove the gomod package-ecosystem entry from the
Dependabot configuration—pick one tool to be the single source of truth for
gomod updates.

]
}
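
Review bot: The `packageRules` entry pre-applies both `lgtm` and `approved` through `addLabels` to every `gomod` and `tekton` update of type `minor`, `patch`, `pin` or `digest`, so although `automerge` and `platformAutomerge` are false, the merge is still unattended: by the rule's own description Tide merges after CI, which leaves CI as the only gate. With `gomod` listed under `enabledManagers`, that covers minor Go module bumps as well as digest changes. Consider narrowing `matchUpdateTypes` for `gomod`, or adding only `lgtm` so that a human still has to supply `approved`. Separately, the one-line and multi-line forms of `matchManagers`, `matchUpdateTypes` and `addLabels` carry the same values, and `description` differs only in the `\u2014` escape; leaving that formatting untouched would keep the diff down to the `enabledManagers` lines that change behavior.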
Binary file added e2e.test
Binary file not shown.
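
Review bot: `e2e.test` is added as a binary file with no reviewable diff, next to a change that otherwise only touches `.github/renovate.json`. If it is a locally built artifact, drop it from the commit and add it to `.gitignore`; if it is meant to be checked in, the PR should state what produced it so reviewers can rebuild it instead of trusting opaque content.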