ci: update renovate window

.checkov.yml

@@ -9,4 +9,3 @@ summary-position: bottom
 
 skip-check:
   - CKV_TF_1 # Ensure Terraform module sources use a commit hash // pending https://github.com/hashicorp/terraform/issues/29867
-  - CKV2_AWS_65

.env

@@ -1,3 +1,3 @@
 BUILD_HARNESS_REPO=ghcr.io/defenseunicorns/build-harness/build-harness
 # renovate: datasource=github-tags depName=defenseunicorns/build-harness
-BUILD_HARNESS_VERSION=1.14.1
+BUILD_HARNESS_VERSION=1.14.0

.github/workflows/pull-request-opened-by-renovate.yml

@@ -2,7 +2,15 @@
 # If Renovate is the author of the PR that triggers this workflow, but the workflow event is anything but "opened", it will do nothing.
 # If Renovate is the author of the PR that triggers this workflow, and the workflow event is "opened", it will:
 #   1. Autoformat using pre-commit and, if necessary, push an additional commit to the PR with the autoformat fixes.
-#   2. Add the "/test all" comment to the PR, so that the Slash Command Dispatch workflow is triggered automatically.
+#   2. Change the branch protection rules to turn off require codeowner approval due to github apps not being able to be codeowners or added to teams.
+#   3. narwhal-bot approves the PR.
+#   4. narwhal-bot merges the PR.
+#   5. PR is added to merge queue.
+#   6. tests are ran.
+#     a. If tests pass, PR is merged.
+#       i. If PR is merged, it is closed and branch is deleted.
+#     b. If tests fail, PR stays open and it is removed from merge queue.
+#   7. Branch protection is always set back to the original state.
 #
 # See ADR #0008.
 name: auto-test

.golangci.yml

@@ -21,6 +21,21 @@ linters:
 linters-settings:
   funlen:
     lines: 120
+  testifylint:
+    enable-all: false
+    enable:
+      - bool-compare
+      - compares
+      - empty
+      - error-is-as
+      - error-nil
+      - expected-actual
+      - float-compare
+      - len
+      - suite-dont-use-pkg
+      - suite-extra-assert-call
+      - suite-thelper
+      # -require-error causes errors in our e2e test patterns
 issues:
   exclude:
     - "G304" # Potential file inclusion via variable

.pre-commit-config.yaml

@@ -16,8 +16,8 @@ repos:
       - id: check-yaml
         args:
           - "--allow-multiple-documents"
-  - repo: https://github.com/sirosen/fix-smartquotes
-    rev: 0.2.0
+  - repo: https://github.com/sirosen/texthooks
+    rev: 0.6.2
     hooks:
       - id: fix-smartquotes
   - repo: https://github.com/tekwizely/pre-commit-golang
@@ -28,6 +28,7 @@ repos:
         args:
           - "--timeout=10m"
           - "--verbose"
+          - "--allow-parallel-runners"
   - repo: https://github.com/antonbabenko/pre-commit-terraform
     rev: v1.83.5
     hooks:
@@ -46,6 +47,6 @@ repos:
         args:
           - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
   - repo: https://github.com/renovatebot/pre-commit-hooks
-    rev: 37.47.0
+    rev: 37.59.7
     hooks:
       - id: renovate-config-validator

go.sum

@@ -384,8 +384,6 @@ github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/ad
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/gruntwork-io/go-commons v0.8.0 h1:k/yypwrPqSeYHevLlEDmvmgQzcyTwrlZGRaxEM6G0ro=
 github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78=
-github.com/gruntwork-io/terratest v0.46.1 h1:dJ/y2/Li6yCDIc8KXY8PfydtrMRiXFb3UZm4LoPShPI=
-github.com/gruntwork-io/terratest v0.46.1/go.mod h1:gl//tb5cLnbpQs1FTSNwhsrbhsoG00goCJPfOnyliiU=
 github.com/gruntwork-io/terratest v0.46.5 h1:cmsIAKjM1Hqwy5tlZPb6EJQvaMCD4xRX1DN9fnTptBM=
 github.com/gruntwork-io/terratest v0.46.5/go.mod h1:6gI5MlLeyF+SLwqocA5GBzcTix+XiuxCy1BPwKuT+WM=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=

renovate.json5

@@ -1,6 +1,6 @@
 {
-  $schema: "https://docs.renovatebot.com/renovate-schema.json",
-  extends: [
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
     // Tells Renovate to maintain one GitHub issue as the "dependency dashboard". See https://docs.renovatebot.com/key-concepts/dashboard
     ":dependencyDashboard",
     // Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use. See https://docs.renovatebot.com/presets-default/#semanticprefixfixdepschoreothers
@@ -14,30 +14,25 @@
     "workarounds:all"
   ],
   // If we don't specify a timezone then Renovate will use UTC
-  timezone: "America/New_York",
-  // Giving a small window constrains when Renovate will create PRs. The objective here is to only have Renovate create PRs on weekdays in the morning. This setting only affects when PRs are created. Without other configuration Renovate will rebase any PRs that already exist whenever it wants to.
-  // We need an "after" and a "before" because there is other automation that happens earlier that we don't want Renovate to conflict with.
-  schedule: [
-    "after 7am and before 9am every weekday"
+  "timezone": "America/New_York",
+  // fires between 4 am and 5 am EST on mondays
+  "schedule": [
+    "after 4am and before 5am on Monday"
   ],
   // This will prevent Renovate from automatically rebasing PRs. Without this, Renovate will rebase PRs whenever it wants to. The 'schedule' param is only for creating PRs. Because we are grouping all changes into one PR without this Renovate will be constantly rebasing that PR which we don't want since every time that happens another set of GHA status checks are kicked off.
   // Using a value of "conflicted" means that Renovate will only rebase PRs if they are in a conflicted state. See https://docs.renovatebot.com/configuration-options/#rebasewhen
-  rebaseWhen: "conflicted",
+  "rebaseWhen": "never",
   // Labels to set in Pull Request. See https://docs.renovatebot.com/configuration-options/#labels
-  labels: [
+  "labels": [
     "renovate"
   ],
   // Rate limit PRs to maximum x created per hour. 0 means no limit. See https://docs.renovatebot.com/configuration-options/#prhourlylimit
-  prHourlyLimit: 0,
+  "prHourlyLimit": 1,
   // Limit to a maximum of x concurrent branches/PRs. 0 means no limit. See https://docs.renovatebot.com/configuration-options/#prconcurrentlimit
-  prConcurrentLimit: 0,
-  // List of additional notes/templates to include in the Pull Request body. See https://docs.renovatebot.com/configuration-options/#prbodynotes
-  prBodyNotes: [
-    "- :warning: The E2E tests need to be run, they have a manual trigger. To start them add a comment to this PR that says `/test all`"
-  ],
+  "prConcurrentLimit": 0,
   // Enable updates to the pre-commit-config.yaml file. See https://docs.renovatebot.com/modules/manager/pre-commit/
   "pre-commit": {
-    enabled: true
+    "enabled": true
   },
   "regexManagers": [
     // Custom regex manager for the .env file that follows the pattern documented here: https://docs.renovatebot.com/modules/manager/regex/#advanced-capture
@@ -59,30 +54,16 @@
       "extractVersionTemplate": "^v?(?<version>.*)$"
     }
   ],
-  packageRules: [
+  "packageRules": [
     {
-      matchPackageNames: ["k8s.io/client-go"],
-      allowedVersions: "<1.0.0"
+      "matchPackageNames": ["k8s.io/client-go"],
+      "allowedVersions": "<1.0.0"
     },
     {
-      matchManagers: ["terraform"],
-      matchDepTypes: ["module"],
-      matchDatasources: ["github-tags", "git-tags"],
-      versioning: "loose"
+      "matchManagers": ["terraform"],
+      "matchDepTypes": ["module"],
+      "matchDatasources": ["github-tags", "git-tags"],
+      "versioning": "loose"
     }
-  ],
-  "vulnerabilityAlerts": {
-    "enabled": true,
-    "groupName": null,
-    "schedule": [],
-    "dependencyDashboardApproval": false,
-    "minimumReleaseAge": null,
-    "rangeStrategy": "update-lockfile",
-    "commitMessageSuffix": "[SECURITY]",
-    "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
-    "prCreation": "immediate",
-    "labels": ["security"],
-    "automerge": true,
-    "assignees": ["@defenseunicorns/delivery-aws-iac"]
-  }
+  ]
 }