Add Dependabot and updatecli configuration for all dependency ecosystems #146

Draft
Copilot wants to merge 4 commits into main from copilot/setup-dependabot-for-dependencies

Copilot AI commented Dec 4, 2025

Dependencies are declared across multiple locations (go.mod, tofu modules, Dockerfile, GitHub Actions) with no automated update mechanism.

Changes

Adds .github/dependabot.yml with weekly update schedules for:

  • gomod — go.mod at root
  • github-actions — workflow action versions
  • docker — base images in Dockerfile
  • terraform — OpenTofu providers in tofu/main/{aws,azure,k3d,harvester}

Adds updatecli/ with manifests and .github/workflows/updatecli.yml for:

  • vendored binaries — OpenTofu, kubectl, Helm, k3d versions in download-vendored-bin.sh

The updatecli workflow runs weekly on Mondays and can be triggered manually, following the same pattern used in rancher/rancher.

Not covered

  • darts/*.yaml (chart/distro versions) — These are configuration values rather than package dependencies

Original prompt

This project has dependencies declared in many places: go.mod, tofu modules, dartfiles and the vendored binaries command (at least - check if there's more).

I want a dependabot setup to cover them all.


Copilot AI changed the title from "[WIP] Add dependabot setup to manage all dependencies" to "Add Dependabot configuration for all dependency ecosystems" Dec 4, 2025
Copilot AI requested a review from moio December 4, 2025 08:27

moio left a comment

download-vendored-bin.sh (vendored binary versions: tofu, kubectl, helm, k3d)
darts/*.yaml (chart/distro versions)

Propose solutions


Copilot AI commented Dec 4, 2025

download-vendored-bin.sh (vendored binary versions: tofu, kubectl, helm, k3d)
darts/*.yaml (chart/distro versions)
...

For download-vendored-bin.sh and darts/*.yaml, here are two solutions:

Option 1: Renovate Bot with regex managers
Renovate's custom regex manager can parse version patterns from any file format. Example config:

{
  "customManagers": [
    {
      "customType": "regex",
      "fileMatch": ["download-vendored-bin\\.sh$"],
      "matchStrings": [
        "OPENTOFU_VERSION=(?<currentValue>\\d+\\.\\d+\\.\\d+)",
        "KUBECTL_VERSION=(?<currentValue>\\d+\\.\\d+\\.\\d+)",
        "HELM_VERSION=(?<currentValue>\\d+\\.\\d+\\.\\d+)",
        "K3D_VERSION=(?<currentValue>\\d+\\.\\d+\\.\\d+)"
      ],
      "depNameTemplate": "opentofu/opentofu",
      "datasourceTemplate": "github-releases"
    }
  ]
}

This would require migrating from Dependabot to Renovate.

Option 2: Custom GitHub Actions workflow
A scheduled workflow that checks upstream releases and opens PRs when updates are available. Less automated than Renovate but keeps the existing Dependabot setup.

Would you like me to implement either of these?
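
A simplified model of the regex manager's matching step (an added example, not part of the comment above and not Renovate's code), showing what several matchStrings combined with one fixed depNameTemplate produce: every extracted pin carries the same dependency name. The script contents and the upstream repository names other than opentofu/opentofu are assumptions.

```javascript
// Added illustration, not Renovate's code: mimics how a regex custom manager
// turns each matchStrings hit into a dependency record.

// Constructed sample; the real download-vendored-bin.sh is not shown on the page.
const SAMPLE_SCRIPT = [
  'OPENTOFU_VERSION=1.8.2',
  'KUBECTL_VERSION=1.30.1',
  'HELM_VERSION=3.15.0',
  'K3D_VERSION=5.7.1',
].join('\n');

const SEMVER = '(?<currentValue>\\d+\\.\\d+\\.\\d+)';
const pin = (name) => `${name}_VERSION=${SEMVER}`;

// Same shape as the config in the comment: four patterns, one static depName.
const sharedManager = {
  matchStrings: ['OPENTOFU', 'KUBECTL', 'HELM', 'K3D'].map(pin),
  depNameTemplate: 'opentofu/opentofu',
};

// One manager per pin. Upstream repository names are assumptions.
const perPinManagers = [
  ['OPENTOFU', 'opentofu/opentofu'],
  ['KUBECTL', 'kubernetes/kubernetes'],
  ['HELM', 'helm/helm'],
  ['K3D', 'k3d-io/k3d'],
].map(([name, repo]) => ({ matchStrings: [pin(name)], depNameTemplate: repo }));

// Apply every pattern to the file; each hit becomes { depName, currentValue }.
function extractDeps(content, manager) {
  const deps = [];
  for (const pattern of manager.matchStrings) {
    for (const m of content.matchAll(new RegExp(pattern, 'g'))) {
      deps.push({ depName: manager.depNameTemplate, currentValue: m.groups.currentValue });
    }
  }
  return deps;
}

// Review heuristic: several patterns feeding one static depNameTemplate is
// worth a second look, since unrelated pins would share one upstream lookup.
function hasSharedStaticName(manager) {
  return manager.matchStrings.length > 1 && !manager.depNameTemplate.includes('{{');
}

console.log(extractDeps(SAMPLE_SCRIPT, sharedManager));
console.log(perPinManagers.flatMap((m) => extractDeps(SAMPLE_SCRIPT, m)));
```

With the shared manager, the kubectl, Helm and k3d pins would all be compared against OpenTofu releases; splitting into one manager per pin gives each its own upstream.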

Copilot AI requested a review from moio December 4, 2025 09:02

moio commented Dec 4, 2025

@copilot is an updatecli solution doable? Like in rancher/rancher: https://github.com/rancher/rancher/blob/main/updatecli/README.md?plain=1


Copilot AI commented Dec 4, 2025

@copilot is an updatecli solution doable? Like in rancher/rancher: https://github.com/rancher/rancher/blob/main/updatecli/README.md?plain=1

Yes, implemented in 9eadd36. Added:

  • updatecli/ directory with manifests following the rancher/rancher pattern
  • .github/workflows/updatecli.yml - runs weekly on Mondays
  • Covers OpenTofu, kubectl, Helm, and k3d versions in download-vendored-bin.sh

Copilot AI changed the title from "Add Dependabot configuration for all dependency ecosystems" to "Add Dependabot and updatecli configuration for all dependency ecosystems" Dec 4, 2025