Add big-fat-warning re: golang 1.21+ toolchain

.cirrus.yml

@@ -27,7 +27,7 @@
 cirrus-ci/renovate_validation_task:
     only_if: *not_docs
     container:
-        image: docker.io/renovate/renovate:latest
+        image: ghcr.io/renovatebot/renovate:latest
     env:
         RCV: /usr/local/bin/renovate-config-validator
     preset_validate_script:
@@ -84,7 +84,7 @@
 
 
 # Represent primary Cirrus-CI based testing (Required for merge)
 cirrus-ci/success_task:
     container: *ci_container
     depends_on: &everything
         - cirrus-ci/unit-test
@@ -101,7 +101,7 @@
 #      action trigers `on: check-suite: completed` event, which cannot
 #      fire since the manual task has dependencies that cannot be
 #      satisfied.
 github-actions/success_task:
     container: *ci_container
     # Note: ***DO NOT*** manually trigger this task under normal circumstances.
     #       It is triggered automatically by the cirrus-ci_retrospective

renovate/defaults.json5

@@ -4,21 +4,20 @@ Validate this file before commiting with (from repository root):
 
     podman run -it \
         -v ./renovate/defaults.json5:/usr/src/app/renovate.json5:z \
-        docker.io/renovate/renovate:latest \
+        ghcr.io/renovatebot/renovate:latest \
         renovate-config-validator
 
+and/or use the pre-commit hook: https://github.com/renovatebot/pre-commit-hooks
 */
 
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-
   "description": "This is a basic preset intended\
   for reuse to reduce the amount of boiler-plate\
   configuration that otherwise would need to be\
   duplicated. It should be referenced from other\
   repositories renovate config under the 'extends'\
-  section as:\
-  github>containers/automation//renovate/defaults.json5\
+  section as:  github>containers/automation//renovate/defaults.json5\
   (optionally with a '#X.Y.Z' version-tag suffix).",
 
   /*************************************************
@@ -34,7 +33,7 @@ Validate this file before commiting with (from repository root):
     ":gitSignOff",
 
     // Always rebase dep. update PRs from `main` when PR is stale
-    ":rebaseStalePrs",
+    ":rebaseStalePrs"
   ],
 
   // The default setting is ambiguous, explicitly base schedules on UTC
@@ -49,6 +48,7 @@ Validate this file before commiting with (from repository root):
   // Default setting is an "empty" schedule.  Explicitly set this
   // such that security-alert PRs may be opened immediately.
   "vulnerabilityAlerts": {
+    // Distinguish PRs from regular dependency updates
     "labels": ["dependencies", "security"],
 
     // Force-enable renovate management of deps. which are otherwise
@@ -64,7 +64,7 @@ Validate this file before commiting with (from repository root):
       {
         "matchManagers": ["gomod"],
         "matchDepTypes": ["indirect"],
-        "enabled": true,
+        "enabled": true
       }
     ]
   },
@@ -78,37 +78,65 @@ Validate this file before commiting with (from repository root):
    ***** Manager-specific configuration options *****
    **************************************************/
 
-  "regexManagers": [
+  "customManagers": [
+    // Track the latest CI VM images by tag on the containers/automation_images
+    // repo.  Propose updates when newer tag available compared to what is
+    // referenced in a repo's .cirrus.yml file.
     {
+      "customType": "regex",
       "fileMatch": "^.cirrus.yml$",
       // Expected veresion format: c<automation_images IMG_SFX value>
       // For example `c20230120t152650z-f37f36u2204`
       "matchStrings": ["c(?<currentValue>20\\d{6}t\\d{6}z-\\w+)"],
       "depNameTemplate": "containers/automation_images",
       "datasourceTemplate": "github-tags",
       "versioningTemplate": "loose",
-      "autoReplaceStringTemplate": "c{{{newVersion}}}",
+      "autoReplaceStringTemplate": "c{{{newVersion}}}"
     },
+
+    // For skopeo and podman, manage the golangci-lint version as
+    // referenced in their Makefile.
     {
+      "customType": "regex",
       "fileMatch": "^Makefile$",
       // make ignores whitespace around the value, make renovate do the same.
-      "matchStrings": ["GOLANGCI_LINT_VERSION\\s+:=\\s+(?<currentValue>.+)\\s*"],
+      "matchStrings": [
+        "GOLANGCI_LINT_VERSION\\s+:=\\s+(?<currentValue>.+)\\s*"
+      ],
       "depNameTemplate": "golangci/golangci-lint",
       "datasourceTemplate": "github-releases",
       "versioningTemplate": "semver-coerced",
       // Podman's installer script will puke if there's a 'v' prefix, as represented
       // in upstream golangci/golangci-lint releases.
-      "extractVersionTemplate": "v(?<version>.+)",
+      "extractVersionTemplate": "v(?<version>.+)"
     }
   ],
 
+  /*************************************************
+  ***** Language-specific configuration options ****
+  **************************************************/
+
+  // *****  ATTENTION  WARNING  CAUTION  DANGER  ***** //
+  // Go versions 1.21 and later will AUTO-UPDATE based on _module_
+  // _requirements_.  ref: https://go.dev/doc/toolchain  Because
+  // many different projects covered by this config, build under
+  // different distros and distro-versions, golang version consistency
+  // is desireable across build outputs.  In golang 1.21 and later,
+  // it's possible to pin the version in each project using the
+  // toolchain go.mod directive.  Prior to 1.21, for now, we do not
+  // want Renovate to propose updates which also trigger golang
+  // auto-updates. The only way to fully disable these auto-updates
+  // in renovate is through a forced static-version constraint. This
+  // is undesireable from a maintenance perspective, and hopefully
+  // temporarry. Ref: Upstream discussion https://github.com/golang/go/issues/65847
+  "constraints": {"go": "1.20"},
+
   // N/B: LAST MATCHING RULE WINS, match statems are ANDed together.
   // https://docs.renovatebot.com/configuration-options/#packagerules
   "packageRules": [
-
     /*************************************************
-    ***** Rust-specific configuration options *****
-    *************************************************/
+    ****** Rust-specific configuration options *******
+    **************************************************/
     {
       "matchCategories": ["rust"],
       // Update both Cargo.toml and Cargo.lock when possible
@@ -124,44 +152,38 @@ Validate this file before commiting with (from repository root):
       "rangeStrategy": "bump",
       // These packages roll updates far too often, slow them down.
       // Ref: https://github.com/containers/netavark/issues/772
-      "schedule": ["after 1am and before 11am on the first day of the month"],
+      "schedule": ["after 1am and before 11am on the first day of the month"]
     },
 
     /*************************************************
-    ***** Python-specific configuration options *****
-    *************************************************/
+    ****** Python-specific configuration options *****
+    **************************************************/
     {
       "matchCategories": ["python"],
       // Preserve (but continue to upgrade) any existing SemVer ranges.
       "rangeStrategy": "replace"
     },
 
     /*************************************************
-    ***** Golang-specific configuration options *****
-    *************************************************/
+    ****** Golang-specific configuration options *****
+    **************************************************/
     {
       "matchCategories": ["golang"],
-
       // disabled by default, safe to enable since "tidy" enforced by CI.
       "postUpdateOptions": ["gomodTidy"],
-
       // In case a version in use is retracted, allow going backwards.
       // N/B: This is NOT compatible with pseudo versions, see below.
       "rollbackPrs": false,
-
       // Preserve (but continue to upgrade) any existing SemVer ranges.
-      "rangeStrategy": "replace",
-
-      // N/B: LAST MATCHING RULE WINS
-      // https://docs.renovatebot.com/configuration-options/#packagerules
+      "rangeStrategy": "replace"
     },
 
     // Golang pseudo-version packages will spam with every Commit ID change.
     // Limit update frequency.
     {
       "matchCategories": ["golang"],
       "matchUpdateTypes": ["digest"],
-      "schedule": ["after 1am and before 11am on the first day of the month"],
+      "schedule": ["after 1am and before 11am on the first day of the month"]
     },
 
     // Package version retraction (https://go.dev/ref/mod#go-mod-file-retract)
@@ -174,6 +196,16 @@ Validate this file before commiting with (from repository root):
       "allowedVersions": "!/v((1.0.0)|(1.0.1))$/"
     },
 
+    // Add CI:DOCS prefix to skip unnecessary tests for golangci updates in podman CI.
+    {
+      "matchPackageNames": ["golangci/golangci-lint"],
+      "commitMessagePrefix": "[CI:DOCS]"
+    },
+
+    /*************************************************
+    ************ CI configuration options ************
+    **************************************************/
+
     // Github-action updates cannot consistently be tested in a PR.
     // This is caused by an unfixable architecture-flaw: Execution
     // context always depends on trigger, and we (obvious) can't know
@@ -190,19 +222,13 @@ Validate this file before commiting with (from repository root):
     // example, flagging an important TODO or FIXME item.  Or, where CI VM
     // images are split across multiple IMG_SFX values that all need to be updated.
     {
-      "matchManagers": ["regex"],
-      "matchFileNames": [".cirrus.yml"],  // full-path exact-match
+      "matchManagers": ["custom.regex"],
+      "matchFileNames": [".cirrus.yml"],
       "groupName": "CI VM Image",
       // Somebody(s) need to check image update PRs as soon as they open.
       "reviewers": ["cevich"],
       // Don't wait, roll out CI VM Updates immediately
-      "schedule": ["at any time"],
+      "schedule": ["at any time"]
     },
-
-    // Add CI:DOCS prefix to skip unnecessary tests for golangci updates in podman CI.
-    {
-      "matchPackageNames": ["golangci/golangci-lint"],
-      "commitMessagePrefix": "[CI:DOCS]",
-    },
-  ],
+  ]
 }