Reconfigure renovate

[LecrisUT]

In order to properly run renovate with python dependencies that require system packages (see failure) we have to run renovate as self-hosted and embed the dependencies needed in the renovate runner to be able to run uv sync.

A breakdown of how this works:

• containers/Containerfile.renovate: Inherits from upstream renovate image aka ghcr.io/renovatebot/renovate
• build-and-publish-renovate.yml: Whenever the file above is updated or if run manually, this workflow build the container as renovate-tmt:latest and publishes it to this repo's github container respository
• renovate.yml: Using the container above, this workflow basically runs renovate itself using the renovate-config.json for the runner, after which it is equivalent with the hosted renovate
• In order for Github Actions to be run on PRs created by a different github action, a token other than ${github.token} must be used. In this case a Github app will be created and owned at the teemtee organization which is then fed into actions/create-github-app-token to get the final token that renovate would be using. See renovatebot/github-action example for more explanation

Besides the workflow above, to make sure everything is working correctly this PR reconfigures renovate.json as well:

• Simplify the Documentation Dependencies flow. Something is probably still missing to properly make the PRs for these, but will continue this work afterwards
• Drop the hatch devDependencies
• Enable the python dependency update for everything. This probably needs more fine-tuning probably with lockFileMaintenance

[LecrisUT]

From the other PR, this is still relevant

It is a bit more complicated because even the suggested schedule may not be enough according to the last schedule attempt. Still tracking how to actually configure this in renovatebot/renovate#37720.

Btw, we can always trigger the current ones manually.

[renovate]

Reconfigure PR Results

This is a reconfigure PR comment to help you understand and re-configure your renovate bot settings. If this Reconfigure PR were to be merged, we'd expect to see the following outcome:

---

Detected Package Files

• containers/Containerfile.full (dockerfile)
• containers/Containerfile.mini (dockerfile)
• containers/alpine/Containerfile (dockerfile)
• containers/alpine/Containerfile.upstream (dockerfile)
• containers/centos/7/Containerfile (dockerfile)
• containers/centos/7/Containerfile.upstream (dockerfile)
• containers/centos/stream10/Containerfile (dockerfile)
• containers/centos/stream10/Containerfile.upstream (dockerfile)
• containers/centos/stream9/Containerfile (dockerfile)
• containers/centos/stream9/Containerfile.upstream (dockerfile)
• containers/debian/12.7/Containerfile.upstream (dockerfile)
• containers/fedora/42/Containerfile (dockerfile)
• containers/fedora/42/Containerfile.unprivileged (dockerfile)
• containers/fedora/42/Containerfile.upstream (dockerfile)
• containers/fedora/42/bootc/Containerfile (dockerfile)
• containers/fedora/43/Containerfile (dockerfile)
• containers/fedora/43/Containerfile.unprivileged (dockerfile)
• containers/fedora/43/Containerfile.upstream (dockerfile)
• containers/fedora/coreos/Containerfile (dockerfile)
• containers/fedora/coreos/ostree/Containerfile (dockerfile)
• containers/fedora/eln/Containerfile (dockerfile)
• containers/fedora/eln/Containerfile.unprivileged (dockerfile)
• containers/fedora/eln/Containerfile.upstream (dockerfile)
• containers/fedora/latest/Containerfile (dockerfile)
• containers/fedora/latest/Containerfile.unprivileged (dockerfile)
• containers/fedora/latest/Containerfile.upstream (dockerfile)
• containers/fedora/latest/bootc/Containerfile (dockerfile)
• containers/fedora/rawhide/Containerfile (dockerfile)
• containers/fedora/rawhide/Containerfile.unprivileged (dockerfile)
• containers/fedora/rawhide/Containerfile.upstream (dockerfile)
• containers/ubi/8/Containerfile.upstream (dockerfile)
• containers/ubuntu/22.04/Containerfile.upstream (dockerfile)
• .github/workflows/doc-tests.yml (github-actions)
• .github/workflows/pre-commit.yml (github-actions)
• .github/workflows/publish-images.yml (github-actions)
• .github/workflows/release.yml (github-actions)
• .github/workflows/shellcheck.yml (github-actions)
• pyproject.toml (pep621)
• .pre-commit-config.yaml (pre-commit)

Configuration Summary

Based on the default config's presets, Renovate will:

• Hopefully safe environment variables to allow users to configure.
• Show all Merge Confidence badges for pull requests.
• Enable Renovate Dependency Dashboard creation.
• Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use.
• Ignore node_modules, bower_components, vendor and various test/tests (except for nuget) directories.
• Group known monorepo packages together.
• Use curated list of recommended non-monorepo package groupings.
• Show only the Age and Confidence Merge Confidence badges for pull requests.
• Apply crowd-sourced package replacement rules.
• Apply crowd-sourced workarounds for known problems with packages.
• Ensure that every dependency pinned by digest and sourced from GitHub.com contains a link to the commit-to-commit diff
• Correctly link to the source code for golang.org/x packages
• Link to pkg.go.dev/... for golang.org/x packages' title
• Enable the pre-commit manager.
• Disable semantic prefixes for commit messages and PR titles.

---

What to Expect

With your current configuration, Renovate will create 3 Pull Requests:

Update Pre-commit Dependencies

• Schedule: ["at any time"]
• Branch name: renovate/pre-commit-dependencies
• Merge into: main
• Upgrade ansible-community/ansible-lint to v26.3.0
• Upgrade astral-sh/uv-pre-commit to 0.10.9
• Upgrade charliermarsh/ruff-pre-commit to v0.15.5
• Upgrade codespell-project/codespell to v2.4.2
• Upgrade teemtee/tmt to 1.69.0

Update GitHub Actions

• Schedule: ["at any time"]
• Branch name: renovate/github-actions
• Merge into: main
• Upgrade actions/attest-build-provenance to v4
• Upgrade actions/download-artifact to v8
• Upgrade actions/upload-artifact to v7

Update Locked dependencies

• Schedule: ["at any time"]
• Branch name: renovate/locked-dependencies
• Merge into: main
• Upgrade setuptools to <83
• Upgrade types-requests to <2.32.4.20260108

🚸 PR creation will be limited to maximum 2 per hour, so it doesn't swamp any CI resources or overwhelm the project. See docs for prHourlyLimit for details.

[LecrisUT]

To investigate: Why are the docs no longer grouped? They are not grouped in main branch either: https://developer.mend.io/github/teemtee/tmt. Probably missing a flag to not separate the major releases.