fix(ci): update workflows and renovate

Signed-off-by: Tyler Witlin <twitlin@witl.xyz>

.github/labeler.yaml

@@ -1,13 +1,12 @@
 ---
+# Area
 area/ansible:
   - changed-files:
       - any-glob-to-any-file: ansible/**/*
-area/pulumi:
-  - changed-files:
-      - any-glob-to-any-file: pulumi/**/*
 area/docs:
   - changed-files:
       - any-glob-to-any-file: docs/**/*
+      - any-glob-to-any-file: README.md
 area/github:
   - changed-files:
       - any-glob-to-any-file: .github/**/*
@@ -18,15 +17,17 @@ area/taskfile:
   - changed-files:
       - any-glob-to-any-file: .taskfiles/**/*
       - any-glob-to-any-file: Taskfile*
-area/terraform:
+area/pulumi:
   - changed-files:
-      - any-glob-to-any-file: terraform/**/*
+      - any-glob-to-any-file: pulumi/**/*
+# Cluster
 cluster/kyak:
   - changed-files:
+      - any-glob-to-any-file: talos/kyak/**/*
       - any-glob-to-any-file: kubernetes/kyak/**/*
+      - any-glob-to-any-file: pulimi/kyak/**/*
 cluster/sol:
   - changed-files:
+      - any-glob-to-any-file: ansible/sol/**/*
       - any-glob-to-any-file: kubernetes/sol/**/*
-cluster/cobra:
-  - changed-files:
-      - any-glob-to-any-file: kubernetes/cobra/**/*
+      - any-glob-to-any-file: pulumi/sol/**/*

.github/renovate.json5

@@ -3,39 +3,37 @@
   "extends": [
     "config:recommended",
     "docker:enableMajor",
+    "helpers:pinGitHubActionDigests",
     "replacements:k8s-registry-move",
+    ":automergeBranch",
     ":disableRateLimiting",
     ":dependencyDashboard",
     ":semanticCommits",
-    ":automergeDigest",
-    ":automergeBranch",
+    ":skipStatusChecks",
     ":timezone(America/New_York)",
     "github>coolguy1771/home-ops//.github/renovate/allowedVersions.json5",
     "github>coolguy1771/home-ops//.github/renovate/autoMerge.json5",
     "github>coolguy1771/home-ops//.github/renovate/clusters.json5",
     "github>coolguy1771/home-ops//.github/renovate/commitMessage.json5",
-    "github>coolguy1771/home-ops//.github/renovate/customDatasources.json5",
     "github>coolguy1771/home-ops//.github/renovate/customManagers.json5",
+    "github>coolguy1771/home-ops//.github/renovate/grafanaDashboards.json5",
     "github>coolguy1771/home-ops//.github/renovate/groups.json5",
     "github>coolguy1771/home-ops//.github/renovate/labels.json5",
     "github>coolguy1771/home-ops//.github/renovate/packageRules.json5",
-    "github>coolguy1771/home-ops//.github/renovate/semanticCommits.json5",
-    "helpers:pinGitHubActionDigests",
-    "security:openssf-scorecard"
+    "github>coolguy1771/home-ops//.github/renovate/semanticCommits.json5"
   ],
   "onboarding": false,
   "requireConfig": "optional",
   "dependencyDashboardTitle": "Renovate Dashboard 🤖",
-  "suppressNotifications": ["prIgnoreNotification"],
-  "vulnerabilityAlerts": {
-    "labels": ["security"],
-    "automerge": true,
-    "automergeType": "branch",
-    "schedule": ["at any time"]
-  },
-  "osvVulnerabilityAlerts": true,
-  "dependencyDashboardOSVVulnerabilitySummary": "all",
-  "ignorePaths": ["**/archive/**"],
+  "suppressNotifications": ["prEditedNotification", "prIgnoreNotification"],
+  "rebaseWhen": "conflicted",
+  "assigneesFromCodeOwners": true,
+  "reviewersFromCodeOwners": true,
+  "ignorePaths": [
+    "**/*.sops.*",
+    "**/.archive/**",
+    "**/resources/**"
+  ],
   "flux": {
     "fileMatch": [
       "(^|/)kubernetes/.+\\.ya?ml(\\.j2)?$"

.github/renovate/autoMerge.json5

@@ -2,20 +2,18 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "packageRules": [
     {
-      "description": "Auto merge container digests",
+      "description": "Auto-merge container digests updates for trusted containers",
       "matchDatasources": ["docker"],
       "automerge": true,
-      "ignoreTests": true,
       "automergeType": "branch",
       "matchUpdateTypes": ["digest"],
       "matchPackagePatterns": ["ghcr.io/bjw-s", "ghcr.io/onedr0p", "ghcr.io/coolguy1771"]
     },
     {
-      "description": "Auto merge GitHub Actions",
+      "description": "Auto-merge GitHub Actions for minor and patch",
       "matchManagers": ["github-actions"],
       "matchDatasources": ["github-tags"],
       "automerge": true,
-      "ignoreTests": true,
       "automergeType": "branch",
       "matchUpdateTypes": ["minor", "patch"]
     }

.github/renovate/clusters.json5

@@ -2,29 +2,22 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "packageRules": [
     {
-      "description": "Separate PRs for main cluster",
+      "description": "Separate PRs for kyak cluster",
       "matchFileNames": [
-        "**/kubernetes/kyak/**"
+        "**/kubernetes/kyak/**",
+        "**/ansible/kyak/**",
+        "**/pulumi/kyak/**"
       ],
-      "additionalBranchPrefix": "main-"
+      "additionalBranchPrefix": "kyak-"
     },
     {
-      "description": "Separate PRs for storage cluster",
+      "description": "Separate PRs for sol cluster",
       "matchFileNames": [
         "**/kubernetes/sol/**",
-        "**/ansible/storage/**",
-        "**/terraform/storage/**"
+        "**/ansible/sol/**",
+        "**/pulumi/sol/**"
       ],
-      "additionalBranchPrefix": "storage-"
-    },
-    {
-      "description": "Separate PRs for cobra cluster",
-      "matchFileNames": [
-        "**/kubernetes/cobra/**",
-        "**/ansible/cobra/**",
-        "**/terraform/cobra/**"
-      ],
-      "additionalBranchPrefix": "cobra-"
+      "additionalBranchPrefix": "sol-"
     }
   ]
 }

.github/renovate/commitMessage.json5

@@ -11,11 +11,6 @@
     {
       "matchDatasources": ["docker"],
       "commitMessageTopic": "image {{depName}}"
-    },
-    {
-      "matchDatasources": ["custom.grafana-dashboards"],
-      "commitMessageTopic": "dashboard {{depName}}",
-      "commitMessageExtra": "to revision {{newVersion}}"
     }
   ]
 }

.github/renovate/customManagers.json5

@@ -33,18 +33,6 @@
       ],
       "datasourceTemplate": "docker",
       "versioningTemplate": "redhat"
-    },
-    {
-      "customType": "regex",
-      "description": "Process Grafana dashboards",
-      "fileMatch": [
-        "(^|/)kubernetes/.+\\.ya?ml(\\.j2)?$"
-      ],
-      "matchStrings": [
-        "depName=\"(?<depName>.*)\"\\n\\s+gnetId:\\s+(?<packageName>.*?)\\n\\s+revision:\\s+(?<currentValue>.*)"
-      ],
-      "datasourceTemplate": "custom.grafana-dashboards",
-      "versioningTemplate": "regex:^(?<major>\\d+)$"
     }
   ]
 }

.github/renovate/grafanaDashboards.json5

@@ -0,0 +1,37 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "customDatasources": {
+    "grafana-dashboards": {
+      "defaultRegistryUrlTemplate": "https://grafana.com/api/dashboards/{{packageName}}",
+      "format": "json",
+      "transformTemplates": [
+        "{\"releases\":[{\"version\": $string(revision)}]}"
+      ]
+    }
+  },
+  "customManagers": [
+    {
+      "customType": "regex",
+      "description": "Process Grafana dashboards",
+      "fileMatch": [
+        "(^|/)kubernetes/.+\\.ya?ml(\\.j2)?$"
+      ],
+      "matchStrings": [
+        "depName=\"(?<depName>\\S+)\"\\n.*?gnetId: (?<packageName>\\d+)\\n.*?revision: (?<currentValue>\\d+)"
+      ],
+      "datasourceTemplate": "custom.grafana-dashboards",
+      "versioningTemplate": "regex:^(?<major>\\d+)$"
+    }
+  ],
+  "packageRules": [
+    {
+      "addLabels": ["renovate/grafana-dashboard"],
+      "commitMessageExtra": "to revision {{newVersion}}",
+      "commitMessageTopic": "dashboard {{depName}}",
+      "matchDatasources": ["grafana-dashboards", "custom.grafana-dashboards"],
+      "matchUpdateTypes": ["major"],
+      "semanticCommitScope": "grafana-dashboards",
+      "semanticCommitType": "chore"
+    }
+  ]
+}

.github/renovate/labels.json5

@@ -44,10 +44,6 @@
     {
       "matchDatasources": ["pypi"],
       "addLabels": ["renovate/pip"]
-    },
-    {
-      "matchDatasources": ["grafana-dashboards", "custom.grafana-dashboards"],
-      "addLabels": ["renovate/grafana-dashboard"]
     }
   ]
 }

.github/renovate/semanticCommits.json5

@@ -110,12 +110,6 @@
       "matchUpdateTypes": ["patch"],
       "semanticCommitType": "fix",
       "semanticCommitScope": "github-action"
-    },
-    {
-      "matchDatasources": ["custom.grafana-dashboards"],
-      "matchUpdateTypes": ["major"],
-      "semanticCommitType": "chore",
-      "semanticCommitScope": "grafana-dashboards"
     }
   ]
 }

.github/workflows/flux-diff.yaml

@@ -6,6 +6,12 @@ on:
     branches: ["main"]
     paths: ["kubernetes/**.yaml"]
 
+env:
+  DEBCONF_NONINTERACTIVE_SEEN: "true"
+  DEBIAN_FRONTEND: noninteractive
+  APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE: DontWarn
+  NIX_FLAKE_PATH: ./.github/workflows/resources/nix
+
 jobs:
   flux-diff:
     name: Flux Diff
@@ -14,7 +20,7 @@ jobs:
       pull-requests: write
     strategy:
       matrix:
-        path: ["kubernetes/kyak", "kubernetes/cobra", "kubernetes/sol"]
+        path: ["kubernetes/kyak", "kubernetes/sol"]
         resource: ["helmrelease", "kustomization"]
     steps:
       - name: Generate Token
@@ -24,8 +30,24 @@ jobs:
           app-id: "${{ secrets.BOT_APP_ID }}"
           private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
 
-      - name: Setup Flux
-        uses: fluxcd/flux2/action@a18d4f345021182d6516bf3e8e00210567f46ab5 # v2.1.2
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          token: "${{ steps.app-token.outputs.token }}"
+
+      - name: Install OS Deps
+        shell: bash
+        run: sudo apt-get update && sudo apt-get install -y curl git xz-utils
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@7ac1ec25491415c381d9b62f0657c7a028df52a7 # v24
+        with:
+          github_access_token: "${{ steps.app-token.outputs.token }}"
+
+      - name: Switch to Nix devShell
+        uses: nicknovitski/nix-develop@a2060d116a50b36dfab02280af558e73ab52427d # v1.1.0
+        with:
+          arguments: "${{ env.NIX_FLAKE_PATH }}"
 
       - name: Diff Resources
         # uses: allenporter/flux-local/action/diff@19bfc6920e8964a479363bc230e6c329120ead02 # 3.2.0