NO-JIRA: Add renovate config validation workflow and make target #2385

Open
jeff-roche wants to merge 1 commit into openshift:main from jeff-roche:chore/renovate-config-updates
@jeff-roche jeff-roche commented May 20, 2026

Summary

  • Add a GitHub Actions workflow to validate renovate.json on PRs and pushes to main
  • Add a validate-renovate-config make target in release/konflux.make for local validation using the quay.io/konflux-ci/mintmaker-renovate-image container
  • Update renovate.json to extend mintmaker-presets for rpm-lockfile refresh and disable-minor-updates

Important Note

I don't actually know if this will work as intended. The addition to the extends should trigger the PR to do container and RPMs together but I don't know if our other configs override that functionality. I will monitor after merge and open follow up PRs if it overlaps. There is no way to test this prior to merge unfortunately.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Added a CI workflow to validate the repository's Renovate configuration on PRs and pushes to main.
    • Added a local make target to run Renovate configuration validation containerized.
    • Updated Renovate configuration to include additional preset extensions and remove a deprecated lockfile option.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 20, 2026
@openshift-ci-robot

@jeff-roche: This pull request explicitly references no jira issue.

Details

In response to this:

Summary

  • Add a GitHub Actions workflow to validate renovate.json on PRs and pushes to main
  • Add a validate-renovate-config make target in release/konflux.make for local validation using the quay.io/konflux-ci/mintmaker-renovate-image container
  • Update renovate.json to extend mintmaker-presets for rpm-lockfile refresh and disable-minor-updates

Test plan

  • Run make -f release/konflux.make validate-renovate-config locally to verify the config passes validation
  • Verify the GitHub Actions workflow triggers on PRs that modify renovate.json

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


coderabbitai Bot commented May 20, 2026

Walkthrough

This PR introduces renovate.json validation infrastructure and updates the renovate configuration. A GitHub Actions workflow and make target are added to validate the renovate config via Konflux CI's validator. The renovate.json file is updated with two additional Mintmaker presets, reformatted for compactness, and the rebaseStalePrs option is removed from lock file maintenance.

Changes

Renovate config validation and updates

| Layer / File(s) | Summary |
|---|---|
| Validation infrastructure (workflow and make target): .github/workflows/renovate-config-validation.yaml, release/konflux.make | GitHub Actions workflow validates renovate.json on push/pull_request to main; make target provides local validation via containerized renovate-config-validator with read-only mount. |
| Renovate config presets and cleanup: renovate.json | Extends configuration with refresh-rpm-lockfiles and disable-minor-updates Mintmaker presets, removes rebaseStalePrs from lockFileMaintenance, and reformats JSON arrays and fields into single-line compact forms. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • eggfoobar
  • jaypoulz
🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main changes: adding a GitHub Actions workflow and make target for renovate config validation. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR contains only configuration files (GitHub Actions workflow, Makefile, JSON config) with no Ginkgo tests, so the stability requirement doesn't apply. |
| Test Structure And Quality | ✅ Passed | No Ginkgo test code in PR. Changes are configuration/workflow files (.github/workflows, renovate.json, Makefile), not test files. |
| Microshift Test Compatibility | ✅ Passed | No Ginkgo e2e tests were added in this PR. Changes are limited to GitHub Actions workflow, Makefile, and renovate.json configuration files. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR does not add any Ginkgo e2e tests. It only adds a GitHub Actions workflow, a Makefile target, and updates a JSON configuration file for Renovate. The SNO compatibility check is not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR modifies only CI/build infrastructure (GitHub Actions workflow, Makefile) and Renovate config; no Kubernetes deployment manifests or operator code with scheduling constraints are introduced. |
| Ote Binary Stdout Contract | ✅ Passed | OTE Binary Stdout Contract check is not applicable—PR contains no Go test binaries, main processes, or test suite setup code; only CI/CD configuration files. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR does not add any Ginkgo e2e tests; modified files are workflow YAML, makefile, and JSON config only. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |


@openshift-ci openshift-ci Bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label May 20, 2026
@openshift-ci openshift-ci Bot requested review from eggfoobar and qJkee May 20, 2026 16:13

openshift-ci Bot commented May 20, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jeff-roche

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 20, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
release/konflux.make (1)

51-51: ⚡ Quick win

Pin image tag to immutable digest for reproducible validation.

Line 51 uses :latest, which can cause validation behavior to drift over time. Replace with a pinned digest via a variable for deterministic, reproducible builds.

Suggested fix
+MINTMAKER_RENOVATE_IMAGE ?= quay.io/konflux-ci/mintmaker-renovate-image@sha256:01cfae2158374cab0349842b035f4afe1f4037118e4c98a9c574cc96af2643d2
+
 .PHONY: validate-renovate-config
 validate-renovate-config:
 	$(IMAGE_BUILD_CMD) run --rm \
 	-v $(shell pwd)/renovate.json:/workspace/renovate.json:ro,Z \
-	quay.io/konflux-ci/mintmaker-renovate-image:latest \
+	$(MINTMAKER_RENOVATE_IMAGE) \
 	renovate-config-validator /workspace/renovate.json
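Review bot: the added `MINTMAKER_RENOVATE_IMAGE ?= ...@sha256:...` line uses `?=`, so a variable of the same name already present in the environment replaces the pinned digest without any trace in the makefile. If the pin is meant to be enforced, assign it with `:=`, or keep `?=` and document the override. The digest also carries no tag or comment, so record next to it which image version it corresponds to; otherwise nobody can tell when it needs a refresh.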
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@release/konflux.make` at line 51, Replace the floating tag
"quay.io/konflux-ci/mintmaker-renovate-image:latest" with an immutable digest
variable to ensure reproducible validation; update the reference in the
release/konflux.make target that uses
"quay.io/konflux-ci/mintmaker-renovate-image:latest" to use a pinned variable
(e.g., MINTMAKER_RENOVATE_IMAGE) that contains the full image@sha256:... digest
and read that variable where the image is consumed so builds always use the
exact digest rather than :latest.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/renovate-config-validation.yaml:
- Line 24: The workflow's config_file setting currently points to
test/renovate.json which doesn't match the workflow trigger on the root
renovate.json; update the config_file value under the Renovate validation step
(the config_file key) to the intended path (e.g., renovate.json) or make it
parameterized so the workflow validates the same file the trigger watches.
- Around line 21-22: Replace floating refs for the GitHub Actions with pinned
commit SHAs: change uses: actions/checkout@v4 to uses:
actions/checkout@<commit-sha> and uses:
konflux-ci/renovate-config-validator-action@main to uses:
konflux-ci/renovate-config-validator-action@<commit-sha>, and harden the
checkout step by adding the persist-credentials: false option to the
actions/checkout invocation; update the workflow occurrences referencing
actions/checkout and konflux-ci/renovate-config-validator-action accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 3fe55358-5e5f-4298-9827-0df4178450a7

📥 Commits

Reviewing files that changed from the base of the PR and between b3c2128 and 9e5665b.

📒 Files selected for processing (3)
  • .github/workflows/renovate-config-validation.yaml
  • release/konflux.make
  • renovate.json
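
The two workflow findings in the review above (floating action refs and checkout credential persistence) can be checked mechanically. The following is an added example, not code from the PR or from CodeRabbit; the function name `audit_workflow`, the line-based parsing and the sample workflow text are assumptions, with the sample constructed from the fragments quoted on this page.

```python
import re
from difflib import SequenceMatcher

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
KEY = re.compile(r"^\s*([\w-]+):\s*([^#]*)")
WANTED = "persist-credentials"  # the actions/checkout input named in the review

def audit_workflow(text):
    """Return sorted (line_number, message) findings for workflow YAML text."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m:
            continue
        action, _, ref = m.group(1).strip("'\"").partition("@")
        if action.startswith(("./", "docker://")):
            continue  # local and container actions have no git ref to pin
        if not re.fullmatch(r"[0-9a-f]{40}", ref):
            findings.append((i + 1, f"{action}: ref '{ref}' is not a full commit SHA"))
        if action != "actions/checkout":
            continue
        hardened = False
        for j in range(i + 1, len(lines)):  # keys of this step, up to the next "- "
            if re.match(r"^\s*-\s", lines[j]):
                break
            k = KEY.match(lines[j])
            if not k:
                continue
            key, value = k.group(1), k.group(2).strip().strip("'\"").lower()
            if key == WANTED:
                hardened = value == "false"
            elif SequenceMatcher(None, key, WANTED).ratio() > 0.8:
                findings.append((j + 1, f"unknown input '{key}', did you mean '{WANTED}'?"))
        if not hardened:
            findings.append((i + 1, "actions/checkout: persist-credentials is not false"))
    return sorted(findings)

# Constructed sample: the steps as quoted on this page, indentation restored.
AS_SUBMITTED = """\
steps:
  - uses: actions/checkout@v4
    with:
      persistant-credentials: false
  - uses: konflux-ci/renovate-config-validator-action@main
"""
# The same steps hardened; the SHAs are placeholders, not real commits.
HARDENED = (AS_SUBMITTED.replace("@v4", "@" + "0" * 40)
            .replace("@main", "@" + "1" * 40)
            .replace("persistant", "persist"))
```

The near-miss check matters because a misspelled input does not fail the job, so a workflow can look hardened in review while checkout still behaves as if the option were never set.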

@jeff-roche jeff-roche force-pushed the chore/renovate-config-updates branch from 9e5665b to 09559ef Compare May 20, 2026 16:21
…arget

Add a GitHub Actions workflow to validate renovate.json on PRs and pushes
to main. Add a make target in release/konflux.make to run the same
validation locally using the mintmaker-renovate-image container. Update
renovate.json to extend mintmaker-presets for rpm-lockfile refresh and
disable-minor-updates.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jeff-roche jeff-roche force-pushed the chore/renovate-config-updates branch from 09559ef to a7f5185 Compare May 20, 2026 16:24
@jeff-roche

/override ci/prow/unit-test


openshift-ci Bot commented May 20, 2026

@jeff-roche: Overrode contexts on behalf of jeff-roche: ci/prow/unit-test

Details

In response to this:

/override ci/prow/unit-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


openshift-ci Bot commented May 20, 2026

@jeff-roche: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-hypershift | a7f5185 | link | true | /test e2e-aws-hypershift |
| ci/prow/snyk-deps | a7f5185 | link | false | /test snyk-deps |
| ci/prow/e2e-aws | a7f5185 | link | true | /test e2e-aws |
| ci/prow/e2e-aws-single-node | a7f5185 | link | true | /test e2e-aws-single-node |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

steps:
- uses: actions/checkout@v4
with:
persistant-credentials: false
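
Review bot: the key under `with:` on the checkout step is spelled `persistant-credentials`, which is not an input of actions/checkout; the input is `persist-credentials`, as named in the earlier review comment. An unrecognized input is ignored, so as written the token is still stored in the checked-out repository's git config. Rename the key to `persist-credentials: false`. The step also still references `actions/checkout@v4` rather than a commit SHA, which the same review comment asked to pin.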