Added AMI cleanup tool

.github/renovate-repo-config.js

@@ -0,0 +1,8 @@
+// A Javascript file is used instead of JSON so that environment variables can be pulled in
+// via `process.env.VARIABLE_NAME` if needed. This allows secrets to be stored in Github
+// then provided to the Renovate config here.
+module.exports = {
+    $schema: "https://docs.renovatebot.com/renovate-schema.json",
+    // This file is empty for now, but it may be useful to be able to add private registry
+    // authentication (i.e. ECR) or secrets at a later point.
+};

.github/renovate.json5

@@ -0,0 +1,63 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":enableRenovate",
+    ":semanticCommits",
+    // TODO enable these after extensive testing
+    // ":automergeDigest",
+    // ":automergeMinor",
+    // ":automergeAll",
+    // ":automergeRequireAllStatusChecks",
+    ":enableVulnerabilityAlerts",
+    ":ignoreUnstable",
+    ":label(dependency-update)",
+    ":prConcurrentLimitNone",
+    ":prHourlyLimitNone",
+    ":prImmediately",
+    ":rebaseStalePrs",
+    ":renovatePrefix",
+    "helpers:pinGitHubActionDigests", // This ensures that underlying tags are not replaced with a separate commit (tags are immutable but commits are not)
+    "preview:dockerVersions",
+    "regexManagers:githubActionsVersions", // See https://docs.renovatebot.com/presets-regexManagers/#regexmanagersgithubactionsversions for how to use this
+    "github>gravitational/shared-workflows//.github/renovate/commitMessage.json5",
+    "github>gravitational/shared-workflows//.github/renovate/labels.json5",
+    "github>gravitational/shared-workflows//.github/renovate/languages.json5",
+    "github>gravitational/shared-workflows//.github/renovate/renovate.json5",
+    // Presets for each project
+    "github>gravitational/shared-workflows//tools/ami-cleanup/renovate.json5"
+  ],
+  "useBaseBranchConfig": "merge", // This is set to allow for some degree of testing PRs, see https://github.com/renovatebot/renovate/discussions/16108
+  "pinDigest": {
+    // TODO enable this after extensive testing
+    // "automerge": true
+  },
+  // This is used so that not everything in the entire repo is setup for Renovate at once
+  // Initially this configuration is designed to only support the new GHA EKS clusters
+  "enabledManagers": [
+    "github-actions",
+    "custom.regex",
+    "gomod"
+  ],
+  // Unfortunatly Renovate can only override manager defaults via a blacklist instead of a whitelist
+  "ignorePaths": [
+    // These predate RFD 0001 and are managed by dependabot
+    "bot/**", 
+    "github/workflows/codeql.yml",
+    "github/workflows/csv-lint.yaml",
+    "github/workflows/dependency-review.yaml",
+    "github/workflows/github-action-lint.yaml",
+    "github/workflows/govulncheck.yaml",
+    "github/workflows/json-lint.yaml",
+    "github/workflows/terraform-lint.yaml",
+    "github/workflows/trivy.yaml"
+  ],
+  "vulnerabilityAlerts": {
+    "dependencyDashboardApproval": true,
+    "rangeStrategy": "auto",
+    "commitMessageSuffix": "[SECURITY]",
+    "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
+    "prCreation": "immediate",
+    "enabled": true
+  }
+}

.github/renovate/commitMessage.json5

@@ -0,0 +1,14 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    // See https://docs.renovatebot.com/configuration-options/#commitmessage for details
+    "commitMessageTopic": "{{depName}}",
+    "commitMessageExtra": "to {{newVersion}}",
+    "packageRules": [
+        {
+            "matchManagers": [
+                "github-actions"
+            ],
+            "commitMessageTopic": "action {{depName}}"
+        }
+    ]
+}

.github/renovate/labels.json5

@@ -0,0 +1,86 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "packageRules": [
+    // Labels for specific version change types
+    {
+      "matchUpdateTypes": [
+        "major"
+      ],
+      "addLabels": [
+        "renovate/type/major"
+      ]
+    },
+    {
+      "matchUpdateTypes": [
+        "minor"
+      ],
+      "addLabels": [
+        "renovate/type/minor"
+      ]
+    },
+    {
+      "matchUpdateTypes": [
+        "patch"
+      ],
+      "addLabels": [
+        "renovate/type/patch"
+      ]
+    },
+    {
+      "matchUpdateTypes": [
+        "digest"
+      ],
+      "addLabels": [
+        "renovate/type/digest"
+      ]
+    },
+    // Labels for specific artifact types
+    {
+      "matchDatasources": [
+        "github-releases",
+        "github-tags"
+      ],
+      "addLabels": [
+        "renovate/github-release"
+      ]
+    },
+    {
+      "matchManagers": [
+        "github-actions"
+      ],
+      "addLabels": [
+        "renovate/github-action"
+      ]
+    },
+    {
+      "matchManagers": [
+        "gomod"
+      ],
+      "addLabels": [
+        "renovate/golang"
+      ]
+    },
+    // Labels for specific directories
+    {
+      "description": "Label Github workflow PRs",
+      "matchFileNames": [
+        "**/workflows/*.yml",
+        "**/workflows/*.yaml"
+      ],
+      "addLabels": [
+        "renovate/workflow/{{{ replace '\\.ya?ml$' '' (replace '^\\.github\\/workflows\\/' '' packageFile) }}}"
+      ]
+    },
+    {
+      "description": "Label Renovate PRs",
+      "matchFileNames": [
+        ".github/renovate*",
+        ".github/renovate/**",
+        "renovate.json5"
+      ],
+      "addLabels": [
+        "renovate/config/{{{ replace '\\.js(?:on5?)?$' '' (replace '^\\.github\\/' '' packageFile) }}}"
+      ]
+    }
+  ]
+}

.github/renovate/languages.json5

@@ -0,0 +1,54 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "gomod": {
+        "postUpdateOptions": [
+            "gomodTidy",
+            "gomodUpdateImportPaths"
+        ]
+    },
+    "customManagers": [
+        // Earthfiles
+        {
+            "description": "Earthly language version - Earthfiles",
+            "customType": "regex",
+            "fileMatch": [
+                "Earthfile$"
+            ],
+            "matchStrings": [
+                "^\\s*VERSION(?:.*(?:\\\\\\n)?)*(?<currentValue>\\d+\\.\\d)+$"
+            ],
+            "datasourceTemplate": "github-releases",
+            "depNameTemplate": "earthly/earthly",
+            "packageNameTemplate": "earthly/earthly",
+            "versioningTemplate": "semver-coerced",
+            // Extract the major and minor version from the latest GH release
+            "extractVersionTemplate": "^v?(?<version>\\d+\\.\\d+).*$"
+        },
+        {
+            "description": "Earthly version - setup action in GHA workflows",
+            "customType": "regex",
+            "fileMatch": [
+                "^.*/workflows/[^/].ya?ml$"
+            ],
+            "matchStrings": [
+                "# renovate: earthly-version\\s*\\n\\s*version: \\s*(?<currentValue>.*?)\\s*\\n"
+            ],
+            "datasourceTemplate": "github-releases",
+            "depNameTemplate": "earthly/earthly",
+            "packageNameTemplate": "earthly/earthly",
+            "versioningTemplate": "semver-coerced"
+        },
+        {
+            "description": "Container images - Earthfiles",
+            "customType": "regex",
+            "fileMatch": [
+                "Earthfile$"
+            ],
+            "matchStrings": [
+                "\\s*FROM \\s*.*?(?<depName>\\S+):(?<currentValue>[^\\s\\$]+)"
+            ],
+            "datasourceTemplate": "docker",
+            "versioningTemplate": "docker"
+        }
+    ]
+}

.github/renovate/renovate.json5

@@ -0,0 +1,19 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "github-actions": {
+        "fileMatch": [
+            "^\\.github/workflows/renovate(?:-bypass)?\\.ya?ml$"
+        ]
+    },
+    "packageRules": [
+        {
+            "description": "Assign to maintainer",
+            "matchFileNames": [
+                ".github/workflows/renovate*.yaml"
+            ],
+            "extends": [
+                ":assignAndReview(fheinecke)",
+            ]
+        }
+    ]
+}

.github/workflows/ami-cleanup-cd.yaml

@@ -0,0 +1 @@
+../../tools/ami-cleanup/workflows/cd.yaml

.github/workflows/ami-cleanup-ci.yaml

@@ -0,0 +1 @@
+../../tools/ami-cleanup/workflows/ci.yaml