Added AMI cleanup tool

.github/renovate-repo-config.js

@@ -0,0 +1,8 @@
+// A Javascript file is used instead of JSON so that environment variables can be pulled in
+// via `process.env.VARIABLE_NAME` if needed. This allows secrets to be stored in Github
+// then provided to the Renovate config here.
+module.exports = {
+    $schema: "https://docs.renovatebot.com/renovate-schema.json",
+    // This file is empty for now, but it may be useful to be able to add private registry
+    // authentication (i.e. ECR) or secrets at a later point.
+};

.github/renovate.json5

@@ -0,0 +1,63 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":enableRenovate",
+    ":semanticCommits",
+    // TODO enable these after extensive testing
+    // ":automergeDigest",
+    // ":automergeMinor",
+    // ":automergeAll",
+    // ":automergeRequireAllStatusChecks",
+    ":enableVulnerabilityAlerts",
+    ":ignoreUnstable",
+    ":label(dependency-update)",
+    ":prConcurrentLimitNone",
+    ":prHourlyLimitNone",
+    ":prImmediately",
+    ":rebaseStalePrs",
+    ":renovatePrefix",
+    "helpers:pinGitHubActionDigests", // This ensures that underlying tags are not replaced with a separate commit (tags are immutable but commits are not)
+    "preview:dockerVersions",
+    "regexManagers:githubActionsVersions", // See https://docs.renovatebot.com/presets-regexManagers/#regexmanagersgithubactionsversions for how to use this
+    "github>gravitational/shared-workflows//.github/renovate/commitMessage.json5",
+    "github>gravitational/shared-workflows//.github/renovate/labels.json5",
+    "github>gravitational/shared-workflows//.github/renovate/languages.json5",
+    "github>gravitational/shared-workflows//.github/renovate/renovate.json5",
+    // Presets for each project
+    "github>gravitational/shared-workflows//tools/ami-cleanup/renovate.json5"
+  ],
+  "useBaseBranchConfig": "merge", // This is set to allow for some degree of testing PRs, see https://github.com/renovatebot/renovate/discussions/16108
+  "pinDigest": {
+    // TODO enable this after extensive testing
+    // "automerge": true
+  },
+  // This is used so that not everything in the entire repo is setup for Renovate at once
+  // Initially this configuration is designed to only support the new GHA EKS clusters
+  "enabledManagers": [
+    "github-actions",
+    "custom.regex",
+    "gomod"
+  ],
+  // Unfortunatly Renovate can only override manager defaults via a blacklist instead of a whitelist
+  "ignorePaths": [
+    // These predate RFD 0001 and are managed by dependabot
+    "bot/**", 
+    ".github/workflows/codeql.yml",
+    ".github/workflows/csv-lint.yaml",
+    ".github/workflows/dependency-review.yaml",
+    ".github/workflows/github-action-lint.yaml",
+    ".github/workflows/govulncheck.yaml",
+    ".github/workflows/json-lint.yaml",
+    ".github/workflows/terraform-lint.yaml",
+    ".github/workflows/trivy.yaml"
+  ],
+  "vulnerabilityAlerts": {
+    "dependencyDashboardApproval": true,
+    "rangeStrategy": "auto",
+    "commitMessageSuffix": "[SECURITY]",
+    "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
+    "prCreation": "immediate",
+    "enabled": true
+  }
+}

.github/renovate/commitMessage.json5

@@ -0,0 +1,14 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    // See https://docs.renovatebot.com/configuration-options/#commitmessage for details
+    "commitMessageTopic": "{{depName}}",
+    "commitMessageExtra": "to {{newVersion}}",
+    "packageRules": [
+        {
+            "matchManagers": [
+                "github-actions"
+            ],
+            "commitMessageTopic": "action {{depName}}"
+        }
+    ]
+}

.github/renovate/labels.json5

@@ -0,0 +1,86 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "packageRules": [
+    // Labels for specific version change types
+    {
+      "matchUpdateTypes": [
+        "major"
+      ],
+      "addLabels": [
+        "renovate/type/major"
+      ]
+    },
+    {
+      "matchUpdateTypes": [
+        "minor"
+      ],
+      "addLabels": [
+        "renovate/type/minor"
+      ]
+    },
+    {
+      "matchUpdateTypes": [
+        "patch"
+      ],
+      "addLabels": [
+        "renovate/type/patch"
+      ]
+    },
+    {
+      "matchUpdateTypes": [
+        "digest"
+      ],
+      "addLabels": [
+        "renovate/type/digest"
+      ]
+    },
+    // Labels for specific artifact types
+    {
+      "matchDatasources": [
+        "github-releases",
+        "github-tags"
+      ],
+      "addLabels": [
+        "renovate/github-release"
+      ]
+    },
+    {
+      "matchManagers": [
+        "github-actions"
+      ],
+      "addLabels": [
+        "renovate/github-action"
+      ]
+    },
+    {
+      "matchManagers": [
+        "gomod"
+      ],
+      "addLabels": [
+        "renovate/golang"
+      ]
+    },
+    // Labels for specific directories
+    {
+      "description": "Label Github workflow PRs",
+      "matchFileNames": [
+        "**/workflows/*.yml",
+        "**/workflows/*.yaml"
+      ],
+      "addLabels": [
+        "renovate/workflow/{{{ replace '\\.ya?ml$' '' (replace '^\\.github\\/workflows\\/' '' packageFile) }}}"
+      ]
+    },
+    {
+      "description": "Label Renovate PRs",
+      "matchFileNames": [
+        ".github/renovate*",
+        ".github/renovate/**",
+        "renovate.json5"
+      ],
+      "addLabels": [
+        "renovate/config/{{{ replace '\\.js(?:on5?)?$' '' (replace '^\\.github\\/' '' packageFile) }}}"
+      ]
+    }
+  ]
+}

.github/renovate/languages.json5

@@ -0,0 +1,54 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "gomod": {
+        "postUpdateOptions": [
+            "gomodTidy",
+            "gomodUpdateImportPaths"
+        ]
+    },
+    "customManagers": [
+        // Earthfiles
+        {
+            "description": "Earthly language version - Earthfiles",
+            "customType": "regex",
+            "fileMatch": [
+                "Earthfile$"
+            ],
+            "matchStrings": [
+                "^\\s*VERSION(?:.*(?:\\\\\\n)?)*(?<currentValue>\\d+\\.\\d)+$"
+            ],
+            "datasourceTemplate": "github-releases",
+            "depNameTemplate": "earthly/earthly",
+            "packageNameTemplate": "earthly/earthly",
+            "versioningTemplate": "semver-coerced",
+            // Extract the major and minor version from the latest GH release
+            "extractVersionTemplate": "^v?(?<version>\\d+\\.\\d+).*$"
+        },
+        {
+            "description": "Earthly version - setup action in GHA workflows",
+            "customType": "regex",
+            "fileMatch": [
+                "^.*/workflows/[^/].ya?ml$"
+            ],
+            "matchStrings": [
+                "# renovate: earthly-version\\s*\\n\\s*version: \\s*(?<currentValue>.*?)\\s*\\n"
+            ],
+            "datasourceTemplate": "github-releases",
+            "depNameTemplate": "earthly/earthly",
+            "packageNameTemplate": "earthly/earthly",
+            "versioningTemplate": "semver-coerced"
+        },
+        {
+            "description": "Container images - Earthfiles",
+            "customType": "regex",
+            "fileMatch": [
+                "Earthfile$"
+            ],
+            "matchStrings": [
+                "\\s*FROM \\s*.*?(?<depName>\\S+):(?<currentValue>[^\\s\\$]+)"
+            ],
+            "datasourceTemplate": "docker",
+            "versioningTemplate": "docker"
+        }
+    ]
+}

.github/renovate/renovate.json5

@@ -0,0 +1,19 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "github-actions": {
+        "fileMatch": [
+            "^\\.github/workflows/renovate(?:-bypass)?\\.ya?ml$"
+        ]
+    },
+    "packageRules": [
+        {
+            "description": "Assign to maintainer",
+            "matchFileNames": [
+                ".github/workflows/renovate*.yaml"
+            ],
+            "extends": [
+                ":assignAndReview(fheinecke)",
+            ]
+        }
+    ]
+}

.github/workflows/ami-cleanup-cd.yaml

@@ -0,0 +1,42 @@
+name: AMI cleanup tool CD
+on:
+  push:
+    tags:
+      - "ami-cleanup-v[0-9]+.[0-9]+.[0-9]+**"
+
+concurrency:
+  group: "Only run one instance of AMI cleanup CD for ${{ github.ref_name }}"
+
+jobs:
+  cut-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Install Earthly
+        uses: earthly/actions-setup@be3fe0c1f84e9776b5a184d21bf7a4a779ea2e6b # v1.0.8
+        with:
+          # renovate: earthly-version
+          version: v0.7.23
+      - name: Determine actual release semver
+        env:
+          # This is copy/pasted from https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string
+          SEMVER_TAG_REGEX: ^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)(?:-(?P<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+(?P<buildmetadata>[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
+          GIT_TAG: ${{ github.ref_name }}
+        run: |
+          # Remove the tool name from the front of the tag
+          SEMVER_TAG=$(echo "$GIT_TAG" | sed 's/^ami-cleanup-v//')
+          echo "Extracted $SEMVER_TAG from git tag"
+
+          # Check if the extracted version is a valid semver
+          if ! $(echo "$SEMVER_TAG" | grep --perl-regexp --quiet "$SEMVER_TAG_REGEX"); then
+            echo "Extracted version $SEMVER_TAG is not a valid semver" >&2
+            exit 1
+          fi
+
+          echo "SEMVER_TAG=$SEMVER_TAG" >> $GITHUB_OUTPUT
+      - name: Cut a new release for ${{ env.SEMVER_TAG }}
+        env:
+          GIT_TAG: ${{ github.ref_name }}
+        working-directory: tools/ami-cleanup
+        run: earthly -ci +release --GIT_TAG="$SEMVER_TAG"

.github/workflows/ami-cleanup-ci.yaml

@@ -0,0 +1,43 @@
+name: AMI cleanup tool CI
+on:
+  pull_request:
+    branches:
+      - main
+
+concurrency:
+  cancel-in-progress: true
+  group: "Only run one instance of AMI cleanup CI for PR #${{ github.event.number }}"
+
+jobs:
+  check-if-should-run:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+    outputs:
+      should-verify-pr: ${{ steps.filter.outputs.changed }} # True if the AMI cleanup tool changed, false otherwise
+    steps:
+      - name: Filter out unrelated changes
+        uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
+        id: filter
+        with:
+          filters: |
+            changed: "tools/ami-cleanup/**"
+  verify-pr:
+    runs-on: ubuntu-latest
+    needs:
+      - check-if-should-run
+    if: ${{ needs.check-if-should-run.outputs.should-verify-pr }}
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Install Earthly
+        uses: earthly/actions-setup@be3fe0c1f84e9776b5a184d21bf7a4a779ea2e6b # v1.0.8
+        with:
+          # renovate: earthly-version
+          version: v0.7.23
+      - name: Lint Go code
+        working-directory: tools/ami-cleanup
+        run: earthly -ci +lint --OUTPUT_FORMAT=github-actions
+      - name: Run Go tests
+        working-directory: tools/ami-cleanup
+        run: earthly -ci +test --OUTPUT_FORMAT=github-actions