chore: enable Renovate and alauda auto-release for harbor-cli #2

Merged: chengjingtao merged 6 commits into alauda-v0.0.18 from chore/renovate-config on Apr 17, 2026

chengjingtao commented Apr 16, 2026

Summary

Enable Renovate-driven dependency auto-update and automated alauda release publishing for the harbor-cli fork.

Renovate configuration

  • Add renovate.json extending AlaudaDevops/renovate-config:base, targeting alauda-v* branches, with gomodTidy post-update and assignee configured.
  • Renovate will auto-create PRs for go.mod dependency updates (patch/digest auto-merge via org preset).

Go version bump

  • go.mod: go 1.24.8 → go 1.26.2
  • .dagger/go.mod: go 1.25.0 → go 1.26.2
  • The root go.mod change propagates to m.GoVersion, so every From("golang:"+m.GoVersion+"-alpine") call in .dagger/*.go picks up golang:1.26.2-alpine automatically.

Alauda auto-tag and release workflows

  • alauda-auto-tag.yml: on push to alauda-v* branches, auto-creates vX.Y.Z-alauda-N tags with incremented N.
  • release-alauda.yml: on v*-alauda-* tag push (or workflow_call/workflow_dispatch), builds and publishes GitHub Release via Dagger (build → archive → checksum → publish-release).
  • default.yaml: added !contains(github.ref, '-alauda-') guard to publish-release job to prevent conflict with alauda release workflow.

Scope decisions

  • publishimage.go is left unchanged (identical to upstream) — it handles container image publishing, not CLI binary releases.
  • Only go.mod / .dagger/go.mod version bumps touch .dagger/ code, minimizing upstream merge conflict surface.

Test plan

  • go build ./... passes with Go 1.26.2
  • go vet ./... passes
  • CI lint, test-code, vulnerability-check all pass
  • Renovate config validates against schema
  • First Renovate PR appears on alauda-v0.0.18 after merge
  • First alauda tag and GitHub Release created after merge

Follow-up

  • AlaudaDevops/renovate-config PR#16 adds AlaudaDevops/harbor-cli to the vX.Y.Z-alauda-N versioning whitelist (tracked separately).

🤖 Generated with Claude Code

alaudabot commented Apr 16, 2026

🤖 AI Code Review

| Property | Value |
| --- | --- |
| Model | opencode/minimax-m2.5-free |
| Style | strict |
| Issues Found | 0 |
| Config Source | centralized |
| Profile | ❌ Not Found |
| Personalized Prompt | ❌ No |
| Prompt Path | .github/review/profiles/alaudadevops/harbor-cli/pr-review.md |
| Alauda Skills | ✅ base-sample-email-draft, base-skill-setup, builders-component-knowledge, builders-confluence, builders-jira, builders-sample-code-review, connectors-explore, connectors-poc-case, connectors-review, connectors-unit-test, connectors-write-user-docs, devops-autodns, devops-bulk-string-replace, devops-candidate-version-supervisor, devops-docker-keyword-analysis, devops-gen-advanced-form-descriptors, devops-go-vuln-fix, devops-knowledge-adoption, devops-refresh-alauda-tags, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-task-generator, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-update-containerfile-digests, devops-upgrade-go |
| Reviewed at | 2026-04-16 22:37:53 UTC |

Summary

This PR enables Renovate-driven dependency auto-update and automated alauda release publishing for harbor-cli. The changes include Go version upgrades (1.24.8 → 1.26.2), new Renovate configuration, and two new GitHub Actions workflows for auto-tagging and releasing. The approach of adding guards to prevent workflow conflicts is well-designed.

Review Statistics

| Category | Count |
| --- | --- |
| Critical Issues | 0 |
| Warnings | 3 |
| Suggestions | 0 |
| Files Reviewed | 6 |

Critical Issues

Issues that MUST be addressed before merging (security, bugs, breaking changes)

None identified.

Warnings

Issues that SHOULD be addressed but are not blocking

  • [.github/workflows/release-alauda.yml:14] Warning (reliability/unknown-action): The sagikazarmark/dagger-version-action@v0.0.1 is a relatively unknown third-party action. Consider verifying its maintenance status or pinning to a specific commit hash for reproducibility.

  • [.github/workflows/release-alauda.yml:19] Warning (perf/missing-artifacts): The workflow builds binaries but doesn't upload them as artifacts. Consider adding an actions/upload-artifact step for debugging purposes.

  • [.github/workflows/alauda-auto-tag.yml:49] Info (style/robustness): The tag extraction logic uses bash string manipulation. Consider adding validation to ensure the branch name matches expected format before processing.

Suggestions

Recommendations for improvement (nice to have)

None.

Positive Feedback

  • Well-structured Renovate configuration extending the organization's base preset
  • Proper separation between default release workflow and alauda-specific workflow using guards
  • Good use of semantic versioning in the auto-tag workflow
  • Clean Go version synchronization across go.mod and .dagger/go.mod


ℹ️ About this review

This review was automatically generated using the run-actions workflow.

  • Shared prompt: .github/prompts/code-review.md
  • Config source: centralized
  • Profile path: Not Found
  • Profile ref: 70116bce40f93e28716196a4b479fec1049b7950
  • No repository-specific prompt configured
  • Alauda skills: base-sample-email-draft, base-skill-setup, builders-component-knowledge, builders-confluence, builders-jira, builders-sample-code-review, connectors-explore, connectors-poc-case, connectors-review, connectors-unit-test, connectors-write-user-docs, devops-autodns, devops-bulk-string-replace, devops-candidate-version-supervisor, devops-docker-keyword-analysis, devops-gen-advanced-form-descriptors, devops-go-vuln-fix, devops-knowledge-adoption, devops-refresh-alauda-tags, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-task-generator, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-update-containerfile-digests, devops-upgrade-go

@danielfbm

PR Assist Bot — Owner Approval Needed

This PR targets release branch alauda-v0.0.18. Per policy, release-branch merges require explicit owner approval before the bot proceeds.

PR: AlaudaDevops/harbor-cli#2
Branch: alauda-v0.0.18
Type: Security / Dependency update (Renovate)

Please reply with /approve-merge or provide explicit approval for the bot to merge this PR on the next sweep.

chengjingtao and others added 3 commits April 16, 2026 21:51
Add renovate.json with org-level preset extension and a custom regex
manager matching `// renovate:` annotations in .dagger/*.go, so base
images referenced via Dagger's From("...") calls become trackable.

Annotate the two final-image-base From calls in publishimage.go without
changing the current alpine:latest value — the actual pin is applied in
a follow-up commit.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Pin the final harbor-cli image base from alpine:latest to alpine:3.23
in both PublishImage build paths. Renovate will track future updates
via the // renovate: annotation added in the previous commit.

Bump `go` directive in go.mod to 1.26.2 and in .dagger/go.mod to 1.26.2.
The root go.mod change also propagates to m.GoVersion, so every
From("golang:"+m.GoVersion+"-alpine") call in .dagger/*.go will pull
golang:1.26.2-alpine on the next Dagger run — no per-file pinning
needed.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

chengjingtao force-pushed the chore/renovate-config branch from aca02bf to 34f0fb8 April 16, 2026 21:52

alaudabot left a comment

Code review completed. See inline comments for suggestions.

chengjingtao and others added 3 commits April 16, 2026 22:16
Add GitHub Actions workflows to automate alauda release publishing:
- alauda-auto-tag.yml: auto-creates vX.Y.Z-alauda-N tags on push to alauda-v* branches
- release-alauda.yml: builds and publishes GitHub Release via Dagger (build → archive → checksum → publish-release)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The default.yaml tag trigger `v*.*.*` also matches alauda tags like
`v0.0.19-alauda-0`, which would cause the upstream publish-release job
to run alongside release-alauda.yml. The upstream job requires secrets
(REGISTRY_PASSWORD etc.) not configured in the fork, causing failures.

Add `!contains(github.ref, '-alauda-')` guard to all publish-release
step conditions so alauda tags are handled exclusively by
release-alauda.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The goal is publishing CLI binaries via GitHub Release, not container
images. publishimage.go is unrelated to that pipeline, so revert the
alpine pin and renovate annotations to keep it identical to upstream.

Remove the now-targetless customManagers section from renovate.json.
Renovate still manages go.mod dependencies via the org-level preset.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

contents: write

jobs:
release:

Warning (reliability/unknown-action): The sagikazarmark/dagger-version-action@v0.0.1 is a version 0.0.1 action from an external maintainer. Consider pinning to a specific version or verifying the action's reliability in production.

runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

Warning (perf/missing-artifacts): The workflow builds binaries but doesn't upload them as artifacts. If the release fails, there's no way to access the built artifacts for debugging. Consider adding an actions/upload-artifact step.


- name: Find latest tag with this prefix
id: latest
run: |

Info (style/robustness): The tag extraction logic uses bash string manipulation. Consider adding validation to handle malformed branch names gracefully.

chengjingtao changed the title from "chore: enable Renovate for dagger images and bump base versions" to "chore: enable Renovate and alauda auto-release for harbor-cli" Apr 16, 2026

contents: write

jobs:
release:

Warning (reliability/unknown-action): The sagikazarmark/dagger-version-action@v0.0.1 is a relatively unknown third-party action. Consider verifying its maintenance status or pinning to a specific commit hash for reproducibility.

runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

Warning (perf/missing-artifacts): The workflow builds binaries but doesn't upload them as artifacts. Consider adding an actions/upload-artifact step for debugging purposes.


- name: Find latest tag with this prefix
id: latest
run: |

Info (style/robustness): The tag extraction logic uses bash string manipulation. Consider adding validation to ensure the branch name matches expected format before processing.
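
The branch-name validation suggested in the comment above, as an added example that is not part of this PR or the project's workflow. It assumes that branch `alauda-vX.Y.Z` owns the tag series `vX.Y.Z-alauda-N`; the function names `is_decimal` and `next_alauda_tag` are hypothetical. Branch names outside that format are rejected before any tag is computed, and tags that are not the exact prefix plus a decimal counter are ignored.

```sh
#!/bin/sh
# Added example, not the project's workflow. Assumption: branch
# alauda-vX.Y.Z owns the tag series vX.Y.Z-alauda-N.

# is_decimal STR: succeeds for "0" or a decimal integer with no leading zero.
is_decimal() {
  case $1 in
    '' | *[!0-9]* | 0?*) return 1 ;;
  esac
  return 0
}

# next_alauda_tag BRANCH [TAG...]: prints the next tag for BRANCH given the
# existing tag names; returns 1 without output if BRANCH is malformed.
# The body is a subshell, so its variables do not leak into the caller.
next_alauda_tag() (
  branch=$1
  shift
  version=${branch#alauda-v}
  fail() { echo "refusing to tag: unexpected branch '$branch'" >&2; exit 1; }
  [ "alauda-v$version" = "$branch" ] || fail
  case $version in *.*.*) ;; *) fail ;; esac
  major=${version%%.*}
  rest=${version#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  is_decimal "$major" && is_decimal "$minor" && is_decimal "$patch" || fail

  prefix="v$version-alauda-"
  max=-1
  for tag in "$@"; do
    n=${tag#"$prefix"}
    # Skip tags from other series and suffixes that are not a plain counter.
    [ "$prefix$n" = "$tag" ] || continue
    is_decimal "$n" || continue
    [ "${#n}" -le 9 ] || continue   # keep shell arithmetic in range
    if [ "$n" -gt "$max" ]; then max=$n; fi
  done
  echo "$prefix$((max + 1))"
)

# Constructed sample input: tag names as `git tag --list` would print them.
next_alauda_tag alauda-v0.0.18 v0.0.18-alauda-0 v0.0.18-alauda-2 \
  v0.0.18-alauda-2-rc1 v0.0.19-alauda-7 v0.0.18
```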

chengjingtao merged commit 58fda58 into alauda-v0.0.18 Apr 17, 2026
6 checks passed
chengjingtao deleted the chore/renovate-config branch April 17, 2026 01:33