Make Renovate suggest base image updates

[erikgb]

Pull Request Motivation

We all love more automation, and this PR should ensure Renovate suggests upgrades to our base images. Relates to #4033.

Kind

/kind cleanup

Release Note

NONE

[Copilot]

Pull Request Overview

This PR configures Renovate to automatically suggest updates for base container images used in the project. The changes enable Renovate to detect and update Docker image digests in the base images makefile.

Key changes:

• Removed autogeneration comment from base images makefile to allow Renovate management
• Added custom regex manager to detect Docker image references with SHA256 digests
• Configured package rules to group base image updates together

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
make/base_images.mk	Removed autogeneration comment to allow Renovate to manage the file
.github/renovate.json5	Added custom manager and package rules for base image updates

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

Pull Request Overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[octo-sts]

Reconfigure PR Results

This is an reconfigure PR comment to help you understand and re-configure your renovate bot settings. If this Reconfigure PR were to be merged, we'd expect to see the following outcome:

---

Detected Package Files

• hack/containers/Containerfile.acmesolver (dockerfile)
• hack/containers/Containerfile.cainjector (dockerfile)
• hack/containers/Containerfile.controller (dockerfile)
• hack/containers/Containerfile.startupapicheck (dockerfile)
• hack/containers/Containerfile.webhook (dockerfile)
• make/config/pebble/Containerfile.pebble (dockerfile)
• make/config/samplewebhook/Containerfile.samplewebhook (dockerfile)
• .github/workflows/scorecards.yml (github-actions)
• cmd/acmesolver/go.mod (gomod)
• cmd/cainjector/go.mod (gomod)
• cmd/controller/go.mod (gomod)
• cmd/startupapicheck/go.mod (gomod)
• cmd/webhook/go.mod (gomod)
• go.mod (gomod)
• test/e2e/go.mod (gomod)
• test/integration/go.mod (gomod)
• make/config/pebble/chart/values.yaml (helm-values)
• make/config/samplewebhook/chart/values.yaml (helm-values)
• .github/renovate.json5 (renovate-config-presets)
• make/base_images.mk (regex)

Configuration Summary

Based on the default config's presets, Renovate will:

• Enable Renovate Dependency Dashboard creation.
• Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use.
• Ignore node_modules, bower_components, vendor and various test/tests (except for nuget) directories.
• Group known monorepo packages together.
• Use curated list of recommended non-monorepo package groupings.
• Show only the Age and Confidence Merge Confidence badges for pull requests.
• Apply crowd-sourced package replacement rules.
• Apply crowd-sourced workarounds for known problems with packages.
• Pin Docker digests.
• Pin github-action digests.
• Enable Renovate configuration migration PRs when needed.
• Pin dependency versions for development dependencies.
• Update _VERSION environment variables in GitHub Action files.
• Append Signed-off-by: to signoff Git commits.
• Use semantic prefixes for commit messages and PR titles.
• Disable vulnerability alerts completely.
• Remove hourly and concurrent rate limits.
• Enable Renovate Dependency Dashboard creation.
• Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use.
• Ignore node_modules, bower_components, vendor and various test/tests (except for nuget) directories.
• Group known monorepo packages together.
• Use curated list of recommended non-monorepo package groupings.
• Show only the Age and Confidence Merge Confidence badges for pull requests.
• Apply crowd-sourced package replacement rules.
• Apply crowd-sourced workarounds for known problems with packages.
• Pin Docker digests.
• Pin github-action digests.
• Enable Renovate configuration migration PRs when needed.
• Pin dependency versions for development dependencies.
• Update _VERSION environment variables in GitHub Action files.
• Append Signed-off-by: to signoff Git commits.
• Use semantic prefixes for commit messages and PR titles.
• Disable vulnerability alerts completely.
• Remove hourly and concurrent rate limits.

---

What to Expect

With your current configuration, Renovate will create 5 Pull Requests:

chore(deps): update base images

• Schedule: ["at any time"]
• Branch name: renovate/base-images
• Merge into: master
• Upgrade gcr.io/distroless/base-debian12 to sha256:d82d37df3bae85c6488d56f54ad5fc334ea15ff1e3f701af2866f7ab75d01e09
• Upgrade gcr.io/distroless/base-debian12 to sha256:dad1d3c6695a0cdd3274d58f73f82cf36ae8bad0bdb0497262f2e1039df5fcb8
• Upgrade gcr.io/distroless/base-debian12 to sha256:fa81a9ab9966083922a8465506accd01cad4ebb787f7e11309d464e19b94d097
• Upgrade gcr.io/distroless/base-debian12 to sha256:4b66c135f2d73c969783fcb918e3b224ea66dac43ce8d2bdd166f362d5dd248c
• Upgrade gcr.io/distroless/base-debian12 to sha256:b14f0d621bdfd1c967bca28f28ae7c1191e216ce0f34977c9f1e1f5081aae047
• Upgrade gcr.io/distroless/static-debian12 to sha256:17274770d835d14eddc4070a12bdbcf746991125b70acffbd65935d9d88ab2ac
• Upgrade gcr.io/distroless/static-debian12 to sha256:9b9ebe0472d908cc5f8ca03e437dd82f0984cc254eee59effd52aa539fe8a3d8
• Upgrade gcr.io/distroless/static-debian12 to sha256:0f30716c69ea9a9f62484fe3b284300ae67d136135312ee6d0f794c470b4fa27
• Upgrade gcr.io/distroless/static-debian12 to sha256:ed92139a33080a51ac2e0607c781a67fb3facf2e6b3b04a2238703d8bcf39c40
• Upgrade gcr.io/distroless/static-debian12 to sha256:6ceafbc2a9c566d66448fb1d5381dede2b29200d1916e03f5238a1c437e7d9ea

fix(deps): update k8s.io/kube-openapi digest to 589584f

• Schedule: ["at any time"]
• Branch name: renovate/k8s.io-kube-openapi-digest
• Merge into: master
• Upgrade k8s.io/kube-openapi to 589584f1c912

fix(deps): update cloud go deps

• Schedule: ["at any time"]
• Branch name: renovate/cloud-go-deps
• Merge into: master
• Upgrade github.com/Azure/azure-sdk-for-go/sdk/azidentity to v1.12.0
• Upgrade github.com/digitalocean/godo to v1.165.0

fix(deps): update module github.com/akamai/akamaiopen-edgegrid-golang/v11 to v12

• Schedule: ["at any time"]
• Branch name: renovate/github.com-akamai-akamaiopen-edgegrid-golang-v11-12.x
• Merge into: master
• Upgrade github.com/akamai/AkamaiOPEN-edgegrid-golang/v11 to v12.0.0

fix(deps): update module github.com/cloudflare/cloudflare-go/v5 to v6

• Schedule: ["at any time"]
• Branch name: renovate/github.com-cloudflare-cloudflare-go-v5-6.x
• Merge into: master
• Upgrade github.com/cloudflare/cloudflare-go/v5 to v6.0.1

[erikgb]

/cc @maelvls @ThatsMrTalbot

[hjoshi123]

🚀
/lgtm

[erikgb]

/approve

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: erikgb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [erikgb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment