
ci(renovate): hand workflow bumps to dependabot, disable dashboard #790

Merged
njhensley merged 3 commits into NVIDIA:main from njhensley:ci/renovate-disable-github-actions-and-dashboard on May 7, 2026

Conversation

@njhensley
Member

Summary

Disable Renovate's github-actions manager (dependabot owns that lane), turn off the dependency dashboard issue, and add security-events: read to the renovate workflow so the dependabot/alerts call stops 403'ing.

Motivation / Context

Renovate has been running successfully each weekday morning but never producing PRs. Dependency dashboard issue #771 listed every pending update with a checkbox, and no renovate/* branches existed in the repo. Debug-level run 25503858535 showed two independent blockers:

  1. Workflow-file push restriction. GitHub's auto-issued GITHUB_TOKEN cannot create or update files under .github/workflows/*, regardless of permissions: set in the workflow — this is a hard platform restriction. The renovate/github-actions group always bundles a workflow-file change, so the entire group's git push was rejected:

    [remote rejected] (refusing to allow a GitHub App to create or update workflow
    `.github/workflows/bom-refresh.yaml` without `workflows` permission)
    

    Confirmed on the fork run 25504554547: the fork has no ~ALL ruleset, so 10 non-workflow PRs land cleanly there, but renovate/github-actions still fails to push for the same reason. This is a credential-class restriction, not repo-specific config.

    Dependabot is already producing a workflow PR a day (recent merges: chore: deps: bump azure/setup-helm from 4.3.0 to 5.0.0 #767, chore: deps: bump renovatebot/github-action from 46.1.12 to 46.1.13 #768, chore: deps: bump actions/labeler from 6.0.1 to 6.1.0 #770, chore: deps: bump sigstore/cosign-installer from 4.1.1 to 4.1.2 #786) — letting it own that lane is simpler than introducing a GitHub App or PAT with workflows scope.

  2. Vulnerability alerts 403. Each run logs WARN: Cannot access vulnerability alerts. Please ensure permissions have been granted. because the workflow's GITHUB_TOKEN is missing security-events: read. Functional but noisy. Note: this contradicts a comment in renovate.json5 claiming self-hosted Renovate can't consume vuln alerts — that was wrong; with the right scope, it can. Comment updated accordingly.

  3. Dashboard churn. With github-actions out of scope and the remaining managers (gomod / npm / custom regex on .settings.yaml / dockerfile / kubernetes / helm-values / terraform) narrow enough to read at a glance from open PRs, the rollup issue isn't pulling its weight.

Fixes: N/A
Related: #737 (initial Renovate rollout), #771 (dependency dashboard, will auto-close once this lands)

Type of Change

  • Build/CI/tooling

Component(s) Affected

  • Other: .github/renovate.json5, .github/workflows/renovate.yaml

Implementation Notes

  • github-actions manager disabled via packageRule with enabled: false (kept the rule discoverable next to the related grouping rules rather than using top-level enabledManagers allowlist, which would need every other manager re-asserted).
  • Removed helpers:pinGitHubActionDigests from extends — dead config now that the manager is off.
  • Removed :dependencyDashboard from extends and added dependencyDashboard: false with a comment explaining how to re-enable.
  • security-events: read added to job-scoped permissions: (not workflow-level), keeping the existing contents: read default at the workflow scope.
  • Stripped "github-actions" from the auto-merge matchManagers: ["gomod", "npm"] list — that entry was dead with the manager off but worth removing so future readers don't think it's load-bearing.

Testing

Configuration-only change to a self-hosted CI tool — no Go code, no docs, no tests. make qualify is unnecessary and the Go test-coverage gate doesn't apply.

Validation plan post-merge:

  • Trigger the Renovate workflow via workflow_dispatch and confirm:
    • No WARN: Cannot access vulnerability alerts line in the run log.
    • No renovate/github-actions or renovate/major-github-actions branch is attempted (search log for branch=renovate/github-actions should yield nothing).
  • Dependency dashboard issue #771 (Dependency Dashboard) is closed by Renovate on next run.
  • Continue to expect dependabot to land workflow-file PRs at the existing daily cadence.

Risk Assessment

  • Low — Isolated change, well-tested, easy to revert

Rollout notes: Reverts cleanly via git revert. Re-enabling means restoring :dependencyDashboard in extends, deleting dependencyDashboard: false, removing the enabled: false packageRule for github-actions, and dropping the security-events: read permission. No data migration, no feature flag, no consumer impact — Renovate is internal CI tooling.

Checklist

  • Tests pass locally (make test with -race) — N/A, configuration-only
  • Linter passes (make lint) — N/A, no Go/YAML lint targets cover renovate.json5
  • I did not skip/disable tests to make CI green
  • I added/updated tests for new functionality — N/A
  • I updated docs if user-facing behavior changed — N/A (internal CI tool)
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S)

GitHub's auto-issued GITHUB_TOKEN cannot push changes to
.github/workflows/*, so the renovate/github-actions group always failed
to push. Dependabot already covers github-actions bumps (and is the
source of every recent PR landing in main), so disable the manager in
Renovate rather than introduce a GitHub App or PAT with workflows scope.

Also disable the dependency dashboard issue — with github-actions out of
scope and the remaining managers narrow enough to read at a glance, the
dashboard rollup is just churn.

Add security-events: read to the workflow permissions so Renovate's
dependabot/alerts call stops 403'ing each run.
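The permission layout the implementation notes describe, as an added illustrative workflow. This is not the project's actual .github/workflows/renovate.yaml: the page only states that contents: read stays at workflow scope and security-events: read is added at job scope. The cron expression, the checkout version, the job name, the LOG_LEVEL setting and the write scopes Renovate needs to push branches and open PRs are assumptions.

```yaml
# Illustrative .github/workflows/renovate.yaml (added example, not the
# project's file). Everything beyond the two permission levels is assumed.
name: renovate

on:
  schedule:
    - cron: "0 6 * * 1-5"   # assumption: the page only says "each weekday morning"
  workflow_dispatch:         # manual trigger used by the post-merge validation plan

# Workflow-level default: read-only. A job that declares no permissions
# block of its own inherits exactly this and nothing more.
permissions:
  contents: read

jobs:
  renovate:
    runs-on: ubuntu-latest
    # A job-level permissions block replaces the workflow-level one: every
    # scope not listed here becomes none for this job, so contents has to be
    # restated. security-events: read is the scope behind the
    # dependabot/alerts lookup that was 403'ing on every run.
    #
    # Nothing listed here can grant the `workflows` scope: GITHUB_TOKEN is
    # never allowed to create or update files under .github/workflows/,
    # which is why workflow-file bumps are left to dependabot.
    permissions:
      contents: write        # assumption: Renovate must push renovate/* branches
      pull-requests: write   # assumption: Renovate must open and update PRs
      security-events: read  # the fix: lets the vulnerability-alert lookup succeed
    steps:
      - uses: actions/checkout@v4   # assumption: version not stated on the page
      - uses: renovatebot/github-action@v46.1.13
        with:
          configurationFile: .github/renovate.json5
          token: ${{ secrets.GITHUB_TOKEN }}
        env:
          LOG_LEVEL: debug   # debug-level logs are what surfaced both blockers
```

The Renovate side lives in renovate.json5 and is the packageRule `{ matchManagers: ["github-actions"], enabled: false }` plus the top-level `dependencyDashboard: false` the implementation notes describe; both are documented Renovate options. To check a workflow_dispatch run without reading the whole log, search it for the two strings the validation plan names, `Cannot access vulnerability alerts` and `branch=renovate/github-actions`; both should be absent.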
@njhensley njhensley requested a review from a team as a code owner May 7, 2026 16:08
@njhensley njhensley added the enhancement New feature or request label May 7, 2026
@coderabbitai

coderabbitai Bot commented May 7, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 1082ceff-8cb4-4ff9-9b43-e23642fb36ef

📥 Commits

Reviewing files that changed from the base of the PR and between c711a31 and 9c66122.

📒 Files selected for processing (2)
  • .github/renovate.json5
  • .github/workflows/renovate.yaml

📝 Walkthrough

Walkthrough

This pull request refines Renovate's dependency management configuration and GitHub Actions workflow permissions. The Renovate configuration disables the dependencyDashboard with updated commentary and clarifies that scheduling is exclusively controlled by the workflow cron. The packageRules for low-blast-radius updates are modified to exclude github-actions from auto-merge eligibility, leaving only gomod and npm. A new packageRules entry explicitly disables the github-actions manager to prevent digest update grouping. The Renovate workflow gains security-events: read permission to enable vulnerability lookup functionality without permission errors.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks: 4 passed
  • Title check: Passed. The title accurately summarizes the main changes: handing workflow bumps to dependabot and disabling the dashboard, which are the core objectives of the PR.
  • Description check: Passed. The description is comprehensive and directly related to the changeset, detailing the motivation, implementation, testing, and risk assessment of the configuration changes.
  • Linked Issues check: Passed (check skipped because no linked issues were found for this pull request).
  • Out of Scope Changes check: Passed (check skipped because no linked issues were found for this pull request).


@njhensley njhensley self-assigned this May 7, 2026
@njhensley njhensley enabled auto-merge (squash) May 7, 2026 16:44
@njhensley njhensley merged commit 5f3a3d2 into NVIDIA:main May 7, 2026
30 checks passed
@njhensley njhensley deleted the ci/renovate-disable-github-actions-and-dashboard branch May 7, 2026 16:48

Labels

area/ci enhancement New feature or request size/S
