
ci(renovate): restrict Go toolchain bumps to patch updates #945

Merged
ti-chi-bot[bot] merged 2 commits into main from fix/renovate-go-patch-only
Apr 2, 2026


@wuhuizuo wuhuizuo commented Apr 2, 2026

Summary

  • disable Renovate minor updates for Docker-based golang / go dependencies
  • keep patch updates enabled for the same dependency scope
  • preserve the existing separation behavior for Go update PRs

Why

PingCAP-QE/artifacts#897 shows that the current config still allows minor Go toolchain bumps like 1.25.8 -> 1.26.1. Repository policy is to let Renovate auto-create patch-only PRs for this dependency class.

Validation

  • jq . .github/renovate.json >/dev/null
  • git diff --check
  • attempted npx --yes --package renovate renovate-config-validator .github/renovate.json, but the repo already has pre-existing validator errors on customManagers[*].managerFilePatterns, unrelated to this change


@ti-chi-bot ti-chi-bot bot left a comment


I have already done a preliminary review for you, and I hope to help you do a better job.

Summary
This PR modifies the Renovate configuration to disable minor version updates for Docker-based Go toolchain dependencies (golang and go), restricting automatic updates to patch-level only. The approach adds a new rule in .github/renovate.json that disables minor updates specifically for these dependencies sourced from Docker. Overall, the change is focused, minimal, and aligns well with the stated repository policy.


Code Improvements

  • Rule Specificity and Ordering (.github/renovate.json, lines ~14-30)
    The new rule disables minor updates for Docker-based golang/go dependencies, but does not explicitly enable patch updates. Since Renovate processes rules in order, ensure this rule does not unintentionally block patch updates or interfere with other rules.
    Suggestion: Add an explicit rule or note that patch updates remain enabled. Also, verify the ordering of rules so that this disabling rule applies only to minor updates and does not inadvertently block other updates. For example, consider adding:

    {
      "description": "Allow patch updates for Go Docker images",
      "matchDatasources": ["docker"],
      "matchDepNames": ["golang", "go"],
      "matchUpdateTypes": ["patch"],
      "enabled": true
    }

    placed before or after the disabling minor update rule, to make intent explicit.

  • matchDepNames Accuracy
    Confirm that golang and go are the exact dependency names used by Renovate for the Go Docker images in your repository (case sensitivity and naming matter). Sometimes Docker images are named with namespaces or versions, e.g., golang, golang-alpine, or go. If Renovate uses a different naming scheme or if minor updates are triggered on related images, this rule might miss them.
    Suggestion: Cross-check actual Renovate logs or PRs to ensure these matchDepNames cover all relevant Go toolchain Docker images.

  • matchDatasources Appropriateness
    The rule restricts updates for docker datasource only, which matches the intent. However, if the repository uses other datasources for Go toolchain updates (e.g., github-tags or docker variants), those should be considered.
    Suggestion: Confirm that all Go toolchain updates come from the docker datasource, or expand the rule accordingly.


Best Practices

  • Documentation
    Add a brief comment or doc block inside .github/renovate.json near the new rule to explain why minor updates are disabled for Go Docker images, referencing the repository policy and linked issue (#897). This aids future maintainers. For example:

    // Disable minor updates for Go Docker images per PingCAP-QE/artifacts#897 policy; allow patch updates only

  • Validation and Testing
    The PR description notes existing Renovate config validation errors unrelated to this change. It would be better to fix or suppress those unrelated errors in a separate PR to ensure clean validation runs. Clean validation increases confidence that this new rule is syntactically and semantically correct.
    Suggestion: Run renovate-config-validator after fixing unrelated errors, or test the new config with a dry run of Renovate to confirm expected behavior.


Minor

  • PR Description Clarity
    The PR description is clear and well-structured; consider adding an example of a before/after Renovate PR version to illustrate the effect of this config change for reviewers.

Overall, the change is concise and targeted, but verifying rule ordering and completeness will ensure it fully meets the repository policy without unintended side effects.

@ti-chi-bot ti-chi-bot bot added the size/S label Apr 2, 2026

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request updates the Renovate configuration in .github/renovate.json to restrict Go toolchain updates to patch levels by disabling minor updates for 'golang' and 'go' Docker images. A review comment suggests explicitly including 'major' updates in the disabled list to align with the rule's description and ensure the policy remains robust if global settings change.

Comment thread .github/renovate.json
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

@ti-chi-bot ti-chi-bot bot left a comment


I have already done a preliminary review for you, and I hope to help you do a better job.

Summary
This PR modifies the Renovate configuration to disable minor and major updates for Docker-based Go toolchain dependencies (golang and go), effectively restricting updates to patch-level only. It does so by adding a new rule disabling Renovate PRs for major and minor updates on these dependencies while preserving existing behavior for patch updates. The change is straightforward, focused, and aligns well with the stated repository policy. The JSON syntax appears valid and the approach is appropriate.


Code Improvements

  • File: .github/renovate.json (lines 15-30)
    The new rule disables both major and minor updates for Docker datasource golang/go dependencies. While this achieves the patch-only update goal, explicitly including "patch" in "matchUpdateTypes" with "enabled": true would make the intent clearer and safer if you want to explicitly whitelist patch updates. As is, patches remain enabled by inheritance, but explicit clarity helps future maintainers.

    Suggestion: Add an explicit patch update rule, for example:

    {
      "description": "Allow patch-level Go toolchain updates",
      "matchDatasources": ["docker"],
      "matchDepNames": ["golang", "go"],
      "matchUpdateTypes": ["patch"],
      "enabled": true
    },
    {
      "description": "Disable major and minor Go toolchain updates",
      "matchDatasources": ["docker"],
      "matchDepNames": ["golang", "go"],
      "matchUpdateTypes": ["major", "minor"],
      "enabled": false
    }

    This is more explicit and future-proofs configuration if Renovate defaults change.


Best Practices

  • File: .github/renovate.json (new rule description)
    The "description" field is clear but could be more consistent with other entries by following a uniform style (e.g., starting with a capital letter but no trailing period). Minor, but helps maintain config readability.

  • Validation note in PR description
    You mention pre-existing renovate-config-validator errors unrelated to this change. It would be ideal to address or document those errors separately, since they may cause confusion when running validation as part of CI or local testing.


No critical issues found. The PR correctly restricts Renovate updates as intended and uses expected config keys. The main improvement is to make patch updates explicitly enabled and documented for clarity and maintainability.
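
A simplified model of the rule evaluation discussed in the reviews above, added here as an example (not code from the PR, the repository, or Renovate): it applies the suggested disabling rule to the 1.25.8 -> 1.26.1 bump from the PR description and to constructed cases. The helper names, the exact-match handling of `matchDepNames`, and the namespaced image name are assumptions.

```python
import json

# Rule text is the one quoted in the review above; wrapping it in a config is constructed.
CONFIG = json.loads("""
{"packageRules": [{
  "description": "Disable major and minor Go toolchain updates",
  "matchDatasources": ["docker"],
  "matchDepNames": ["golang", "go"],
  "matchUpdateTypes": ["major", "minor"],
  "enabled": false
}]}
""")

def update_type(current, new):
    """Classify a bump between two x.y.z tags (a '-alpine' style suffix is ignored)."""
    cur = [int(p) for p in current.split("-")[0].split(".")]
    nxt = [int(p) for p in new.split("-")[0].split(".")]
    for name, a, b in zip(("major", "minor", "patch"), cur, nxt):
        if a != b:
            return name
    raise ValueError(f"{current} -> {new} is not a version change")

def rule_matches(rule, dep):
    """Every matcher present on the rule must accept the dependency (exact match only)."""
    fields = {"matchDatasources": "datasource", "matchDepNames": "depName",
              "matchUpdateTypes": "updateType"}
    return all(dep[attr] in rule[key] for key, attr in fields.items() if key in rule)

def is_enabled(config, datasource, dep_name, current, new):
    """Apply packageRules top to bottom; a later matching rule overrides an earlier one."""
    dep = {"datasource": datasource, "depName": dep_name,
           "updateType": update_type(current, new)}
    enabled = True  # assumption: no global setting has disabled updates
    for rule in config.get("packageRules", []):
        if "enabled" in rule and rule_matches(rule, dep):
            enabled = rule["enabled"]
    return enabled

if __name__ == "__main__":
    cases = [("golang", "1.25.8", "1.26.1"),   # the bump cited in the PR description
             ("golang", "1.25.8", "1.25.9"),   # constructed patch bump
             ("docker.io/library/golang", "1.25.8", "1.26.1")]  # constructed name the rule misses
    for name, cur, new in cases:
        print(name, cur, "->", new, "enabled:", is_enabled(CONFIG, "docker", name, cur, new))
```

The third case shows why the dependency names in the rule need checking against what Renovate actually reports: a name outside the list leaves the minor bump enabled.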


wuhuizuo commented Apr 2, 2026

/approve

ti-chi-bot bot commented Apr 2, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wuhuizuo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ti-chi-bot ti-chi-bot bot added the approved label Apr 2, 2026
@ti-chi-bot ti-chi-bot bot merged commit c0c844c into main Apr 2, 2026
3 checks passed
@ti-chi-bot ti-chi-bot bot deleted the fix/renovate-go-patch-only branch April 2, 2026 12:24