From c08aa7f52853de0cea4636ae3305560755c3056c Mon Sep 17 00:00:00 2001
From: Grzegorz Piotrowski
Date: Wed, 30 Jul 2025 23:07:50 +0100
Subject: [PATCH] NE-2074: UPSTREAM: : Configure Renovate updates of images and CVEs

Configures base and builder images updates restricted to be only within the major version 9. Go version updates restricted to be within the minor version 1.22. Disables go module updates except for CVE related ones.
---
 renovate.json | 54 ++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 51 insertions(+), 3 deletions(-)

diff --git a/renovate.json b/renovate.json
index 4ef778c4a4..a0bc46dbb5 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,6 +1,54 @@
 {
- "gomod": {
- "enabled": false
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "enabledManagers": ["dockerfile", "gomod"],
+ "commitMessagePrefix": "UPSTREAM: : ",
+ "packageRules": [
+ {
+ "description": "Disable all Dockerfile updates by default. Only specific files will get targeted.",
+ "matchManagers": ["dockerfile"],
+ "enabled": false
+ },
+ {
+ "description": "Enable Docker image updates for Red Hat UBI images on major version 9 only in OpenShift files",
+ "matchManagers": ["dockerfile"],
+ "matchFileNames": [
+ "Containerfile.aws-load-balancer-controller",
+ "Dockerfile.openshift",
+ "drift-cache/Dockerfile.openshift"
+ ],
+ "matchDatasources": ["docker"],
+ "matchPackageNames": [
+ "registry.access.redhat.com/ubi9/ubi-minimal",
+ "registry.access.redhat.com/ubi9/ubi"
+ ],
+ "enabled": true,
+ "versioning": "redhat",
+ "allowedVersions": "/^9(\\.|$)/"
+ },
+ {
+ "description": "Keep Go toolset on minor version 1.22 only in OpenShift files",
+ "matchManagers": ["dockerfile"],
+ "matchFileNames": [
+ "Containerfile.aws-load-balancer-controller",
+ "Dockerfile.openshift",
+ "drift-cache/Dockerfile.openshift"
+ ],
+ "matchDatasources": ["docker"],
+ "matchPackageNames": [
+ "registry.access.redhat.com/ubi9/go-toolset"
+ ],
+ "enabled": true,
+ "versioning": "redhat",
+ "allowedVersions": "/^1\\.22(\\.|$)/"
+ },
+ {
+ "description": "Disable regular Go module updates, only allow vulnerability alerts",
+ "matchManagers": ["gomod"],
+ "enabled": false
+ }
+ ],
+ "vulnerabilityAlerts": {
+ "enabled": true
 },
- "commitMessagePrefix": "UPSTREAM: : "
+ "osvVulnerabilityAlerts": true
 }
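Review bot: The final `gomod` packageRule together with the `vulnerabilityAlerts` / `osvVulnerabilityAlerts` keys makes security alerts the only way a Go module is ever bumped, but nothing in the file says what that path depends on. As I understand Renovate's documentation, `vulnerabilityAlerts` is driven by GitHub Dependabot alerts, so it produces no PRs on a repository or fork where the dependency graph and Dependabot alerts are switched off, and `osvVulnerabilityAlerts` is described as experimental and limited to direct dependencies; both should be confirmed for this repo. I would record that in the rule itself, for example `"description": "Disable regular Go module updates; CVE fixes rely on GitHub Dependabot alerts being enabled for this repo and on OSV alerts (direct dependencies only)"`. The two `matchFileNames` lists are identical, so a short mention in either description that they must be kept in sync would stop a newly added Dockerfile from being covered by one rule and not the other.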