
chore(deps): switch from dependabot to renovate#232

Open
Cali0707 wants to merge 1 commit into
kubernetes-sigs:mainfrom
Cali0707:setup-renovate

Conversation

@Cali0707
Member

@Cali0707 Cali0707 commented Jun 5, 2026

Multiple times in the last month we have had dependabot updates that did not sync our Dockerfile and our Go deps, leading to a need for manual PRs.

This PR adds a self-hosted renovate action (inspired by https://github.com/kubernetes-sigs/external-dns/blob/master/.github/workflows/dependency-update.yaml). This has the advantage that it should update both Dockerfiles and go.mod at the same time, keeping our go versions in sync.

Summary by CodeRabbit

  • Chores
    • Replaced existing dependency automation with a new Renovate-based system and added an automated workflow to run it.
    • New setup centralizes dependency updates, groups related updates, enforces consistent commit messages, pins action versions, and refines scheduling, PR behavior, labeling, and concurrency to improve update cadence and clarity.

@netlify

netlify Bot commented Jun 5, 2026

Deploy Preview for mcp-lifecycle-operator ready!

Latest commit: bf484e0
Latest deploy log: https://app.netlify.com/projects/mcp-lifecycle-operator/deploys/6a23164aec2dbb000893019c
Deploy Preview: https://deploy-preview-232--mcp-lifecycle-operator.netlify.app

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Cali0707

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested review from aliok and matzew June 5, 2026 17:52
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 5, 2026
@Cali0707
Member Author

Cali0707 commented Jun 5, 2026

/cc @matzew @creydr

@coderabbitai

coderabbitai Bot commented Jun 5, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 03e262b7-47ac-41ec-90dc-654087f2c652

📥 Commits

Reviewing files that changed from the base of the PR and between d91fae1 and bf484e0.

📒 Files selected for processing (3)
  • .github/dependabot.yml
  • .github/renovate-config.js
  • .github/workflows/renovate.yml
💤 Files with no reviewable changes (1)
  • .github/dependabot.yml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/renovate.yml
  • .github/renovate-config.js

📝 Walkthrough

Removes Dependabot config and adds Renovate: a new .github/renovate-config.js plus a scheduled and push-triggered GitHub Actions workflow .github/workflows/renovate.yml to run Renovate with repository-scoped permissions.

Changes

Dependency Management Migration

Layer: Renovate configuration and package rules
File(s): .github/renovate-config.js
Summary: Configures Renovate for kubernetes-sigs/mcp-lifecycle-operator: disables onboarding and rate limits, enables semantic commits, enables the gomod, dockerfile and github-actions managers, runs go mod tidy and import-path updates post-update, adds a dependencies label, and defines packageRules that group k8s.io/* and sigs.k8s.io/* modules, keep Go and Dockerfile updates in sync, and group GitHub Actions updates.

Layer: Renovate automation workflow
File(s): .github/workflows/renovate.yml
Summary: Adds a workflow triggered on pushes to main and a daily cron, with job-level gating to the repository, minimal required write permissions (contents, pull-requests), a checkout step (persist-credentials: false), and a pinned renovatebot/github-action step that uses .github/renovate-config.js and GITHUB_TOKEN.
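An added example, not the PR's own file: a renovate-config.js carrying the settings the Walkthrough lists, followed by a small helper that mirrors how Renovate merges packageRules in order (later matching rules override earlier ones). The config:recommended base, the group names and the "go"/"golang" dependency names for the Go toolchain are assumptions.

```javascript
// Illustrative renovate-config.js modelled on the PR's description; option names are
// real Renovate options, values other than the repository name are assumptions.
const config = {
  platform: "github",
  repositories: ["kubernetes-sigs/mcp-lifecycle-operator"],
  onboarding: false,
  requireConfig: "optional",
  prHourlyLimit: 0, // 0 disables the hourly and concurrent PR limits
  prConcurrentLimit: 0,
  extends: ["config:recommended", ":semanticCommits", "helpers:pinGitHubActionDigests"],
  enabledManagers: ["gomod", "dockerfile", "github-actions"],
  postUpdateOptions: ["gomodTidy", "gomodUpdateImportPaths"],
  labels: ["dependencies"],
  packageRules: [
    // One PR for all k8s.io/* and sigs.k8s.io/* modules (regex syntax: /pattern/)
    {
      matchManagers: ["gomod"],
      matchPackageNames: ["/^k8s\\.io\\//", "/^sigs\\.k8s\\.io\\//"],
      groupName: "kubernetes",
    },
    // Keep the go directive in go.mod and the golang base image in the Dockerfile
    // in one PR; assumption: gomod reports the toolchain as "go", dockerfile as "golang".
    {
      matchManagers: ["gomod", "dockerfile"],
      matchPackageNames: ["go", "golang"],
      groupName: "go",
    },
    // Digest pinning comes from the helpers:pinGitHubActionDigests preset above.
    { matchManagers: ["github-actions"], groupName: "github actions" },
  ],
};
module.exports = config;

// Helper (illustrative, not part of Renovate): "/.../" patterns are regexes, anything
// else is an exact package name, matching the subset of Renovate's syntax used above.
function matchesName(pattern, name) {
  return pattern.startsWith("/")
    ? new RegExp(pattern.slice(1, -1)).test(name)
    : pattern === name;
}

// Apply every rule whose match* fields all hold, in order, so later rules win.
function resolveRules(cfg, manager, packageName) {
  const effective = {};
  for (const rule of cfg.packageRules) {
    const { matchManagers, matchPackageNames, ...settings } = rule;
    if (matchManagers && !matchManagers.includes(manager)) continue;
    if (matchPackageNames && !matchPackageNames.some((p) => matchesName(p, packageName))) continue;
    Object.assign(effective, settings);
  }
  return effective;
}
```

Calling resolveRules(config, "gomod", "k8s.io/api") shows which group a given dependency lands in, which is a quick way to sanity-check rule ordering before the workflow runs.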

🎯 3 (Moderate) | ⏱️ ~20 minutes

🐰 A little hop, a tidy nudge, dependencies in line,
Renovate arrives at midnight and on push-time.
Grouping k8s modules and pinning action SHAs,
The rabbit cheers as updates find their ways.

🚥 Pre-merge checks: 5 passed

Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
Title check: Passed. The title 'chore(deps): switch from dependabot to renovate' accurately describes the main change, replacing Dependabot with Renovate for dependency management, which is clearly reflected in the deletions to dependabot.yml and additions of renovate-config.js and renovate.yml.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jun 5, 2026
@k8s-ci-robot
Contributor

@Cali0707: GitHub didn't allow me to request PR reviews from the following users: creydr.

Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

/cc @matzew @creydr

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jun 5, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/renovate-config.js (2)

25-25: 💤 Low value

Redundant semanticCommits setting.

The :semanticCommits preset extended on line 8 already enables this. This explicit setting is unnecessary.

🧹 Proposed fix
   "rebaseWhen": "behind-base-branch",
   "baseBranchPatterns": ["main"],
   "recreateWhen": "always",
-  "semanticCommits": "enabled",
   "labels": ["dependencies"],
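Review bot: Dropping "semanticCommits": "enabled" is only safe while the ":semanticCommits" preset stays in extends (line 8, per the comment above); the explicit value is harmless and documents the intent at the point of use, so if it is removed, consider a short comment next to the preset noting that it is what keeps commit prefixes consistent for the gomod, dockerfile and github-actions PRs.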
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/renovate-config.js at line 25, Remove the redundant
"semanticCommits" property from the renovate configuration since the preset
referenced (the :semanticCommits preset extended earlier) already enables it;
specifically delete the "semanticCommits": "enabled", entry from the object in
.github/renovate-config.js so the config relies on the preset only.

62-74: 💤 Low value

Redundant pinDigests and setup-go rule.

  1. pinDigests: true (line 65) is redundant with the helpers:pinGitHubActionDigests preset extended on line 9.
  2. The actions/setup-go rule (lines 69-73) only sets groupName: "github actions", which the preceding rule already applies to all GitHub Actions.
🧹 Proposed simplification
     // Pin GitHub Actions to SHA digests and group updates
     {
       "matchManagers": ["github-actions"],
-      "pinDigests": true,
       "groupName": "github actions",
     },
-    // For actions/setup-go, ensure compatibility with our Go version
-    {
-      "matchManagers": ["github-actions"],
-      "matchPackageNames": ["actions/setup-go"],
-      "groupName": "github actions",
-    },
   ],
 };
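Review bot: The removed comment above the actions/setup-go rule says it should ensure compatibility with the project's Go version, but the rule body only repeats groupName, so deleting it changes no behaviour; before accepting the deletion, confirm whether a real constraint was intended (for example allowedVersions or matchCurrentVersion tied to the go.mod version) and add that instead, otherwise the simplification is correct.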
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/renovate-config.js around lines 62 - 74, Remove the redundant
Renovate rules: delete the "pinDigests": true property from the GitHub Actions
rule and remove the separate rule that matches "matchPackageNames":
["actions/setup-go"] which only repeats "groupName": "github actions"; rely on
the existing helpers:pinGitHubActionDigests preset and the broader GitHub
Actions rule that already assigns the groupName to cover setup-go.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/renovate.yml:
- Around line 21-22: Update the checkout step that uses
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 to add
persist-credentials: false so the action does not write the token into
.git/config; modify the step named "checkout" to include the
persist-credentials: false input (keeping the same uses value).


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ac816c71-d146-4933-9ae3-92c14cff43c2

📥 Commits

Reviewing files that changed from the base of the PR and between fb066fa and d91fae1.

📒 Files selected for processing (3)
  • .github/dependabot.yml
  • .github/renovate-config.js
  • .github/workflows/renovate.yml
💤 Files with no reviewable changes (1)
  • .github/dependabot.yml

Signed-off-by: Calum Murray <cmurray@redhat.com>