ci: bump repository configuration from template-refs/tags/v2.0.0 (#499)

* ci: common template rollout changes

* style: pre-commit run --all-files

* test: run only UI tests marked with sanity_test

---------

Co-authored-by: Artem Rys <rysartem@gmail.com>

.github/workflows/.ci-metadata.json

@@ -0,0 +1,3 @@
+{
+  "template-version": "v2.0.0"
+}

.github/workflows/agreements.yaml

@@ -4,10 +4,14 @@ on:
     types: [created]
   pull_request_target:
     types: [opened, closed, synchronize]
-
+permissions:
+  actions: read
+  contents: read
+  pull-requests: read
+  statuses: read
 jobs:
   call-workflow-agreements:
-    uses: splunk/addonfactory-github-workflows/.github/workflows/reusable-agreements.yaml@v1.3
+    uses: splunk/addonfactory-github-workflows/.github/workflows/reusable-agreements.yaml@v1
     secrets:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       PERSONAL_ACCESS_TOKEN: ${{ secrets.PAT_CLATOOL }}

.github/workflows/build-test-release.yml

@@ -14,19 +14,28 @@ on:
       - reopened
       - synchronize
       - labeled
-
+permissions:
+  actions: read
+  checks: write
+  contents: write
+  deployments: read
+  packages: write
+  pull-requests: read
+  statuses: write
 jobs:
   call-workflow:
-    if: github.event.action != 'labeled' || github.event.label.name == 'preserve_infra'
-    uses: splunk/addonfactory-workflow-addon-release/.github/workflows/reusable-build-test-release.yml@v3.7
+    if: github.event.action != 'labeled' || github.actor != 'renovate[bot]'
+    uses: splunk/addonfactory-workflow-addon-release/.github/workflows/reusable-build-test-release.yml@v4.0
     secrets:
       GH_TOKEN_ADMIN: ${{ secrets.GH_TOKEN_ADMIN }}
-      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       SEMGREP_PUBLISH_TOKEN: ${{ secrets.SEMGREP_PUBLISH_TOKEN }}
       AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
       AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
       VT_API_KEY: ${{ secrets.VT_API_KEY }}
-      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
       OTHER_TA_REQUIRED_CONFIGS: ${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}
       FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
+      SA_GH_USER_NAME: ${{ secrets.SA_GH_USER_NAME }}
+      SA_GH_USER_EMAIL: ${{ secrets.SA_GH_USER_EMAIL }}
+      SA_GPG_PRIVATE_KEY: ${{ secrets.SA_GPG_PRIVATE_KEY }}
+      SA_GPG_PASSPHRASE: ${{ secrets.SA_GPG_PASSPHRASE }}

.github/workflows/publish-manual.yaml

@@ -6,9 +6,15 @@ on:
         description: 'Tag to release'
         required: true
 
+permissions:
+  contents: write
+  packages: write
+  pull-requests: read
+  statuses: write
+
 jobs:
   call-workflow:
-    uses: splunk/addonfactory-workflow-addon-manual-release/.github/workflows/reusable-publish-manual.yaml@v1.0
+    uses: splunk/addonfactory-workflow-addon-manual-release/.github/workflows/reusable-publish-manual.yaml@v1.1
     secrets:
       GH_TOKEN_ADMIN: ${{ secrets.GH_TOKEN_ADMIN }}
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

pyproject.toml

@@ -9,7 +9,7 @@ license = "Splunk-1-2020"
 python = "^3.7"
 splunktaucclib = "^6.0.7"
 
-[tool.poetry.dev-dependencies]
+[tool.poetry.group.dev.dependencies]
 lovely-pytest-docker = "^0.2.1"
 pytest = "^6.2.4"
 pytest-expect = "^1.1.0"

renovate.json

@@ -1,89 +1,16 @@
 {
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "config:base",
-    ":semanticCommitTypeAll(ci)"
+    "group:all",
+    ":semanticCommitTypeAll(chore)",
+    "schedule:earlyMondays",
+    ":disableDependencyDashboard"
   ],
-  "prConcurrentLimit": 0,
-  "prHourlyLimit": 0,
-  "rangeStrategy": "pin",
-  "dependencyDashboardApproval": true,
-  "transitiveRemediation": true,
   "enabledManagers": ["poetry", "npm", "gradle"],
-  "separateMinorPatch": true,
-  "labels": ["dependencies"],
-  "semanticCommits": "enabled",
-  "lockFileMaintenance": {
-    "enabled": true,
-    "extends": [
-      "schedule:daily"
-      ]
-  },
-  "vulnerabilityAlerts": {
-    "labels": ["dependencies", "security"]
-  },
   "packageRules": [
     {
-      "groupName": "splunk dependencies",
-      "matchPackageNames": [
-        "splunktaucclib",
-        "splunktalib",
-        "splunk-add-on-ucc-framework",
-        "pytest-splunk-addon",
-        "splunk-packaging-toolkit",
-        "pytest-splunk-addon-ui-smartx",
-        "solnlib"
-        ],
-      "matchUpdateTypes": ["minor", "patch"],
-      "labels": ["dependencies", "splunk-packages", "minor", "patch"]
-    },
-    {
-      "matchUpdateTypes": ["patch"],
-      "matchManagers": ["poetry"],
-      "groupName": "python dependencies",
-      "labels": ["dependencies", "python", "patch"]
-    },
-    {
-      "matchUpdateTypes": ["minor"],
-      "matchManagers": ["poetry"],
-      "labels": ["dependencies", "python", "minor"]
-    },
-    {
-      "matchUpdateTypes": ["major"],
-      "matchManagers": ["poetry"],
-      "labels": ["dependencies", "python", "major"]
-    },
-    {
-      "matchUpdateTypes": ["patch"],
-      "matchManagers": ["npm"],
-      "groupName": "javascript dependencies",
-      "labels": ["dependencies", "javascript", "patch"]
-    },
-    {
-      "matchUpdateTypes": ["minor"],
-      "matchManagers": ["npm"],
-      "labels": ["dependencies", "javascript", "minor"]
-    },
-    {
-      "matchUpdateTypes": ["major"],
-      "matchManagers": ["npm"],
-      "labels": ["dependencies", "javascript", "major"]
-    },
-    {
-      "matchUpdateTypes": ["patch"],
-      "matchManagers": ["gradle"],
-      "groupName": "java dependencies",
-      "labels": ["dependencies", "java", "patch"]
-    },
-    {
-      "matchUpdateTypes": ["minor"],
-      "matchManagers": ["gradle"],
-      "labels": ["dependencies", "java", "minor"]
-    },
-    {
-      "matchUpdateTypes": ["major"],
-      "matchManagers": ["gradle"],
-      "labels": ["dependencies", "java", "major"]
+      "matchPackageNames": ["urllib3"],
+      "allowedVersions": "<2.0.0"
     }
   ]
 }