In future, this report may be useful for vulnerability management, for
example.

This allows developers to quickly filter Renovate upgrades based on the
type.

This includes the renovate-truncated-versions.json file by
default. This way we don't need to set it in all projects where we
want to use truncated versions.

In some cases, for example `jsonnet-tool` we want to use truncated
versions, but we forgot to include this file. This means that the
dependencies no longer get updated. For example:
https://gitlab.com/gitlab-com/gl-infra/jsonnet-tool/-/jobs/9155867928

I think it is safe to use this as the default, because we limit the
number of packages we allow this for in
`renovate-truncated-versions.json`.

This configures Renovate to upgrade gitlab-ci YAML files in
`.gitlab/{ci,template}` subdirectories, as the default configuration
only checks the `.gitlab-ci.yml` file.

They're a bit noisy otherwise, everything's a feature!

Closes
https://gitlab.com/gitlab-com/gl-infra/common-template-copier/-/issues/5

This updates the `groupName` used for copier project updates, which
reads better on the eyes, but also avoids the horrible branch names
currently being used.

This helps Renovate Now to update stale MRs. The default setting, auto,
will avoid updating older MRs.

Copier updates are likely to conflict, and need to be kept up-to-date.
For this reason, we change this setting for copier upgrades.

This adds a warning when Soos is committing to a project they shouldn't
be.

Also, when the warning isn't issued, it includes a link to the Renovate
pipeline in which the job ran.

Finally, this switches the email address used for Renovate MRs so be
distinct from the Soos address which is currently
`ops-contact+gl-infra-dependency-bot@gitlab.com`
this may help avoid some confusion.

This is using the CLI flags to pass the options that are also part of
the `renovate-common.json` configuration.

The reason we're adding these here as well is because it seems like
the config options aren't being picked up by renovate in runs. Copier
isn't run with the expected `--trust` option.

I tried passing the same as ENV variables and that did succeed. See
capacity-planning-trackers/gitlab-dedicated-staging/jobs/7598883181
for a job that generated the update correctly and resulted in a
succeeded MR that ran the scripts
capacity-planning-trackers/gitlab-dedicated-staging!63

So this is another way of passing the same related arguments:
- https://docs.renovatebot.com/self-hosted-configuration/#allowscripts
- https://docs.renovatebot.com/configuration-options/#ignorescripts

For `self-hosted-configuration` we need to add things as a command
line option or an environment variable.

Instead of our own regexManager implementation.

This was implemented in
https://github.com/renovatebot/renovate/issues/25556 so we don't need
our custom implmentation anymore and we can get rid of
`.copier-version` in a separate MR.

To support this, we also need to set `"allowScripts": true` and
`"ignoreScripts": false` to allow the copier upgrade scripts to run.

https://docs.renovatebot.com/configuration-options/#ignorescripts
https://docs.renovatebot.com/self-hosted-configuration/#allowscripts

The `copier.sh` `postUpgradeTask` has been reduced to just run the
`update-asdf-version-variables.sh`. Running `copier update` a second
time would not do anything as the version in `.copier-answers.yml` has
already been updated.

This reintroduced the changes from
https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/merge_requests/669

But to prevent the issues we saw last time the following has been
changed:

1. We're using the correct key to select only the `copier`
   manager: `matchManagers` instead of `matchManager`.
2. The execution of the `postUpgradeTasks` for this manager are now
   wrapped in a condition to check if the script exists. This means
   that in the case where renovate runs using a newer configuration,
   but using an older container image, the merge request will still be
   created. Only the adsf-variable updates that would have been done
   by the script would not be included.

This reverts commit e5070d4f.

See https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/merge_requests/669#note_2047430245

Instead of our own regexManager implementation.

This was implemented in
https://github.com/renovatebot/renovate/issues/25556 so we don't need
our custom implmentation anymore and we can get rid of
`.copier-version` in a separate MR.

To support this, we also need to set `"allowScripts": true` and
`"ignoreScripts": false` to allow the copier upgrade scripts to run.

https://docs.renovatebot.com/configuration-options/#ignorescripts
https://docs.renovatebot.com/self-hosted-configuration/#allowscripts

The `copier.sh` `postUpgradeTask` has been reduced to just run the
`update-asdf-version-variables.sh`. Running `copier update` a second
time would not do anything as the version in `.copier-answers.yml` has
already been updated.

Updates the copier update script and moves it to a shell script, out of
the renovate configuration.

Previously this was configured, but since it was happening before other
configurations, it was being overridden. This is no longer the case.

In Terraform, group google-beta and google providers into the same
Renovate upgrade.

Part of https://gitlab.com/gitlab-com/runbooks/-/issues/134

Switches Renovate postUpgrade scripts to use mise instead of asdf.

Related to https://gitlab.com/groups/gitlab-com/gl-infra/gitlab-dedicated/-
/epics/483

Groups all Renovate Google Cloud SDK updates into a single MR, to
reduce the number of MRs.

There are currently numerous Renovate MRs which Renovate will not
update since the email address of the Renovate author has changed.

This MR updates the renovate config to ignore all known previous
Renovate bot author emails, so that Renovate will be willing to update
these MRs once again.

The list was generated using the following command:

```
glab api --paginate 'groups/gitlab-com%2fgl-infra/merge_requests'\
'?state=opened&order_by=created_at&sort=asc'\
'&label=maintenance::dependency'|
  jq -r '
    .[] |
    select(.title|contains("update dependency")) |
    "projects/\(.project_id)/merge_requests/\(.iid)/commits"'|
while read line; do
  glab api "$line" |
    jq -r '.[]|.author_email';
done|
sort -u
```

And then lightly edited.

As suggested by pguinoiseau, give Terraform major and minor updates
some time to settle before upgrading.

Automatically update Terraform docs when `required_provider` for a
Terraform module is updated, if the project contains a
`scripts/generate-terraform-docs.sh` script.

This disables Renovate updates for all projects that use the common-ci-
tasks/common renovate definitions.

This includes all Dedicated projects and some other infrastructure
projects.

This adds a configuration item to group all checkov updates together in
a single Renovate MR.

For this first attempt, this is an experiment. If it works, we'll
consider rolling this out for other updates too.

Since we're using Renovate's containerbase
(https://github.com/containerbase/base), we're now able to use
`binarySource=install` to match version numbers during Renovate
upgrades.

Eventually, this may allow us to reduce the size of our containers.

This is an experiment to see how that works.

More details in:
https://docs.renovatebot.com/self-hosted-configuration/#binarysource

If go.mod is upgraded independently of .tool-versions, things, like `go
mod tidy` can fail.

This configures Renovate to upgrade them in a single MR.

While common-ci-tasks supported Go 1.16, we added a -compat=1.17 flag for
`go mod tidy`.

This is now causing some issues in Go 1.20, but since we no longer need
Go 1.16 support, the flag should be safe to be dropped.

This fixes the incorrect renovate configuration to group all AWS Go SDK
updates together into a single MR.

This hasn't worked, and with the v2 SDK, has created a very large
number of update MRs.

The AWS Go SDK breaks services down into seperate Go modules.

This generates a lot of Renovate upgrade noise.

This change groups all related AWS Go SDK into a single Renovate
upgrade, for all projects.

In Renovate, this change bundles Pre-Commit upgrades alongside Pre-Commit
dependency upgrades.

This is aimed at reducing noise from Renovate upgrades.

This change marks more Renovate updates with the ~dependency::dev
label. This signals to engineers that this change will not effect
production code, and a lower level of risk assessment can be
undertaken.

This in turn speeds up the upgrade process.

On some low-touch projects such as asdf dependencies, Renovate generates
a great deal of noise though updates to pre-commit
dependencies.

These dependencies are always development-only and thus fairly low risk.
This change groups all these dependencies together to ensure that they
generate less noise as renovate creates updates for them.