
feat: track e2e dependencies#561

Merged: olzemal merged 2 commits into main from feature/track-e2e-dependencies, Jun 9, 2026

@olzemal olzemal commented May 29, 2026

Contributor

What

related to opendefensecloud/artifact-conduit#386

Why

Currently e2e dependencies like cert-manager or zot are not tracked by renovate

Testing

make dev-cluster
# verify deployments of cert-manager, trust-manager and zot

Checklist

  • Tests added/updated n/a
  • No breaking changes (or upgrade path documented above)
  • Readable commit history (squashed and cleaned up as desired)
  • AI code review considered and comments resolved

Summary by CodeRabbit

  • Chores
    • Pinned cert-manager, trust-manager, and Zot components to fixed versions for predictable builds and deployments.
    • Dev setup now enforces and uses those pinned versions during local cluster provisioning.
    • Automated dependency tracking enabled so component version updates are detected and proposed automatically.


coderabbitai Bot commented May 29, 2026

Contributor
Walkthrough

Makefile now exports CERTMANAGER_VERSION, TRUSTMANAGER_VERSION, and ZOT_VERSION. hack/dev-cluster.sh requires and uses those variables for versioned Helm installs (including OCI chart URLs and --version flags). renovate.json adds regex customManagers to detect and update those Makefile variables from upstream releases.

Changes

Component version parameterization and automation

| Layer | File(s) | Summary |
|---|---|---|
| Version variables declaration | Makefile | Three exported version variables (CERTMANAGER_VERSION, TRUSTMANAGER_VERSION, ZOT_VERSION) with default values are added. |
| Component setup scripts using version variables | hack/dev-cluster.sh | Script enforces the three version env vars, logs chosen versions, builds cert-manager manifest URL from CERTMANAGER_VERSION, and installs trust-manager, zot-discovery, and zot-deploy using --version with the specified versions and OCI chart URLs. |
| Automated version update configuration | renovate.json | Adds three regex-based customManagers to extract versions from Makefile and map them to upstream datasources (github-releases for cert-manager/trust-manager; docker for zot) with semver versioning. |

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers:

  • trevex

🐰 I sniffed three versions in the Makefile's breeze,
scripts sip them gently and Helm sings with ease,
Renovate watches closely, nudging updates on cue,
dependencies tidy, releases fresh and new,
hop, code, deploy — a carrot-shaped breakthrough! 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'feat: track e2e dependencies' directly reflects the main change: adding dependency tracking for end-to-end test components (cert-manager, trust-manager, zot) to Renovate. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description check | ✅ Passed | The PR description is mostly complete with What, Why, and Testing sections filled. Checklist items are marked. However, the 'What' section lacks a proper one-sentence summary and the 'Notes for reviewers' section is missing. |


coveralls commented May 29, 2026


Coverage Report for CI Build 26643092100

Coverage decreased (-0.4%) to 71.677%

Details

  • Coverage decreased (-0.4%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 15 coverage regressions across 1 file.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

15 previously-covered lines in 1 file lost coverage.

| File | Lines Losing Coverage | Coverage |
|---|---|---|
| pkg/controller/target_controller.go | 15 | 67.19% |

Coverage Stats

Coverage Status
Relevant Lines: 3280
Covered Lines: 2351
Line Coverage: 71.68%
Coverage Strength: 24.44 hits per line

💛 - Coveralls

olzemal commented May 29, 2026

Contributor Author

@coderabbitai full review

coderabbitai Bot commented May 29, 2026

Contributor
✅ Actions performed

Full review triggered.

@opendefensecloud opendefensecloud deleted a comment from coderabbitai Bot May 29, 2026

@coderabbitai coderabbitai Bot left a comment

Contributor

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
hack/dev-cluster.sh (1)

5-14: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Guard the new version variables (script is no longer standalone-runnable).

With set -u active, the new ${CERTMANAGER_VERSION}, ${TRUSTMANAGER_VERSION}, and ${ZOT_VERSION} references (Lines 34, 67, 91/95, 107/111) abort with a cryptic "unbound variable" if the script is invoked directly rather than through the make targets that export them. The versions used to be hardcoded, so direct execution previously worked. Add explicit guards here so the failure is clear and the variable-handling stays consistent with the rest of this block.

🛡️ Proposed guards
 YQ="${YQ:-yq}"
+
+# Versions are exported by the Makefile; fail fast with a clear message when run standalone.
+CERTMANAGER_VERSION="${CERTMANAGER_VERSION:?must be set (see Makefile)}"
+TRUSTMANAGER_VERSION="${TRUSTMANAGER_VERSION:?must be set (see Makefile)}"
+ZOT_VERSION="${ZOT_VERSION:?must be set (see Makefile)}"
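Review bot: the three added `:?` assignments should stay as hard failures rather than become `:-` defaults, because a fallback version inside hack/dev-cluster.sh would be a second pin that the Makefile-based Renovate managers never update. The self-assignment is also redundant: `: "${CERTMANAGER_VERSION:?must be set (see Makefile)}"` performs the same unset-or-empty check without re-assigning the variable, and the same form applies to TRUSTMANAGER_VERSION and ZOT_VERSION.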
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/dev-cluster.sh` around lines 5 - 14, The script now references
CERTMANAGER_VERSION, TRUSTMANAGER_VERSION, and ZOT_VERSION without defaults
which breaks under set -u; add the same guarded default assignments used for
KIND_CLUSTER/TAG (e.g. set CERTMANAGER_VERSION, TRUSTMANAGER_VERSION,
ZOT_VERSION using parameter expansion defaults) at the top of
hack/dev-cluster.sh so direct invocation won’t hit "unbound variable" errors and
behavior remains consistent with the rest of the environment-variable block.
🧹 Nitpick comments (1)
Makefile (1)

16-18: 💤 Low value

Note the assignment-operator coupling with renovate.json.

These use := while the other version pins (OCM_DEMO_VERSION, ENVTEST_K8S_VERSION) use ?=. That's fine here, but be aware the Renovate customManagers matchStrings hardcode :=, so switching these to ?= later would silently break version tracking. Worth a brief comment to prevent accidental drift.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Makefile` around lines 16 - 18, The three version exports
(CERTMANAGER_VERSION, TRUSTMANAGER_VERSION, ZOT_VERSION) use the ':=' assignment
which is required by Renovate's customManagers matchStrings; add a brief inline
comment above or beside these exports stating they must remain ':=' (not '?=')
to keep Renovate version detection working, referencing the Renovate pattern
(customManagers matchStrings expecting " :=") so future edits don't accidentally
switch the operator.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ad58f3cd-93fc-4268-a7fc-e6958581fc88

📥 Commits

Reviewing files that changed from the base of the PR and between ce460a3 and 4f9a3d6.

📒 Files selected for processing (3)
  • Makefile
  • hack/dev-cluster.sh
  • renovate.json
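
The coupling noted in the review above, where a Makefile pin changed from `:=` to `?=` silently drops out of Renovate tracking, can be caught by a lint step. This is an added example, not code from this PR or project: `PIN_RE` is an assumed stand-in for the real matchStrings (renovate.json is not shown on this page), the function names are hypothetical, and the sample Makefile contents and version numbers are constructed.

```shell
#!/usr/bin/env bash
# Added example: lint that tracked Makefile pins keep the ':=' shape.
# ASSUMPTION: PIN_RE stands in for the real matchStrings in renovate.json,
# which this page does not show. Function names are hypothetical.
PIN_RE=':=[[:space:]]*v?[0-9]+\.[0-9]+\.[0-9]+[[:space:]]*$'

# Print the tracked variable names that the ':=' pattern would NOT match.
untracked_pins() {
  makefile="$1"; shift
  missing=""
  for var in "$@"; do
    if ! grep -Eq "^(export[[:space:]]+)?${var}[[:space:]]*${PIN_RE}" "$makefile"; then
      missing="${missing}${var} "
    fi
  done
  printf '%s' "${missing% }"
}

# Write a constructed Makefile (made-up versions); $1 is the operator used
# for TRUSTMANAGER_VERSION. Prints the temp file path.
make_sample() {
  file="$(mktemp)"
  cat >"$file" <<EOF
export CERTMANAGER_VERSION := v1.2.3
export TRUSTMANAGER_VERSION $1 v0.4.5
export ZOT_VERSION := v2.0.1
EOF
  printf '%s' "$file"
}

# Return non-zero and name the offenders if any pin fell out of tracking.
check_pins() {
  result="$(untracked_pins "$1" CERTMANAGER_VERSION TRUSTMANAGER_VERSION ZOT_VERSION)"
  [ -z "$result" ] && return 0
  echo "not matched by ':=' pattern: $result" >&2
  return 1
}

# Demo: the second sample simulates a later edit from ':=' to '?='.
for op in ':=' '?='; do
  f="$(make_sample "$op")"
  if check_pins "$f"; then echo "operator $op: all pins tracked"; fi
  rm -f "$f"
done
```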

@olzemal olzemal force-pushed the feature/track-e2e-dependencies branch from 5228f68 to 99c6405 Compare May 29, 2026 14:28

@yocaba yocaba left a comment

Contributor

lgtm

@olzemal olzemal merged commit 8b04e7e into main Jun 9, 2026
16 checks passed
@olzemal olzemal deleted the feature/track-e2e-dependencies branch June 9, 2026 06:16