ci(github-actions): update to latest reusable github-workflows

.github/renovate.json

@@ -13,13 +13,22 @@
       "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}"
     }
   ],
+  "configMigration": true,
+  "dependencyDashboard": true,
   "extends": [
-    "config:best-practices",
-    "group:linters",
+    ":ignoreModulesAndTests",
+    "abandonments:recommended",
+    "docker:pinDigests",
+    "helpers:pinGitHubActionDigests",
+    "mergeConfidence:age-confidence-badges",
     "mergeConfidence:all-badges",
+    "github>aquaproj/aqua-renovate-config#2.8.2",
+    "github>suzuki-shunsuke/renovate-config:yaml-language-server#3.2.2",
     "github>ppat/renovate-presets#v0.0.3",
     "github>ppat/renovate-presets:dev-tools#v0.0.3",
     "github>ppat/renovate-presets:github-actions#v0.0.3",
+    "github>ppat/coder//.github/renovate/aqua-cli-tools",
+    "github>ppat/coder//.github/renovate/aqua-registry",
     "github>ppat/coder//.github/renovate/template-terraform-provider",
     "github>ppat/coder//.github/renovate/image-cli-tools",
     "github>ppat/coder//.github/renovate/exceptions"
@@ -28,8 +37,13 @@
   "labels": [
     "pr-type:renovate"
   ],
-  "prConcurrentLimit": 20,
+  "prConcurrentLimit": 0,
   "prHourlyLimit": 0,
+  "printConfig": true,
   "rebaseWhen": "behind-base-branch",
+  "suppressNotifications": [
+    "prEditedNotification",
+    "prIgnoreNotification"
+  ],
   "timezone": "US/Eastern"
 }

.github/renovate/aqua-cli-tools.json

@@ -0,0 +1,63 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "packageRules": [
+    {
+      "addLabels": [
+        "dependency-type:cli-tools"
+      ],
+      "matchFileNames": [
+        "**/aqua.yaml"
+      ],
+      "matchManagers": [
+        "custom.regex"
+      ],
+      "matchPackageNames": [
+        "!aquaproj/aqua-registry"
+      ],
+      "semanticCommitScope": "cli-tools",
+      "separateMajorMinor": true,
+      "separateMinorPatch": false,
+      "separateMultipleMajor": false,
+      "separateMultipleMinor": false
+    },
+    {
+      "automerge": true,
+      "groupName": "cli-tools",
+      "matchFileNames": [
+        "**/aqua.yaml"
+      ],
+      "matchManagers": [
+        "custom.regex"
+      ],
+      "matchPackageNames": [
+        "!aquaproj/aqua-registry"
+      ],
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
+      ],
+      "minimumReleaseAge": "7 days",
+      "semanticCommitType": "fix"
+    },
+    {
+      "automerge": false,
+      "commitBody": "BREAKING CHANGE",
+      "commitMessageTopic": "{{packageName}}",
+      "groupName": "{{packageName}}",
+      "matchFileNames": [
+        "**/aqua.yaml"
+      ],
+      "matchManagers": [
+        "custom.regex"
+      ],
+      "matchPackageNames": [
+        "!aquaproj/aqua-registry"
+      ],
+      "matchUpdateTypes": [
+        "major"
+      ],
+      "minimumReleaseAge": "60 days",
+      "semanticCommitType": "feat"
+    }
+  ]
+}

.github/renovate/aqua-registry.json

@@ -0,0 +1,62 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "packageRules": [
+    {
+      "addLabels": [
+        "dependency-type:aqua-registry"
+      ],
+      "commitMessageTopic": "aqua registry: {{packageName}}",
+      "groupName": "{{packageName}}",
+      "matchFileNames": [
+        "**/aqua.yaml"
+      ],
+      "matchManagers": [
+        "custom.regex"
+      ],
+      "matchPackageNames": [
+        "aquaproj/aqua-registry"
+      ],
+      "semanticCommitScope": "aqua-registry",
+      "separateMajorMinor": true,
+      "separateMinorPatch": false,
+      "separateMultipleMajor": true,
+      "separateMultipleMinor": false
+    },
+    {
+      "automerge": true,
+      "matchFileNames": [
+        "**/aqua.yaml"
+      ],
+      "matchManagers": [
+        "custom.regex"
+      ],
+      "matchPackageNames": [
+        "aquaproj/aqua-registry"
+      ],
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
+      ],
+      "minimumReleaseAge": "7 days",
+      "semanticCommitType": "fix"
+    },
+    {
+      "automerge": false,
+      "commitBody": "BREAKING CHANGE",
+      "matchFileNames": [
+        "**/aqua.yaml"
+      ],
+      "matchManagers": [
+        "custom.regex"
+      ],
+      "matchPackageNames": [
+        "aquaproj/aqua-registry"
+      ],
+      "matchUpdateTypes": [
+        "major"
+      ],
+      "minimumReleaseAge": "30 days",
+      "semanticCommitType": "feat"
+    }
+  ]
+}

.github/workflows/lint.yaml

@@ -17,53 +17,42 @@ permissions:
 
 jobs:
   detect-changes:
+    uses: ppat/github-workflows/.github/workflows/detect-changed-files.yaml@cb285d6ad5b04e96daba7a39cce99d1235415523 # v1.1.1
+    with:
+      # yamllint disable-line rule:indentation
+      files_yaml: |
+        actions:
+        - .github/workflows/**
+        docker:
+        - '**/Dockerfile'
+        markdown:
+        - '**.md'
+        renovate:
+        - .github/renovate.json
+        - .github/renovate/**
+        shellscripts:
+        - '**.sh'
+        terraform:
+        - '**.tf'
+        - '**/.terraform-version'
+        - '**/.terraform.lock.hcl'
+        - '.tflint.hcl'
+        yaml:
+        - '**.yaml'
+      git_ref: ${{ github.head_ref || github.ref }}
+
+  terraform-dirs:
+    needs: [detect-changes]
+    runs-on: ubuntu-24.04
+    timeout-minutes: 2
     outputs:
-      actions_any_changed: ${{ steps.changed-files-yaml.outputs.actions_any_changed }}
-      actions_all_changed_files: ${{ steps.changed-files-yaml.outputs.actions_all_changed_files}}
-      docker_any_changed: ${{ steps.changed-files-yaml.outputs.docker_any_changed }}
-      docker_all_changed_files: ${{ steps.changed-files-yaml.outputs.docker_all_changed_files}}
-      markdown_any_changed: ${{ steps.changed-files-yaml.outputs.markdown_any_changed }}
-      markdown_all_changed_files: ${{ steps.changed-files-yaml.outputs.markdown_all_changed_files}}
-      renovate_any_changed: ${{ steps.changed-files-yaml.outputs.renovate_any_changed }}
-      renovate_all_changed_files: ${{ steps.changed-files-yaml.outputs.renovate_all_changed_files}}
-      shellscripts_any_changed: ${{ steps.changed-files-yaml.outputs.shellscripts_any_changed }}
-      shellscripts_all_changed_files: ${{ steps.changed-files-yaml.outputs.shellscripts_all_changed_files}}
-      terraform_any_changed: ${{ steps.changed-files-yaml.outputs.terraform_any_changed }}
-      terraform_all_changed_files: ${{ steps.changed-files-yaml.outputs.terraform_all_changed_files}}
       terraform_dirs: ${{ steps.determine-tf-dirs.outputs.dirs }}
-      yaml_any_changed: ${{ steps.changed-files-yaml.outputs.yaml_any_changed }}
-      yaml_all_changed_files: ${{ steps.changed-files-yaml.outputs.yaml_all_changed_files}}
-    runs-on: ubuntu-24.04
-    timeout-minutes: 5
     steps:
     - name: Checkout
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       with:
         fetch-depth: 1
-
-    - name: Determine what files types have changed
-      id: changed-files-yaml
-      uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46
-      with:
-        files_yaml: |
-          actions:
-          - .github/workflows/**
-          docker:
-          - '**/Dockerfile'
-          markdown:
-          - '**.md'
-          renovate:
-          - .github/renovate.json
-          - .github/renovate/**
-          shellscripts:
-          - '**.sh'
-          terraform:
-          - '**.tf'
-          - '**/.terraform-version'
-          - '**/.terraform.lock.hcl'
-          - '.tflint.hcl'
-          yaml:
-          - '**.yaml'
+        persist-credentials: false
 
     - name: Determine Terraform directories to validate
       id: determine-tf-dirs
@@ -72,9 +61,9 @@ jobs:
         if [[ "${{ github.event_name }}" != "pull_request" ]]; then
           # For workflow_dispatch, validate all terraform directories
           TF_DIRS=$(find templates/ -maxdepth 2 -mindepth 2 -type d -not -name '.*' 2>/dev/null | sort | jq -R -s -c 'split("\n") | map(select(length > 0))')
-        elif [[ "${{ steps.changed-files-yaml.outputs.terraform_any_changed }}" == "true" ]]; then
+        elif [[ "${{ fromJSON(needs.detect-changes.outputs.results).terraform_any_changed }}" == "true" ]]; then
           # For pull requests, check which files changed
-          CHANGED_FILES="${{ steps.changed-files-yaml.outputs.terraform_all_changed_files }}"
+          CHANGED_FILES="${{ fromJSON(needs.detect-changes.outputs.results).terraform_all_changed_files }}"
           TEMPLATE_CHANGES=$(echo "$CHANGED_FILES" | tr ' ' '\n' | grep '^templates/' || true)
           # Otherwise only validate affected templates
           TF_DIRS=$(echo "$TEMPLATE_CHANGES" | grep -o 'templates/[^/]*' | sort | uniq | tr -d ' ' | jq -R -s -c 'split("\n") | map(select(length > 0))')
@@ -86,7 +75,7 @@ jobs:
 
   commit-messages:
     if: ${{ github.event_name == 'pull_request' }}
-    uses: ppat/github-workflows/.github/workflows/lint-commit-messages.yaml@dc55978a6b8efbc82d89b78caa1f41647a02da3c # v0.1.1
+    uses: ppat/github-workflows/.github/workflows/lint-commit-messages.yaml@cb285d6ad5b04e96daba7a39cce99d1235415523 # v1.1.1
     with:
       git_ref: ${{ github.head_ref }}
       fetch_depth: ${{ github.event.pull_request.commits || 0 }}
@@ -95,61 +84,61 @@ jobs:
 
   github-actions:
     needs: [detect-changes]
-    if: ${{ github.event_name != 'pull_request' || needs.detect-changes.outputs.actions_any_changed == 'true' }}
-    uses: ppat/github-workflows/.github/workflows/lint-github-actions.yaml@dc55978a6b8efbc82d89b78caa1f41647a02da3c # v0.1.1
+    if: ${{ github.event_name != 'pull_request' || fromJSON(needs.detect-changes.outputs.results).actions_any_changed == 'true' }}
+    uses: ppat/github-workflows/.github/workflows/lint-github-actions.yaml@cb285d6ad5b04e96daba7a39cce99d1235415523 # v1.1.1
     with:
       git_ref: ${{ github.head_ref || github.ref }}
-      files: ${{ github.event_name != 'pull_request' && 'ALL' || needs.detect-changes.outputs.actions_all_changed_files }}
+      files: ${{ github.event_name != 'pull_request' && 'ALL' || fromJSON(needs.detect-changes.outputs.results).actions_all_changed_files }}
 
   markdown:
     needs: [detect-changes]
-    if: ${{ github.event_name != 'pull_request' || needs.detect-changes.outputs.markdown_any_changed == 'true' }}
-    uses: ppat/github-workflows/.github/workflows/lint-markdown.yaml@dc55978a6b8efbc82d89b78caa1f41647a02da3c # v0.1.1
+    if: ${{ github.event_name != 'pull_request' || fromJSON(needs.detect-changes.outputs.results).markdown_any_changed == 'true' }}
+    uses: ppat/github-workflows/.github/workflows/lint-markdown.yaml@cb285d6ad5b04e96daba7a39cce99d1235415523 # v1.1.1
     with:
       git_ref: ${{ github.head_ref || github.ref }}
-      files: ${{ github.event_name != 'pull_request' && 'ALL' || needs.detect-changes.outputs.markdown_all_changed_files }}
+      files: ${{ github.event_name != 'pull_request' && 'ALL' || fromJSON(needs.detect-changes.outputs.results).markdown_all_changed_files }}
 
   docker-files:
     needs: [detect-changes]
-    if: ${{ github.event_name != 'pull_request' || needs.detect-changes.outputs.docker_any_changed == 'true' }}
-    uses: ppat/github-workflows/.github/workflows/lint-hadolint.yaml@dc55978a6b8efbc82d89b78caa1f41647a02da3c # v0.1.1
+    if: ${{ github.event_name != 'pull_request' || fromJSON(needs.detect-changes.outputs.results).docker_any_changed == 'true' }}
+    uses: ppat/github-workflows/.github/workflows/lint-hadolint.yaml@cb285d6ad5b04e96daba7a39cce99d1235415523 # v1.1.1
     with:
       git_ref: ${{ github.head_ref || github.ref }}
-      files: ${{ github.event_name != 'pull_request' && 'ALL' || needs.detect-changes.outputs.docker_all_changed_files }}
+      files: ${{ github.event_name != 'pull_request' && 'ALL' || fromJSON(needs.detect-changes.outputs.results).docker_all_changed_files }}
 
   pre-commit:
-    uses: ppat/github-workflows/.github/workflows/lint-pre-commit.yaml@dc55978a6b8efbc82d89b78caa1f41647a02da3c # v0.1.1
+    uses: ppat/github-workflows/.github/workflows/lint-pre-commit.yaml@cb285d6ad5b04e96daba7a39cce99d1235415523 # v1.1.1
     with:
       git_ref: ${{ github.head_ref || github.ref }}
 
   renovate-config-check:
     needs: [detect-changes]
-    if: ${{ github.event_name != 'pull_request' || needs.detect-changes.outputs.renovate_any_changed == 'true' }}
-    uses: ppat/github-workflows/.github/workflows/lint-renovate-config-check.yaml@dc55978a6b8efbc82d89b78caa1f41647a02da3c # v0.1.1
+    if: ${{ github.event_name != 'pull_request' || fromJSON(needs.detect-changes.outputs.results).renovate_any_changed == 'true' }}
+    uses: ppat/github-workflows/.github/workflows/lint-renovate-config-check.yaml@cb285d6ad5b04e96daba7a39cce99d1235415523 # v1.1.1
     with:
       git_ref: ${{ github.head_ref || github.ref }}
-      files: ${{ github.event_name != 'pull_request' && 'ALL' || needs.detect-changes.outputs.renovate_all_changed_files }}
+      files: ${{ github.event_name != 'pull_request' && 'ALL' || fromJSON(needs.detect-changes.outputs.results).renovate_all_changed_files }}
 
   shellcheck:
     needs: [detect-changes]
-    if: ${{ github.event_name != 'pull_request' || needs.detect-changes.outputs.shellscripts_any_changed == 'true' }}
-    uses: ppat/github-workflows/.github/workflows/lint-shellcheck.yaml@dc55978a6b8efbc82d89b78caa1f41647a02da3c # v0.1.1
+    if: ${{ github.event_name != 'pull_request' || fromJSON(needs.detect-changes.outputs.results).shellscripts_any_changed == 'true' }}
+    uses: ppat/github-workflows/.github/workflows/lint-shellcheck.yaml@cb285d6ad5b04e96daba7a39cce99d1235415523 # v1.1.1
     with:
       git_ref: ${{ github.head_ref || github.ref }}
-      files: ${{ github.event_name != 'pull_request' && 'ALL' || needs.detect-changes.outputs.shellscripts_all_changed_files }}
+      files: ${{ github.event_name != 'pull_request' && 'ALL' || fromJSON(needs.detect-changes.outputs.results).shellscripts_all_changed_files }}
 
   terraform:
-    needs: [detect-changes]
-    if: ${{ github.event_name != 'pull_request' || needs.detect-changes.outputs.terraform_any_changed == 'true' }}
-    uses: ppat/github-workflows/.github/workflows/lint-terraform.yaml@dc55978a6b8efbc82d89b78caa1f41647a02da3c # v0.1.1
+    needs: [terraform-dirs]
+    if: ${{ github.event_name != 'pull_request' || needs.terraform-dirs.outputs.terraform_dirs != '[]' }}
+    uses: ppat/github-workflows/.github/workflows/lint-terraform.yaml@cb285d6ad5b04e96daba7a39cce99d1235415523 # v1.1.1
     with:
       git_ref: ${{ github.head_ref || github.ref }}
-      tf_dirs: ${{ needs.detect-changes.outputs.terraform_dirs }}
+      tf_dirs: ${{ needs.terraform-dirs.outputs.terraform_dirs }}
 
   yaml:
     needs: [detect-changes]
-    if: ${{ github.event_name != 'pull_request' || needs.detect-changes.outputs.yaml_any_changed == 'true' }}
-    uses: ppat/github-workflows/.github/workflows/lint-yaml.yaml@dc55978a6b8efbc82d89b78caa1f41647a02da3c # v0.1.1
+    if: ${{ github.event_name != 'pull_request' || fromJSON(needs.detect-changes.outputs.results).yaml_any_changed == 'true' }}
+    uses: ppat/github-workflows/.github/workflows/lint-yaml.yaml@cb285d6ad5b04e96daba7a39cce99d1235415523 # v1.1.1
     with:
       git_ref: ${{ github.head_ref || github.ref }}
-      files: ${{ github.event_name != 'pull_request' && 'ALL' || needs.detect-changes.outputs.yaml_all_changed_files }}
+      files: ${{ github.event_name != 'pull_request' && 'ALL' || fromJSON(needs.detect-changes.outputs.results).yaml_all_changed_files }}