Enable automated CVE/security patching for Go modules

[clcollins]

Summary

This PR enables automated security updates for Go module dependencies by leveraging Renovate's security:only-security-updates preset. PRs will only be created when CVEs or security vulnerabilities are detected in Go dependencies.

What Changed

Updated .github/renovate.json to:

• Add security:only-security-updates preset for CVE-only dependency updates
• Enable gomod manager (was disabled by boilerplate's config)
• Re-enable tekton manager to maintain regular pipeline task updates

Behavior

Go Module Updates (gomod)

• ✅ CVE/Security fixes only - PRs created when vulnerabilities detected
• ✅ Uses GitHub vulnerability alerts
• ✅ Uses OSV (Open Source Vulnerability) database
• ✅ PRs tagged with [SECURITY] suffix
• ❌ No regular version bump PRs

Tekton Updates (tekton)

• ✅ Regular pipeline task bundle digest updates
• ✅ Automerge enabled (inherited from boilerplate)
• ✅ Labeled with lgtm and approved

Testing

After merge, monitor for:

1. Konflux PRs created only for Go modules with known CVEs
2. Regular tekton task bundle updates continue
3. No PRs for routine Go dependency version bumps

Expected timeline: 24-48 hours for MintMaker to detect and create first PR (when CVEs exist)

Related Work

• Investigation: SREP-3403
• Implementation: SREP-3419

Documentation References

Renovate Configuration

• security:only-security-updates preset - Official preset for CVE-only updates
• vulnerabilityAlerts option - GitHub vulnerability alert integration
• osvVulnerabilityAlerts option - OSV database integration
• packageRules configuration - Rule-based package update control
• enabledManagers option - Control which dependency managers are active

Konflux/MintMaker

• Konflux MintMaker user guide - How MintMaker discovers and updates dependencies
• MintMaker default config - Base configuration for Konflux Renovate

Technical Details

• Renovate enabledManagers precedence - How enabledManagers override behavior (non-mergeable, last-wins)
• Go modules vulnerability handling - Renovate's approach to Go transitive dependency vulnerabilities

---

🤖 Created with assistance from Claude Code

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: clcollins

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [clcollins]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@clcollins: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.