Currently dependency update configuration is handled at the repository level using Dependabot configuration. This means that:

- Dependency update tooling isn't enforced across all repositories in the sigstore organisation
- Dependency update tools are recommended by OSSF scorecard[^1]
- There's a lot of manual effort going on to update dependencies that Dependabot doesn't handle

For example this commit updating versions in helm charts can be done by Renovate. Our own helm-charts[^2] are maintained this way.

I'm suggesting an organization-level configuration[^3] for Renovate, with repository level configuration overrides where required. It can evolve and grow over time to better fit the needs of sigstore maintainers, but a simple example might look like:

`sigstore/.github/default.json`

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "description": "Default preset for use with sigstore's repositories",
  "extends": ["config:base"]
}
```

In this repository, with `renovate.json` files in each individual repository that refer back to the organization-level configuration like so:
I am happy to implement this, and narrow down a config that fits your existing workflow, if this would be a welcome contribution 😅
References
Repos that currently have Dependabot configured
Footnotes
[^1]: https://github.com/ossf/scorecard/blob/38be00c31f4f078120219ec3aaa76560835199fb/docs/checks.md?plain=1#L293-L295
[^2]: https://github.com/renovatebot/helm-charts/commit/d7505047211d5c20d7c73e4bf5cb0361c92bd615
[^3]: https://docs.renovatebot.com/config-presets/#organization-level-presets
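The issue shows the organization-level preset but the per-repository `renovate.json` that refers back to it is not on the page. The following is an added example, not part of the issue or of any sigstore repository, of what such a file could look like under the proposal: it pulls in the shared preset via Renovate's `local>` preset source (which resolves `default.json` from the named repository on the same platform, so `local>sigstore/.github` is the assumed path, matching the `sigstore/.github/default.json` above) and then layers one repository-specific override on top. The `packageRules` entry is a constructed illustration of the "repository level configuration overrides" the issue mentions, not a rule any sigstore repository actually uses.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["local>sigstore/.github"],
  "packageRules": [
    {
      "description": "Constructed example override: require manual approval for major updates in this repository only",
      "matchUpdateTypes": ["major"],
      "dependencyDashboardApproval": true
    }
  ]
}
```

Because the repository file only names the preset, a change to `sigstore/.github/default.json` takes effect in every repository that extends it on the next Renovate run; anything placed directly in `renovate.json` is merged on top of the preset and wins on conflict, which is what makes the per-repository override pattern work.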