kubernetes / autoscaler

Autoscaling components for Kubernetes
Apache License 2.0

Dependabot uses Go RC version #7029

Open Shubham82 opened 1 month ago

Shubham82 commented 1 month ago

Problem: Dependabot uses the Go RC version to update the Golang version for updater, admission-controller, and recommender in VPA. It isn't recommended to use a Golang RC version, so configure Dependabot to ignore the RC version of Go while updating the Golang version.

Ref: Here are the PRs opened by Dependabot for the updater, admission-controller, and recommender to update the Golang version to the RC version:

#7000 #7001 #7002

Proposed Solution: One of the solutions we can use is the ignore option in dependabot.yaml to ignore the RC version.

Shubham82 commented 1 month ago

/kind bug /area vertical-pod-autoscaler

Shubham82 commented 1 month ago

cc @voelzmo @kwiesmueller @adrianmoisey Your thoughts on this?

adrianmoisey commented 1 month ago

I'm happy with this. Those rc PRs are basically noise, avoiding creating them would be good.

kwiesmueller commented 1 month ago

Agree, we should not get those rc versions as suggestions.

adrianmoisey commented 1 month ago

/triage accepted

k8s-ci-robot commented 1 month ago

@adrianmoisey: The label triage/accepted cannot be applied. Only GitHub organization members can add the label.

In response to [this](https://github.com/kubernetes/autoscaler/issues/7029#issuecomment-2228734574):

> /triage accepted

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

voelzmo commented 1 month ago

/triage accepted

Shubham82 commented 1 month ago

Hi, before raising the PR, I just want to confirm whether it is correct to use `versions: [ "*.*rc*" ]` for the versions option under the ignore option. The first asterisk is for the major version. The second asterisk is for the minor version. The third asterisk is for the different RCs (release candidates) of the Go version.

WDYT?

adrianmoisey commented 1 month ago

I think it's worth a try. I see someone else had issues here: https://stackoverflow.com/questions/78712896/how-to-instruct-dependabot-to-ignore-pre-releases-or-release-candidate-versions

Shubham82 commented 1 month ago

> I see someone else had issues here: https://stackoverflow.com/questions/78712896/how-to-instruct-dependabot-to-ignore-pre-releases-or-release-candidate-versions

@adrianmoisey, but `versions: ["*.*.*-rc.*"]` is used in the link you shared. In that, the third `*` is used for the patch version, but the release candidate is released before the actual release (as close as possible to the actual release), so there is no need for a patch release here, and also instead of `-rc` it should be `rc` (e.g. go1.23rc1).

> I think it's worth a try.

Sure, is there any way to check it locally? As Dependabot is a GitHub action, only the repository owner can check this, IMO. @voelzmo @kwiesmueller
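The two candidate patterns compared above can be checked offline against Go-style version tags. This is an added example, not part of the thread and not Dependabot's own code; it assumes the `versions` value is evaluated as a plain shell-style glob, which the thread does not confirm for Dependabot. The names `PATTERNS`, `SAMPLE_TAGS`, `is_prerelease` and `evaluate` are hypothetical, and the sample tags are constructed.

```python
import re
from fnmatch import fnmatchcase

# Go toolchain versions: 1.22, 1.22.5, 1.23rc1, 1.23beta1 (optional "go" prefix).
GO_VERSION = re.compile(r"^(?:go)?(\d+)\.(\d+)(?:\.(\d+))?(?:(rc|beta)(\d+))?$")

# The two candidate ignore patterns compared in the thread.
PATTERNS = {"thread": "*.*rc*", "stackoverflow": "*.*.*-rc.*"}

# Constructed sample tags, not taken from any Dependabot run.
SAMPLE_TAGS = ["1.22.5", "1.23rc1", "1.23rc2", "1.23beta1",
               "1.23.0", "1.23", "1.23.0-rc.1"]


def is_prerelease(tag):
    """True for rc/beta Go tags, False for stable, None if not a Go-style version."""
    m = GO_VERSION.match(tag)
    if m is None:
        return None
    return m.group(4) is not None


def evaluate(pattern, tags):
    """Compare glob matches (assumed semantics) with each tag's parsed status."""
    result = {"ignored": [], "missed_prereleases": [], "wrongly_ignored": []}
    for tag in tags:
        bare = tag[2:] if tag.startswith("go") else tag
        hit = fnmatchcase(bare, pattern)
        pre = is_prerelease(tag)
        if hit:
            result["ignored"].append(tag)
            if pre is False:  # a stable release would be suppressed
                result["wrongly_ignored"].append(tag)
        elif pre:  # a pre-release would still be proposed
            result["missed_prereleases"].append(tag)
    return result


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(name, pattern, evaluate(pattern, SAMPLE_TAGS))
```

Under the glob assumption, `*.*rc*` catches the `1.23rc1`-style tags without suppressing any stable release but leaves `beta` tags unmatched, while `*.*.*-rc.*` only matches semver-style `-rc.` tags.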

adrianmoisey commented 1 month ago

> @adrianmoisey, but `versions: ["*.*.*-rc.*"]` is used in the link you shared. In that, the third `*` is used for the patch version, but the release candidate is released before the actual release (as close as possible to the actual release), so there is no need for a patch release here, and also instead of `-rc` it should be `rc` (e.g. go1.23rc1).

Correct. Those options didn't work for the person posting that post. I like your idea better.

Shubham82 commented 1 month ago

> Correct. Those options didn't work for the person posting that post. I like your idea better.

Thanks @adrianmoisey for taking a look at it. I will open a PR for it, I am just waiting for the other members' views.

Shubham82 commented 1 month ago

I will open a PR for it soon.

/assign

Shubham82 commented 1 month ago

I have raised the PR #7084 for it. PTAL!