chore(deps): update dependency gitlab-com/gl-infra/jsonnet-tool to v1.18.0

See merge request !1382

chore(deps): update dependency zricethezav/gitleaks to v8.30.1

See merge request !1385

chore(deps): update ghcr.io/containerbase/base docker tag to v14.6.6

See merge request !1381

chore(deps): update dependency renovate to v43.86.0

See merge request !1383

chore(deps): update dependency bridgecrewio/checkov to v3.2.510

See merge request !1380

chore(deps): update dependency gitlab-com/gl-infra/jsonnet-tool to v1.18.1

See merge request !1386

Renovate v43 changed how postUpgradeTasks commands are executed -
they are now spawned directly as child processes rather than through
a shell. This breaks commands using shell builtins (export, if) and
compound statements.

Wrapping the affected commands in 'bash -c' restores shell execution.

This fixes 'spawn export ENOENT' and 'spawn if ENOENT' errors that
have been causing renovate-ci pipeline failures since the v43 upgrade.

Co-authored-by: Pierre Guinoiseau <pguinoiseau@gitlab.com>

Adds a 3-day minimum release age for packages from PyPI, npm, and
RubyGems as a supply chain security best practice. This provides a
quarantine window for newly published packages before they are
proposed for upgrade, reducing exposure to compromised releases.

This follows the same pattern already used for Terraform upgrades
in this config. Individual projects can override this default for
specific packages where faster adoption is needed.

See https://docs.renovatebot.com/key-concepts/minimum-release-age/

Extends the minimum release age quarantine to dependencies sourced
from GitHub releases and tags, not just package registries.

chore(renovate): relax minimumReleaseAge behaviour and replace matchDepPatterns package rules in common Renovate config

chore(renovate): relax minimumReleaseAge behaviour and replace matchDepPatterns package rules in common Renovate config

See merge request !1391

The jpath input was defined in the spec but never connected to the
JSONNETLINT_JPATH environment variable that the script reads. Wire
the input to the script with deprecation warning for users still
setting the variable directly.

AI-assisted: GitLab Duo Agentic Chat (Claude Opus 4.6)

Fix pre-existing lint issues found by jsonnet-lint 0.21.0:
- std.manifestJsonEx: remove third argument (newline), not supported
- Remove unused local variable 'packages' in known-versions.jsonnet

AI-assisted: GitLab Duo Agentic Chat (Claude Opus 4.6)

Create the Jsonnet CI component library (rules, job, component, includes,
auth) and convert shellcheck.yml as the first component. Extends generate.sh
to use jsonnet-tool yaml for multi-document YAML generation with priority
key ordering.

Includes manitests for all library modules and the shellcheck component.
Adds docs/jsonnet-components.md with the Jsonnet workflow documentation.

AI-assisted: GitLab Duo Agentic Chat (Claude Opus 4.6)

Co-authored-by: Greg Myers <3645992-greg@users.noreply.gitlab.com>

feat(deps): update runway to dependency gitlab-com/gl-infra/platform/runway/runwayctl to v4.20.0

See merge request !1390

## [3.14.0](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/compare/...) (2026-03-25)

### Features

* **deps:** update runway to dependency gitlab-com/gl-infra/platform/runway/runwayctl to v4.20.0 ([af9b2dd8](af9b2dd8))

### Others

* **renovate:** relax minimumReleaseAge behaviour and replace matchDepPatterns package rules in common Renovate config ([2ac5d33f](2ac5d33f))

### Dependencies

* **deps:** update dependency bridgecrewio/checkov to v3.2.510 ([ef2a49c4](ef2a49c4))
* **deps:** update dependency gitlab-com/gl-infra/jsonnet-tool to v1.18.0 ([65796dfc](65796dfc))
* **deps:** update dependency gitlab-com/gl-infra/jsonnet-tool to v1.18.1 ([fdbeb755](fdbeb755))
* **deps:** update dependency renovate to v43.86.0 ([7139b26c](7139b26c))
* **deps:** update dependency zricethezav/gitleaks to v8.30.1 ([66692e0d](66692e0d))
* **deps:** update ghcr.io/containerbase/base docker tag to v14.6.6 ([08924014](08924014))

Jsonnet library and shellcheck PoC

See merge request !1377

## [3.14.1](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/compare/...) (2026-03-26)

### Fixes

* resolve jsonnet-lint errors in renovate config ([46f4ea46](46f4ea46))
* wire jsonnetlint jpath input to JSONNETLINT_JPATH variable ([bdc1ea2e](bdc1ea2e))

### Others

* Jsonnet library and shellcheck PoC ([0b4a970e](0b4a970e))

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v3.14

See merge request !1392

Add default minimum release age for third-party dependencies

See merge request !1389

## [3.14.2](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/compare/...) (2026-03-26)

### Fixes

* add timestamp-optional from MR feedback ([b35c73d6](b35c73d6))

### Others

* add default minimum release age for third-party dependencies ([392d4215](392d4215))
* add github-releases and github-tags to minimum release age rule ([496441c2](496441c2))

### Dependencies

* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v3.14 ([64e3e2e4](64e3e2e4))

chore(deps): update dependency jdx/mise to v2026.3.15

See merge request !1384

fix: wrap postUpgradeTasks shell commands in bash -c for Renovate v43 compat

See merge request !1387

## [3.14.3](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/compare/...) (2026-03-27)

### Fixes

* wrap postUpgradeTasks shell commands in bash -c for Renovate v43 compat ([3a408715](3a408715))

### Dependencies

* **deps:** update dependency jdx/mise to v2026.3.15 ([87547d75](87547d75))

Convert 19 straightforward components that use the library's standard
patterns (rules.standard, rules.linterRules, rules.mrOnly, job.new).

Components: yamllint, editorconfig-check, hclfmt, shfmt, jsonnetfmt,
jsonnetlint, jsonfmt, promlint, yamlfmt, rubocop, terraform-format,
terraform-validate, tflint, terraform-docs, helm-lint, helm-unittest,
gitleaks, gitlint, conftest.

AI-assisted: GitLab Duo Agentic Chat (Claude Opus 4.6)

Convert simple linter, terraform, and helm components to Jsonnet

See merge request !1378

fix: yamllint.yml should use docker_hub_host input so downstream repos can set that variable to CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX and avoid Docker Hub rate limiting

fix: yamllint.yml should use docker_hub_host input so downstream repos can set that variable to CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX and avoid Docker Hub rate limiting

See merge request !1396

## [3.14.4](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/compare/...) (2026-04-01)

### Fixes

* forgot to add it to input specs ([a0920d8c](a0920d8c))
* forgot to add it to input specs ([426d04e5](426d04e5))
* yamllint.yml should use docker_hub_host input so downstream repos can set that variable to CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX and avoid Docker Hub rate limiting ([7e94b6c9](7e94b6c9))

### Others

* convert simple linter, terraform, and helm components to Jsonnet ([4b0154f5](4b0154f5))