Draft: Configure renovate to replace sast bot

What does this MR do?

As part of Replace sast-analyzer-deps-bot with renovate (gitlab-org/gitlab#557439), we are deprecating SASTBot in favor of Renovate for managing SAST analyzer dependencies.

This MR updates Semgrep with scripts required for Renovate.

Todo

Overview of changes

This work spans several repos:

  • Changelog Parser (MR1, MR2):
    • Added an update command to inject {{MERGE_REQUEST_ID}} placeholders into CHANGELOG.md
  • Renovate gitlab bot (MR):
    • Added the Semgrep config to trigger dependency updates
    • Defined postUpgradeTasks to run download-changelog-parser.sh and the update command
  • Semgrep (This MR):
    • Added download-changelog-parser.sh to download the changelog-parser binary
    • Added the update-changelog.yml CI template
  • CI Templates (MR):
    • Added update-changelog.yml containing the update changelog mrid job
    • This job replaces {{MERGE_REQUEST_ID}} in the changelog with the actual MR ID

Renovate flow:

  1. In the semgrep job of Renovate's pipeline
    1. Renovate creates a branch (renovate/all-dependencies) in gitlab-renovate-forks/semgrep and opens an MR against semgrep.
    2. The postUpgradeTask will:
      1. Download the changelog-parser binary with the download-changelog-parser.sh script
      2. Run the update command to add dependency details and {{MERGE_REQUEST_ID}} placeholders to CHANGELOG.md
  2. In the gitlab-renovate-forks/semgrep pipeline, the update changelog mrid job
    1. Replaces {{MERGE_REQUEST_ID}} with the actual MR ID
    2. Runs in the gitlab-renovate-forks/semgrep repo and makes a merge request API call to semgrep to retrieve the MR ID.

Verification

  1. Delete any existing renovate/all-dependencies branch in gitlab-renovate-forks/semgrep.
    1. This will close any existing renovate MRs and allow us to simulate the full Renovate dependency update flow.
  2. Rerun this job from the renovate-gitlab-bot MR where I've
    1. Disabled dry run to trigger a full renovate job
    2. Temporarily removed all other projects
  3. This creates the renovate/all-dependencies branch and an MR in semgrep
    1. It initially adds {{MERGE_REQUEST_ID}} placeholders in CHANGELOG.md
    2. Once update changelog mrid runs successfully, the {{MERGE_REQUEST_ID}} placeholders are replaced with the actual MR ID.
    3. Currently 3 pipelines are triggered due to a workaround for forked MRs targeting non-default branches.
      1. I've temporarily targeted the smtan/configure-renovate branch to validate this flow
      2. Once we target the main branch, only a single pipeline will run (example CS MR)

What are the relevant issue numbers?

Replace sast-analyzer-deps-bot with renovate (gitlab-org/gitlab#557439)

Does this MR meet the acceptance criteria?

Edited by Shao Ming Tan
