diff --git a/.github/workflows/_renovate.yml b/.github/workflows/_renovate.yml index 7782768cb..3d45e29b3 100644 --- a/.github/workflows/_renovate.yml +++ b/.github/workflows/_renovate.yml @@ -6,7 +6,7 @@ on: type: string repoCache: description: "Reset or disable the cache?" - default: 'enabled' + default: "enabled" required: false type: string dependencyDashboardTitle: @@ -30,13 +30,14 @@ on: permissions: {} env: - RENOVATE_REPO: 4m-mazi/gh-test + RENOVATE_REPOSITORY_OWNER: 4m-mazi + RENOVATE_REPOSITORY_NAME: gh-test jobs: trigger-renovate: if: >- ${{ - contains(fromJSON('["push", "schedule", "workflow_dispatch"]'), github.event_name) + contains(fromJSON('["push", "workflow_dispatch"]'), github.event_name) || ( github.actor != inputs.renovate_actor && ( @@ -59,12 +60,19 @@ jobs: id: generate_token uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1 with: + # [permissions]───────────────────────────────────── + # [read and write] + # repo: Contents + # ────────────────────────────────────────────────── app-id: ${{ secrets.app-id }} private-key: ${{ secrets.private-key }} + owner: ${{ env.RENOVATE_REPOSITORY_OWNER }} + repositories: ${{ env.RENOVATE_REPOSITORY_NAME }} - - name: 'Create a repository dispatch event' + - name: "Create a repository dispatch event" env: GH_TOKEN: ${{ steps.generate_token.outputs.token }} + RENOVATE_REPO: ${{ env.RENOVATE_REPOSITORY_OWNER }}/${{ env.RENOVATE_REPOSITORY_NAME }} CACHE: ${{ inputs.repoCache }} run: | gh api \ diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 568bdb450..67a753751 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -8,15 +8,10 @@ on: permissions: {} -# Adding these as env variables makes it easy to re-use them in different steps and in bash. env: - # This is the dir renovate provides -- if we set our own directory via cacheDir, we can run into permissions issues. - # It is also possible to cache a higher level of the directory, but it has minimal benefit. While renovate execution - # time gets faster, it also takes longer to upload the cache as it grows bigger. - # cache_dir: /tmp/renovate/cache/renovate/repository cache_dir: /tmp/renovate/cache - # This can be manually changed to bust the cache if neccessary. cache_key: renovate-cache + config_file: config.yaml # tool versions # renovate: datasource=docker depName=renovate packageName=ghcr.io/renovatebot/renovate RENOVATE_VERSION: 37.419.1 @@ -29,6 +24,7 @@ jobs: runs-on: ubuntu-latest permissions: actions: write + contents: read steps: - uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: restore-cache @@ -44,8 +40,23 @@ jobs: id: generate_token uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1 with: + # [permissions]───────────────────────────────────────────────────────────────── + # [read-only] + # repo: Administration, Dependabot alerts, Metadata, Packages + # org: Members + # [read and write] + # repo: Checks, Commit statuses, Contents, Issues, Pull requests, Workflows + # ────────────────────────────────────────────────────────────────────────────── app-id: ${{ vars.MAZI_RENOVATE_APP_ID }} private-key: ${{ secrets.MAZI_RENOVATE_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + + - name: 'Checkout ${{ env.config_file }}' + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + sparse-checkout: | + ${{ env.config_file }} + sparse-checkout-cone-mode: false - uses: renovatebot/github-action@21d88b0bf0183abcee15f990011cca090dfc47dd # v40.1.12 with: @@ -56,7 +67,6 @@ jobs: # This enables the cache -- if this is set, it's not necessary to add it to renovate.json. RENOVATE_REPOSITORY_CACHE: ${{ github.event.client_payload.repoCache || 'enabled' }} RENOVATE_AUTODISCOVER: true # Renovate runs NOT only on this repository. - RENOVATE_AUTODISCOVER_FILTER: "${{ github.repository_owner }}/*" RENOVATE_DEPENDENCY_DASHBOARD_FOOTER: "- [ ] Check this box to trigger a request for Renovate to run again on this repository" RENOVATE_PLATFORM_COMMIT: true FORCE_COLOR: 3 # chalk.supportsColor @@ -64,10 +74,9 @@ jobs: # customize RENOVATE_PR_FOOTER: "This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate/tree/${{ env.RENOVATE_VERSION }}). - [View logs](${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }})" - RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS: '["^pnpm install --frozen-lockfile --ignore-scripts$", "^pnpm run build$"]' - RENOVATE_ONBOARDING_CONFIG_FILE_NAME: .renovaterc.json + RENOVATE_CONFIG_FILE: ${{ env.config_file }} - - run: tree -L 5 -h --du -F "${cache_dir}" + - run: tree -L 5 -h --du -F -C -- "${cache_dir}" - name: delete old cache if: github.event.client_payload.repoCache != 'disabled' && github.ref_name == github.event.repository.default_branch diff --git a/.github/workflows/trigger_renovate.yml b/.github/workflows/trigger_renovate.yml index b9f4e03dc..c369a4947 100644 --- a/.github/workflows/trigger_renovate.yml +++ b/.github/workflows/trigger_renovate.yml @@ -1,4 +1,4 @@ -name: trigger Renovate +name: Trigger Renovate on: issues: # Dependency Dashboard @@ -42,5 +42,9 @@ jobs: renovate_actor: "mazi-renovate[bot]" repoCache: ${{ inputs.repoCache }} secrets: - app-id: ${{ vars.MAZI_RENOVATE_APP_ID }} - private-key: ${{ secrets.MAZI_RENOVATE_PRIVATE_KEY }} + # [permissions]───────────────────────────────────── + # [read and write] + # repo: Contents + # ────────────────────────────────────────────────── + app-id: ${{ vars.MAZI_TRIGGER_APP_ID }} + private-key: ${{ secrets.MAZI_TRIGGER_PRIVATE_KEY }} diff --git a/config.yaml b/config.yaml new file mode 100644 index 000000000..04ee65fe9 --- /dev/null +++ b/config.yaml @@ -0,0 +1,6 @@ +# yaml-language-server: $schema=https://docs.renovatebot.com/renovate-schema.json + +allowedPostUpgradeCommands: + - "^pnpm install --frozen-lockfile --ignore-scripts$" + - "^pnpm run build$" +onboardingConfigFileName: .renovaterc.json