feat: launch Renovate workflow
Mogyuchi committed Jun 27, 2024
1 parent fe86987 commit 1167cf6
Showing 9 changed files with 302 additions and 0 deletions.
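--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,16 @@
+# https://editorconfig.org
+
+root = true
+
+[*]
+charset = utf-8
+indent_style = tab
+indent_size = unset
+end_of_line = lf
+trim_trailing_whitespace = true
+insert_final_newline = true
+max_line_length = 80
+
+[*.yml]
+indent_style = space
+indent_size = 2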
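--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @Mogyuchi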
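--- a/.github/workflows/_renovate.yml
+++ b/.github/workflows/_renovate.yml
@@ -0,0 +1,84 @@
+on:
+workflow_call:
+inputs:
+renovate_actor:
+default: "mazi-renovate[bot]"
+required: true
+type: string
+repoCache:
+description: "Reset or disable the cache?"
+default: "enabled"
+required: false
+type: string
+dependencyDashboardTitle:
+default: "Dependency Dashboard"
+required: false
+type: string
+rebaseLabel:
+default: "rebase"
+required: false
+type: string
+stopUpdatingLabel:
+default: "stop-updating"
+required: false
+type: string
+secrets:
+app-id:
+required: true
+private-key:
+required: true
+
+permissions: {}
+
+env:
+RENOVATE_REPOSITORY_OWNER: 4m-mazi
+RENOVATE_REPOSITORY_NAME: renovate-workflow
+
+jobs:
+trigger-renovate:
+if: >-
+${{
+contains(fromJSON('["push", "workflow_dispatch"]'), github.event_name)
+|| (
+github.actor != inputs.renovate_actor
+&& (
+(github.event.issue.title == inputs.dependencyDashboardTitle && github.event.issue.user.login == inputs.renovate_actor)
+|| (
+github.event.pull_request.user.login == inputs.renovate_actor
+&& github.event.pull_request.merged == false
+&& (
+(github.event.action == 'labeled' && github.event.label.name == inputs.rebaseLabel)
+|| (github.event.action == 'unlabeled' && github.event.label.name == inputs.stopUpdatingLabel)
+|| contains(fromJSON('["edited", "closed", "synchronize"]'), github.event.action)
+)
+)
+)
+)
+}}
+runs-on: ubuntu-latest
+steps:
+- name: Generate a token
+id: generate_token
+uses: actions/create-github-app-token@ad38cffc07bac6e3857755914c4c88bfd2db4da4 # v1.10.2
+with:
+# [permissions]─────────────────────────────────────
+# [read and write]
+# repo: Contents
+# ──────────────────────────────────────────────────
+app-id: ${{ secrets.app-id }}
+private-key: ${{ secrets.private-key }}
+owner: ${{ env.RENOVATE_REPOSITORY_OWNER }}
+repositories: ${{ env.RENOVATE_REPOSITORY_NAME }}
+
+- name: "Create a repository dispatch event"
+env:
+GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+RENOVATE_REPO: ${{ env.RENOVATE_REPOSITORY_OWNER }}/${{ env.RENOVATE_REPOSITORY_NAME }}
+CACHE: ${{ inputs.repoCache }}
+run: |
+gh api \
+--method POST \
+-H "Accept: application/vnd.github+json" \
+-H "X-GitHub-Api-Version: 2022-11-28" \
+/repos/$RENOVATE_REPO/dispatches \
+-f "event_type=renovate" -F "client_payload[repoCache]=$CACHE"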
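Review bot: `renovate_actor` is declared with both `required: true` and a default, while the caller in trigger-renovate.yml passes only `repoCache`; depending on how the platform treats that combination, the call is either rejected or the default is used silently. This value decides which account the `if:` gate on `trigger-renovate` trusts before the app token is minted, so it should resolve predictably: use `required: false`, as the other inputs with defaults do. A short comment above the `if:` would also help the next reader audit the gate, stating that apart from `push` and `workflow_dispatch` only events on the bot's own dashboard issue or unmerged pull requests, triggered by a different actor, may reach the token step.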
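--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -0,0 +1,93 @@
+name: Renovate
+on:
+repository_dispatch:
+types: [renovate]
+schedule:
+# Run every 30 minutes:
+- cron: "0,30 * * * *"
+
+permissions: {}
+
+env:
+cache_dir: /tmp/renovate/cache
+cache_key: renovate-cache
+config_file: config.yaml
+# tool versions
+# renovate: datasource=docker depName=renovate packageName=ghcr.io/renovatebot/renovate
+RENOVATE_VERSION: 37.420.0
+
+jobs:
+renovate:
+name: Renovate
+concurrency:
+group: ${{ github.workflow }}
+runs-on: ubuntu-latest
+permissions:
+actions: write
+contents: read
+steps:
+- uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+id: restore-cache
+if: github.event.client_payload.repoCache != 'disabled'
+with:
+key: ${{ env.cache_key }}
+path: ${{ env.cache_dir }}
+
+- run: sudo chown -R runneradmin:root /tmp/renovate/
+continue-on-error: true
+
+- name: Generate a token
+id: generate_token
+uses: actions/create-github-app-token@ad38cffc07bac6e3857755914c4c88bfd2db4da4 # v1.10.2
+with:
+# [permissions]─────────────────────────────────────────────────────────────────
+# [read-only]
+# repo: Administration, Dependabot alerts, Metadata, Packages
+# org: Members
+# [read and write]
+# repo: Checks, Commit statuses, Contents, Issues, Pull requests, Workflows
+# ──────────────────────────────────────────────────────────────────────────────
+app-id: ${{ vars.MAZI_RENOVATE_APP_ID }}
+private-key: ${{ secrets.MAZI_RENOVATE_PRIVATE_KEY }}
+owner: ${{ github.repository_owner }}
+
+- name: "Checkout ${{ env.config_file }}"
+uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+with:
+sparse-checkout: |
+${{ env.config_file }}
+sparse-checkout-cone-mode: false
+
+- uses: renovatebot/github-action@21d88b0bf0183abcee15f990011cca090dfc47dd # v40.1.12
+with:
+token: ${{ steps.generate_token.outputs.token }}
+renovate-version: ${{ env.RENOVATE_VERSION }}
+env-regex: "^(?:RENOVATE_\\w+|FORCE_COLOR|LOG_LEVEL)$"
+env:
+# This enables the cache -- if this is set, it's not necessary to add it to renovate.json.
+RENOVATE_REPOSITORY_CACHE: ${{ github.event.client_payload.repoCache || 'enabled' }}
+RENOVATE_AUTODISCOVER: true # Renovate runs NOT only on this repository.
+RENOVATE_DEPENDENCY_DASHBOARD_FOOTER: "- [ ] <!-- manual job -->Check this box to trigger a request for Renovate to run again on this repository"
+RENOVATE_PLATFORM_COMMIT: true
+FORCE_COLOR: 3 # chalk.supportsColor
+LOG_LEVEL: debug
+
+# customize
+RENOVATE_CONFIG_FILE: ${{ env.config_file }}
+RENOVATE_PR_FOOTER: "This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate/tree/${{ env.RENOVATE_VERSION }}). - [View logs](${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }})"
+
+- run: tree -L 5 -h --du -F -- "${cache_dir}"
+
+- name: delete old cache
+if: github.event.client_payload.repoCache != 'disabled' && github.ref_name == github.event.repository.default_branch
+env:
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+GH_REPO: ${{ github.repository }}
+run: gh cache delete ${{ steps.restore-cache.outputs.cache-primary-key }}
+continue-on-error: true
+
+- uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+if: github.event.client_payload.repoCache != 'disabled' && github.ref_name == github.event.repository.default_branch
+with:
+key: ${{ steps.restore-cache.outputs.cache-primary-key }}
+path: ${{ env.cache_dir }}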
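Review bot: `RENOVATE_AUTODISCOVER: true` is set without an autodiscover filter, and the second `Generate a token` step passes only `owner`, so the run appears to cover every repository the app installation can reach, with the read-and-write permissions listed in the comment (Contents, Workflows and others). If that breadth is intended, say so next to the variable; otherwise narrow it with `RENOVATE_AUTODISCOVER_FILTER: "<owner>/<repo-pattern>"` or a `repositories:` list on the token step. With `LOG_LEVEL: debug` and a PR footer that links to the run, details of every discovered repository land in this repository's Actions logs, which matters if any of them are private. In the `delete old cache` step, pass the key through `env:` and reference it as a quoted shell variable rather than expanding `${{ steps.restore-cache.outputs.cache-primary-key }}` inside `run:`.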
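--- a/.github/workflows/trigger-renovate.yml
+++ b/.github/workflows/trigger-renovate.yml
@@ -0,0 +1,49 @@
+name: Trigger Renovate
+on:
+issues:
+# Dependency Dashboard
+types: [edited]
+pull_request_target:
+types:
+# rebaseLabel
+- labeled
+# stopUpdatingLabel
+- unlabeled
+# PrControls
+- edited
+# ignore update
+- closed
+# Edited/Blocked
+- synchronize
+branches: ["main"]
+push:
+branches:
+- "main"
+# https://docs.renovatebot.com/config-validation/#validation-of-renovate-config-change-prs
+- "renovate/reconfigure"
+# This lets you dispatch a renovate job with different cache options if you want to reset or disable the cache manually.
+workflow_dispatch:
+inputs:
+repoCache:
+description: "Reset or disable the cache?"
+type: choice
+default: enabled
+options:
+- enabled
+- disabled
+- reset
+
+permissions: {}
+
+jobs:
+renovate:
+uses: 4m-mazi/renovate-workflow/.github/workflows/_renovate.yml@main
+with:
+repoCache: ${{ inputs.repoCache }}
+secrets:
+# [permissions]─────────────────────────────────────
+# [read and write]
+# repo: Contents
+# ──────────────────────────────────────────────────
+app-id: ${{ vars.MAZI_TRIGGER_APP_ID }}
+private-key: ${{ secrets.MAZI_TRIGGER_PRIVATE_KEY }}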
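Review bot: The reusable workflow is referenced as `_renovate.yml@main`, a mutable ref, while every third-party action in this commit is pinned to a commit SHA. The job hands the trigger app's `private-key` to whatever `main` contains at run time and is started by `pull_request_target`, so any repository that copies this file (the README points to it as the usage example) inherits every later change to that branch without review. Pin the reference, e.g. `uses: 4m-mazi/renovate-workflow/.github/workflows/_renovate.yml@<commit-sha> # <tag>`, and let Renovate propose the digest updates.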
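--- a/.prettierrc.json
+++ b/.prettierrc.json
@@ -0,0 +1,3 @@
+{
+"$schema": "https://json.schemastore.org/prettierrc"
+}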
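--- a/.renovaterc.json
+++ b/.renovaterc.json
@@ -0,0 +1,34 @@
+{
+"$schema": "https://docs.renovatebot.com/renovate-schema.json",
+"extends": [
+"config:best-practices",
+":disableRateLimiting",
+":disablePrControls",
+":prHourlyLimitNone",
+":semanticCommits",
+"customManagers:githubActionsVersions",
+"security:openssf-scorecard"
+],
+"platformAutomerge": true,
+"automergeStrategy": "squash",
+"automergeType": "branch",
+"assigneesFromCodeOwners": true,
+"commitBodyTable": true,
+"reviewersFromCodeOwners": true,
+"packageRules": [
+{
+"matchManagers": ["custom.regex"],
+"pinDigests": false
+},
+{
+"matchFileNames": [".github/workflows/**"],
+"semanticCommitType": "deps",
+"semanticCommitScope": null
+},
+{
+"matchPackageNames": ["ghcr.io/renovatebot/renovate"],
+"automerge": true,
+"ignoreTests": true
+}
+]
+}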
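Review bot: The last package rule sets `"automerge": true` with `"ignoreTests": true` for `ghcr.io/renovatebot/renovate`, and with `"automergeType": "branch"` the bump lands on the default branch with no pull request and no check. That package appears to be the `RENOVATE_VERSION` tag in renovate.yml, maintained through the custom regex manager for which `pinDigests` is switched off, so a newly published image tag is adopted unreviewed and then runs with the app token. Consider adding `"minimumReleaseAge": "3 days"` to that rule (the value is a sample), or dropping `ignoreTests` once a status check exists.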
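--- a/README.md
+++ b/README.md
@@ -0,0 +1,7 @@
+# Renovate workflow
+
+Run Renovate on GitHub Actions
+
+## Usage
+
+see [trigger-renovate.yml](.github/workflows/trigger-renovate.yml)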
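--- a/config.yaml
+++ b/config.yaml
@@ -0,0 +1,15 @@
+# yaml-language-server: $schema=https://docs.renovatebot.com/renovate-schema.json
+
+allowedPostUpgradeCommands:
+- "^corepack use"
+- "^pnpm install --frozen-lockfile --ignore-scripts$"
+- "^pnpm run build$"
+onboardingConfigFileName: .renovaterc.json
+
+# HACK
+packageRules:
+# support corepack integrity
+- matchDepTypes: [packageManager]
+postUpgradeTasks:
+commands:
+- "corepack use '{{{depName}}}@{{{newVersion}}}'"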
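Review bot: The first entry of `allowedPostUpgradeCommands`, `"^corepack use"`, has no end anchor, unlike the two `pnpm` patterns, so any command string that merely begins with `corepack use` passes the allow-list. Because renovate.yml enables autodiscover and discovered repositories can define their own `postUpgradeTasks`, this list is the main limit on what executes inside the job; narrow the pattern to the single form used in `packageRules` below and end it with `$`. Whether Renovate matches the pattern before or after template expansion should be confirmed when writing it. The `^pnpm run build$` entry deserves a comment as well, since it runs whatever build script the target repository defines.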
