diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..cc75321
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,16 @@
+# https://editorconfig.org
+
+root = true
+
+[*]
+charset = utf-8
+indent_style = tab
+indent_size = unset
+end_of_line = lf
+trim_trailing_whitespace = true
+insert_final_newline = true
+max_line_length = 80
+
+[*.yml]
+indent_style = space
+indent_size = 2
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..7a8f4eb
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @Mogyuchi
diff --git a/.github/workflows/_renovate.yml b/.github/workflows/_renovate.yml
new file mode 100644
index 0000000..b8c2c14
--- /dev/null
+++ b/.github/workflows/_renovate.yml
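Review bot: The `[*.yml]` section does not match `config.yaml`, which this same commit adds, so that file falls under the `[*]` defaults where `indent_style = tab` is set, and tabs are not valid indentation in YAML; widen the glob to `[*.{yml,yaml}]`. The `[*]` tab default also covers the JSON files added here (`.prettierrc.json`, `.renovaterc.json`); whether Prettier applies it depends on its editorconfig handling, so an explicit `[*.json]` section with `indent_style = space` would make the intent unambiguous.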
@@ -0,0 +1,84 @@
+on:
+ workflow_call:
+ inputs:
+ renovate_actor:
+ default: "mazi-renovate[bot]"
+ required: true
+ type: string
+ repoCache:
+ description: "Reset or disable the cache?"
+ default: "enabled"
+ required: false
+ type: string
+ dependencyDashboardTitle:
+ default: "Dependency Dashboard"
+ required: false
+ type: string
+ rebaseLabel:
+ default: "rebase"
+ required: false
+ type: string
+ stopUpdatingLabel:
+ default: "stop-updating"
+ required: false
+ type: string
+ secrets:
+ app-id:
+ required: true
+ private-key:
+ required: true
+
+permissions: {}
+
+env:
+ RENOVATE_REPOSITORY_OWNER: 4m-mazi
+ RENOVATE_REPOSITORY_NAME: renovate-workflow
+
+jobs:
+ trigger-renovate:
+ if: >-
+ ${{
+ contains(fromJSON('["push", "workflow_dispatch"]'), github.event_name)
+ || (
+ github.actor != inputs.renovate_actor
+ && (
+ (github.event.issue.title == inputs.dependencyDashboardTitle && github.event.issue.user.login == inputs.renovate_actor)
+ || (
+ github.event.pull_request.user.login == inputs.renovate_actor
+ && github.event.pull_request.merged == false
+ && (
+ (github.event.action == 'labeled' && github.event.label.name == inputs.rebaseLabel)
+ || (github.event.action == 'unlabeled' && github.event.label.name == inputs.stopUpdatingLabel)
+ || contains(fromJSON('["edited", "closed", "synchronize"]'), github.event.action)
+ )
+ )
+ )
+ )
+ }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Generate a token
+ id: generate_token
+ uses: actions/create-github-app-token@ad38cffc07bac6e3857755914c4c88bfd2db4da4 # v1.10.2
+ with:
+ # [permissions]─────────────────────────────────────
+ # [read and write]
+ # repo: Contents
+ # ──────────────────────────────────────────────────
+ app-id: ${{ secrets.app-id }}
+ private-key: ${{ secrets.private-key }}
+ owner: ${{ env.RENOVATE_REPOSITORY_OWNER }}
+ repositories: ${{ env.RENOVATE_REPOSITORY_NAME }}
+
+ - name: "Create a repository dispatch event"
+ env:
+ GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+ RENOVATE_REPO: ${{ env.RENOVATE_REPOSITORY_OWNER }}/${{ env.RENOVATE_REPOSITORY_NAME }}
+ CACHE: ${{ inputs.repoCache }}
+ run: |
+ gh api \
+ --method POST \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ /repos/$RENOVATE_REPO/dispatches \
+ -f "event_type=renovate" -F "client_payload[repoCache]=$CACHE"
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
new file mode 100644
index 0000000..d77237c
--- /dev/null
+++ b/.github/workflows/renovate.yml
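Review bot: The `repoCache` input is a free-form `string` that is forwarded unchecked as `client_payload[repoCache]` in the dispatch step, while the only values the consuming `renovate.yml` distinguishes are `enabled`, `disabled` and `reset`; a one-line guard before the `gh api` call, `[[ "$CACHE" =~ ^(enabled|disabled|reset)?$ ]] || { echo "invalid repoCache: $CACHE" >&2; exit 1; }`, keeps a typo or an unexpected caller value from silently selecting the default behaviour downstream. Passing the values through `env:` rather than interpolating `${{ }}` into `run:` is the right pattern and should be kept. Separately, `renovate_actor` is declared both `required: true` and with a `default`, and the caller in `trigger-renovate.yml` does not pass it; if GitHub enforces `required` on reusable-workflow inputs that call would fail, and if it does not the flag is misleading, so dropping `required: true` and relying on the default states the intent either way.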
@@ -0,0 +1,93 @@
+name: Renovate
+on:
+ repository_dispatch:
+ types: [renovate]
+ schedule:
+ # Run every 30 minutes:
+ - cron: "0,30 * * * *"
+
+permissions: {}
+
+env:
+ cache_dir: /tmp/renovate/cache
+ cache_key: renovate-cache
+ config_file: config.yaml
+ # tool versions
+ # renovate: datasource=docker depName=renovate packageName=ghcr.io/renovatebot/renovate
+ RENOVATE_VERSION: 37.420.0
+
+jobs:
+ renovate:
+ name: Renovate
+ concurrency:
+ group: ${{ github.workflow }}
+ runs-on: ubuntu-latest
+ permissions:
+ actions: write
+ contents: read
+ steps:
+ - uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+ id: restore-cache
+ if: github.event.client_payload.repoCache != 'disabled'
+ with:
+ key: ${{ env.cache_key }}
+ path: ${{ env.cache_dir }}
+
+ - run: sudo chown -R runneradmin:root /tmp/renovate/
+ continue-on-error: true
+
+ - name: Generate a token
+ id: generate_token
+ uses: actions/create-github-app-token@ad38cffc07bac6e3857755914c4c88bfd2db4da4 # v1.10.2
+ with:
+ # [permissions]─────────────────────────────────────────────────────────────────
+ # [read-only]
+ # repo: Administration, Dependabot alerts, Metadata, Packages
+ # org: Members
+ # [read and write]
+ # repo: Checks, Commit statuses, Contents, Issues, Pull requests, Workflows
+ # ──────────────────────────────────────────────────────────────────────────────
+ app-id: ${{ vars.MAZI_RENOVATE_APP_ID }}
+ private-key: ${{ secrets.MAZI_RENOVATE_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+
+ - name: "Checkout ${{ env.config_file }}"
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ sparse-checkout: |
+ ${{ env.config_file }}
+ sparse-checkout-cone-mode: false
+
+ - uses: renovatebot/github-action@21d88b0bf0183abcee15f990011cca090dfc47dd # v40.1.12
+ with:
+ token: ${{ steps.generate_token.outputs.token }}
+ renovate-version: ${{ env.RENOVATE_VERSION }}
+ env-regex: "^(?:RENOVATE_\\w+|FORCE_COLOR|LOG_LEVEL)$"
+ env:
+ # This enables the cache -- if this is set, it's not necessary to add it to renovate.json.
+ RENOVATE_REPOSITORY_CACHE: ${{ github.event.client_payload.repoCache || 'enabled' }}
+ RENOVATE_AUTODISCOVER: true # Renovate runs NOT only on this repository.
+ RENOVATE_DEPENDENCY_DASHBOARD_FOOTER: "- [ ] Check this box to trigger a request for Renovate to run again on this repository"
+ RENOVATE_PLATFORM_COMMIT: true
+ FORCE_COLOR: 3 # chalk.supportsColor
+ LOG_LEVEL: debug
+
+ # customize
+ RENOVATE_CONFIG_FILE: ${{ env.config_file }}
+ RENOVATE_PR_FOOTER: "This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate/tree/${{ env.RENOVATE_VERSION }}). - [View logs](${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }})"
+
+ - run: tree -L 5 -h --du -F -- "${cache_dir}"
+
+ - name: delete old cache
+ if: github.event.client_payload.repoCache != 'disabled' && github.ref_name == github.event.repository.default_branch
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_REPO: ${{ github.repository }}
+ run: gh cache delete ${{ steps.restore-cache.outputs.cache-primary-key }}
+ continue-on-error: true
+
+ - uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+ if: github.event.client_payload.repoCache != 'disabled' && github.ref_name == github.event.repository.default_branch
+ with:
+ key: ${{ steps.restore-cache.outputs.cache-primary-key }}
+ path: ${{ env.cache_dir }}
diff --git a/.github/workflows/trigger-renovate.yml b/.github/workflows/trigger-renovate.yml
new file mode 100644
index 0000000..8843f79
--- /dev/null
+++ b/.github/workflows/trigger-renovate.yml
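Review bot: The `actions/checkout` step that sparse-checks-out `config.yaml` keeps the action's default `persist-credentials: true`, so the job's `GITHUB_TOKEN` is stored in the workspace's `.git/config` even though every later step authenticates with the app token from `generate_token` or an explicit `GH_TOKEN`; add `persist-credentials: false` under that step's `with:` so the Renovate run, which has `RENOVATE_AUTODISCOVER: true` and operates across repositories, never has a second credential lying in the checkout. The `delete old cache` step interpolates `${{ steps.restore-cache.outputs.cache-primary-key }}` directly into `run:`; today the value derives from the constant `env.cache_key`, but moving it into the step's `env:` block next to `GH_TOKEN`/`GH_REPO`, e.g. `CACHE_KEY: ${{ steps.restore-cache.outputs.cache-primary-key }}` and `run: gh cache delete "$CACHE_KEY"`, keeps the shell line free of expression expansion like the rest of the file. `LOG_LEVEL: debug` is also left on unconditionally; debug output for a multi-repository run is large, so it may be worth driving it from the dispatch payload or a variable.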
@@ -0,0 +1,49 @@
+name: Trigger Renovate
+on:
+ issues:
+ # Dependency Dashboard
+ types: [edited]
+ pull_request_target:
+ types:
+ # rebaseLabel
+ - labeled
+ # stopUpdatingLabel
+ - unlabeled
+ # PrControls
+ - edited
+ # ignore update
+ - closed
+ # Edited/Blocked
+ - synchronize
+ branches: ["main"]
+ push:
+ branches:
+ - "main"
+ # https://docs.renovatebot.com/config-validation/#validation-of-renovate-config-change-prs
+ - "renovate/reconfigure"
+ # This lets you dispatch a renovate job with different cache options if you want to reset or disable the cache manually.
+ workflow_dispatch:
+ inputs:
+ repoCache:
+ description: "Reset or disable the cache?"
+ type: choice
+ default: enabled
+ options:
+ - enabled
+ - disabled
+ - reset
+
+permissions: {}
+
+jobs:
+ renovate:
+ uses: 4m-mazi/renovate-workflow/.github/workflows/_renovate.yml@main
+ with:
+ repoCache: ${{ inputs.repoCache }}
+ secrets:
+ # [permissions]─────────────────────────────────────
+ # [read and write]
+ # repo: Contents
+ # ──────────────────────────────────────────────────
+ app-id: ${{ vars.MAZI_TRIGGER_APP_ID }}
+ private-key: ${{ secrets.MAZI_TRIGGER_PRIVATE_KEY }}
diff --git a/.prettierrc.json b/.prettierrc.json
new file mode 100644
index 0000000..81f0005
--- /dev/null
+++ b/.prettierrc.json
@@ -0,0 +1,3 @@
+{
+ "$schema": "https://json.schemastore.org/prettierrc"
+}
diff --git a/.renovaterc.json b/.renovaterc.json
new file mode 100644
index 0000000..a899a27
--- /dev/null
+++ b/.renovaterc.json
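Review bot: `uses: 4m-mazi/renovate-workflow/.github/workflows/_renovate.yml@main` resolves the callee at a mutable branch, so a run triggered by `pull_request_target` executes whatever `main` holds at that moment rather than the `_renovate.yml` committed alongside this caller; within this repository `uses: ./.github/workflows/_renovate.yml` keeps caller and callee at the same commit, and since the README points external consumers at this file as the usage example, they should be told to pin `@<commit SHA>` instead of `@main`. `repoCache: ${{ inputs.repoCache }}` is passed on every event although `inputs.repoCache` is only populated for `workflow_dispatch`, so on `issues`, `pull_request_target` and `push` the callee receives an empty string in place of its declared default `"enabled"`; this only works because `renovate.yml` falls back with `|| 'enabled'`, which deserves a comment on this line, e.g. `# empty on non-dispatch events; renovate.yml treats empty as "enabled"`. The `# PrControls` comment on `- edited` also reads oddly next to `.renovaterc.json` extending `:disablePrControls` for this repository; if PR-body checkboxes are meant for the other autodiscovered repositories, say so in the comment.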
@@ -0,0 +1,34 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:best-practices",
+ ":disableRateLimiting",
+ ":disablePrControls",
+ ":prHourlyLimitNone",
+ ":semanticCommits",
+ "customManagers:githubActionsVersions",
+ "security:openssf-scorecard"
+ ],
+ "platformAutomerge": true,
+ "automergeStrategy": "squash",
+ "automergeType": "branch",
+ "assigneesFromCodeOwners": true,
+ "commitBodyTable": true,
+ "reviewersFromCodeOwners": true,
+ "packageRules": [
+ {
+ "matchManagers": ["custom.regex"],
+ "pinDigests": false
+ },
+ {
+ "matchFileNames": [".github/workflows/**"],
+ "semanticCommitType": "deps",
+ "semanticCommitScope": null
+ },
+ {
+ "matchPackageNames": ["ghcr.io/renovatebot/renovate"],
+ "automerge": true,
+ "ignoreTests": true
+ }
+ ]
+}
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..a02068a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,7 @@
+# Renovate workflow
+
+Run Renovate on GitHub Actions
+
+## Usage
+
+see [trigger-renovate.yml](.github/workflows/trigger-renovate.yml)
diff --git a/config.yaml b/config.yaml
new file mode 100644
index 0000000..fc4fc8e
--- /dev/null
+++ b/config.yaml
@@ -0,0 +1,15 @@
+# yaml-language-server: $schema=https://docs.renovatebot.com/renovate-schema.json
+
+allowedPostUpgradeCommands:
+ - "^corepack use"
+ - "^pnpm install --frozen-lockfile --ignore-scripts$"
+ - "^pnpm run build$"
+onboardingConfigFileName: .renovaterc.json
+
+# HACK
+packageRules:
+ # support corepack integrity
+ - matchDepTypes: [packageManager]
+ postUpgradeTasks:
+ commands:
+ - "corepack use '{{{depName}}}@{{{newVersion}}}'"
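Review bot: `"ignoreTests": true` in the `ghcr.io/renovatebot/renovate` rule lets the Renovate self-update land on `main` without any status check having run or passed, and `main` is exactly what `trigger-renovate.yml` consumes through `@main`, so a broken release reaches the scheduled runner on the next 30-minute tick with nothing in between. The commit adds no CI check that an automerge could wait on, which is presumably why the flag is set; a minimal required job (an actionlint/yamllint run over `.github/workflows/**` would do) plus dropping `"ignoreTests"` gives the branch automerge something to gate on. The `"pinDigests": false` rule for `custom.regex` is consistent with the `RENOVATE_VERSION` line in `renovate.yml` carrying only a version, so that part is fine as written.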
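Review bot: `"^corepack use"` in `allowedPostUpgradeCommands` has no end anchor, unlike the two `pnpm` patterns beside it, so any command that merely starts with that prefix is permitted; the only command this file ever issues is the templated `corepack use '<depName>@<newVersion>'`, so the allow-list can mirror it exactly, e.g. `- "^corepack use '[^'\\s]+@[^'\\s]+'$"`. That tighter form also rejects a `packageManager` value containing a quote or whitespace, which matters because `{{{depName}}}` and `{{{newVersion}}}` are triple-mustache (unescaped) substitutions and the single quotes around them are the only thing keeping the shell from interpreting the value. The `# HACK` and `# support corepack integrity` comments would read better as one sentence saying why the extra `corepack use` step is needed (the page does not state it), so a future maintainer knows when it can be removed.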