Skip to content

Renovate

Renovate #30033

Workflow file for this run

name: Renovate
on:
# This lets you dispatch a renovate job with different cache options if you want to reset or disable the cache manually.
workflow_dispatch:
inputs:
repoCache:
description: "Reset or disable the cache?"
type: choice
default: enabled
options:
- enabled
- disabled
- reset
schedule:
# Run every 30 minutes:
- cron: "0,30 * * * *"
# Adding these as env variables makes it easy to reuse them in different steps and in bash.
env:
cache_archive: renovate_cache.tar.gz
# This is the dir renovate provides -- if we set our own directory via cacheDir, we can run into permissions issues.
# It is also possible to cache a higher level of the directory, but it has minimal benefit. While renovate execution
# time gets faster, it also takes longer to upload the cache as it grows bigger.
cache_dir: /tmp/renovate/cache/renovate/repository
# This can be manually changed to bust the cache if necessary.
cache_key: renovate-cache
jobs:
renovate:
runs-on: ubuntu-latest
# Prevent running this workflow on forks, it's unnecessary for external contributors
if: github.repository_owner == 'WordPress'
steps:
- uses: actions/checkout@v4
- uses: actions/cache@v4
if: github.event.inputs.repoCache != 'disabled'
continue-on-error: true
with:
path: cache-download
key: ${{ env.cache_key }}
# Using tar to compress and extract the archive isn't strictly necessary, but it can improve
# performance significantly when uploading artifacts with lots of files.
- name: Extract renovate cache
run: |
set -x
# Skip if no cache is set, such as the first time it runs.
if [ ! -d cache-download ] ; then
echo "No cache found."
exit 0
fi
# Make sure the directory exists, and extract it there. Note that it's nested in the download directory.
mkdir -p "$cache_dir"
tar -xzf "cache-download/$cache_archive" -C "$cache_dir"
# Unfortunately, the permissions expected within renovate's docker container
# are different than the ones given after the cache is restored. We have to
# change ownership to solve this. We also need to have correct permissions in
# the entire /tmp/renovate tree, not just the section with the repo cache.
sudo chown -R runneradmin:root /tmp/renovate/
ls -R "$cache_dir"
- uses: renovatebot/[email protected]
with:
# Renovate recommends _not_ to use any of
# [these names](https://docs.renovatebot.com/configuration-options/).
configurationFile: .github/global-renovate.json5
token: ${{ secrets.ACCESS_TOKEN }}
env:
# This enables the cache -- if this is set, it's not necessary to add it to renovate.json.
RENOVATE_REPOSITORY_CACHE: ${{ github.event.inputs.repoCache || 'enabled' }}
# Debug logs to figure out why vulnerability updates aren't occurring
LOG_LEVEL: debug
# Compression helps performance in the upload step!
- name: Compress renovate cache
run: |
ls "$cache_dir"
# The -C is important -- otherwise we end up extracting the files with
# their full path, ultimately leading to a nested directory situation.
# To solve *that*, we'd have to extract to root (/), which isn't safe.
tar -czvf "$cache_archive" -C "$cache_dir" .
- uses: actions/upload-artifact@v4
if: github.event.inputs.repoCache != 'disabled'
with:
name: ${{ env.cache_key }}
path: ${{ env.cache_archive }}
# Since this is updated and restored on every run, we don't need to keep it
# for long. Just make sure this value is large enough that multiple renovate
# runs can happen before older cache archives are deleted.
retention-days: 1