Add Renovate bot (#10)

lehigh-university-libraries · Dec 17, 2024 · 17b14cf · 17b14cf
1 parent 61aee00
commit 17b14cf
Show file tree

Hide file tree

Showing 6 changed files with 118 additions and 19 deletions.
diff --git a/.github/workflows/github-release.yml b/.github/workflows/github-release.yml
@@ -28,4 +28,3 @@ jobs:
           gh workflow run goreleaser.yml --ref $TAG
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
@@ -20,7 +20,7 @@ jobs:
           fetch-depth: 0
       -
         name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
       -
         name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v4
@@ -30,4 +30,3 @@ jobs:
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
diff --git a/.github/workflows/lint-test-build-push.yml b/.github/workflows/lint-test-build-push.yml
@@ -1,9 +1,7 @@
 name: lint-test
 on:
   push:
-  schedule:
-    # Mondays 7:15 EST
-    - cron: '15 11 * * 1'
+
 permissions:
   contents: read
 
@@ -15,6 +13,8 @@ jobs:
 
       - uses: actions/setup-go@v5
 
+      - uses: hadolint/[email protected]
+
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v6
         with:

diff --git a/.github/workflows/validate-renovate.yml b/.github/workflows/validate-renovate.yml
@@ -0,0 +1,21 @@
+name: validate renovate.json5
+
+on:
+  pull_request:
+
+env:
+  LOG_LEVEL: debug
+
+jobs:
+  renovate-config-validator:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+
+      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4
+        with:
+          node-version: 20
+
+      - run: npx -p renovate renovate-config-validator renovate.json5
diff --git a/Dockerfile b/Dockerfile
@@ -2,21 +2,34 @@ FROM golang:1.22-bookworm
 
 WORKDIR /app
 
-RUN apt-get update \
-  && apt-get install -y curl git jq sudo ca-certificates \
-  && install -m 0755 -d /etc/apt/keyrings \
-  && curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc \
-  && chmod a+r /etc/apt/keyrings/docker.asc \
-  && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null \
-  && apt-get update \
-  && apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin \
-  && apt-get clean \
-  && rm -rf /var/lib/apt/lists/*
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# hadolint ignore=SC1091
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+      curl=7.88.1-10+deb12u8 \
+      git=1:2.39.5-0+deb12u1 \
+      jq=1.6-2.1 \
+      sudo=1.9.13p3-1+deb12u1 \
+      ca-certificates=20230311 && \
+    install -m 0755 -d /etc/apt/keyrings && \
+    curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc && \
+    chmod a+r /etc/apt/keyrings/docker.asc && \
+    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends \
+      docker-ce=5:27.4.0-1~debian.12~bookworm \
+      docker-ce-cli=5:27.4.0-1~debian.12~bookworm \
+      containerd.io=1.7.24-1 \
+      docker-buildx-plugin=0.19.2-1~debian.12~bookworm \
+      docker-compose-plugin=2.31.0-1~debian.12~bookworm && \
+   apt-get clean && \
+   rm -rf /var/lib/apt/lists/*
 
 COPY . ./
 
-RUN go mod download \
-  && go build -o /app/rollout \
-  && go clean -cache -modcache
+RUN go mod download && \
+   go build -o /app/rollout && \
+   go clean -cache -modcache
 
 ENTRYPOINT [ "/app/rollout"]
diff --git a/renovate.json5 b/renovate.json5
@@ -0,0 +1,67 @@
+{
+  "extends": [
+    "config:best-practices",
+    ":rebaseStalePrs",
+    "regexManagers:dockerfileVersions"
+  ],
+  "packageRules": [
+    {
+      "matchPackagePatterns": [
+        "*"
+      ],
+      "matchUpdateTypes": [
+        "minor",
+        "patch",
+        "digest"
+      ],
+      "groupName": "all non-major dependencies",
+      "schedule": [
+        "after 10pm on Friday"
+      ]
+    },
+    {
+      "matchManagers": [
+        "gomod"
+      ],
+      "postUpdateOptions": [
+        "gomodTidy"
+      ],
+      "groupName": "gomod updates"
+    },
+    {
+      "matchManagers": [
+        "dockerfile"
+      ],
+      "groupName": "Dockerfile updates"
+    },
+    {
+      "matchManagers": [
+        "github-actions"
+      ],
+      "groupName": "GitHub Actions updates",
+      "schedule": [
+        "after 10pm on Friday"
+      ]
+    },
+    {
+      "matchPackagePatterns": [
+        "*"
+      ],
+      "matchUpdateTypes": [
+        "major"
+      ],
+      "groupName": "all major updates",
+      "schedule": [
+        "after 10pm on the first day of the month"
+      ]
+    }
+  ],
+  "labels": [
+    "dependencies"
+  ],
+  "osvVulnerabilityAlerts": true,
+  "dependencyDashboardOSVVulnerabilitySummary": "unresolved",
+  "vulnerabilityAlerts": {
+    "enabled": true
+  }
+}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -28,4 +28,3 @@ jobs:
		gh workflow run goreleaser.yml --ref $TAG
		env:
		GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}