From 17b14cf51c97d0c8ecf8c1d69039ea1c2b446b17 Mon Sep 17 00:00:00 2001
From: Joe Corall
Date: Tue, 17 Dec 2024 17:13:41 -0500
Subject: [PATCH] Add Renovate bot (#10)
---
 .github/workflows/github-release.yml | 1 -
 .github/workflows/goreleaser.yml | 3 +-
 .github/workflows/lint-test-build-push.yml | 6 +-
 .github/workflows/validate-renovate.yml | 21 +++++++
 Dockerfile | 39 ++++++++-----
 renovate.json5 | 67 ++++++++++++++++++++++
 6 files changed, 118 insertions(+), 19 deletions(-)
 create mode 100644 .github/workflows/validate-renovate.yml
 create mode 100644 renovate.json5
diff --git a/.github/workflows/github-release.yml b/.github/workflows/github-release.yml
index d84fe51..c954579 100644
--- a/.github/workflows/github-release.yml
+++ b/.github/workflows/github-release.yml
@@ -28,4 +28,3 @@ jobs: gh workflow run goreleaser.yml --ref $TAG env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
index 1351163..d88f13d 100644
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@@ -20,7 +20,7 @@ jobs: fetch-depth: 0 - name: Set up Go - uses: actions/setup-go@v3 + uses: actions/setup-go@v5 - name: Run GoReleaser uses: goreleaser/goreleaser-action@v4
@@ -30,4 +30,3 @@ jobs: args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -
diff --git a/.github/workflows/lint-test-build-push.yml b/.github/workflows/lint-test-build-push.yml
index 4a72a65..984c40a 100644
--- a/.github/workflows/lint-test-build-push.yml
+++ b/.github/workflows/lint-test-build-push.yml
@@ -1,9 +1,7 @@ name: lint-test on: push: - schedule: - # Mondays 7:15 EST - - cron: '15 11 * * 1' + permissions: contents: read
@@ -15,6 +13,8 @@ jobs: - uses: actions/setup-go@v5 + - uses: hadolint/hadolint-action@v3.1.0 + - name: golangci-lint uses: golangci/golangci-lint-action@v6 with:
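Review bot: The new `hadolint/hadolint-action@v3.1.0` step in the second lint-test-build-push.yml hunk is pinned by a mutable tag, while the validate-renovate.yml workflow added in this same commit pins its actions to full commit SHAs with a `# v4` version comment; a tag can be re-pointed by the action's maintainers, a commit SHA cannot. Since renovate.json5 extends `config:best-practices`, which as far as I know enables GitHub Actions digest pinning, Renovate will probably propose the SHA form later anyway, but writing it now keeps both workflows consistent: `- uses: hadolint/hadolint-action@<commit-sha> # v3.1.0`. The same applies to the tag-pinned `actions/setup-go@v5` and `golangci/golangci-lint-action@v6` context lines in this hunk and to `actions/setup-go@v5` in the goreleaser.yml hunk above. The first lint-test hunk removes the weekly cron trigger; if Renovate PRs are now meant to provide the periodic re-lint on the default branch that is fine, otherwise nothing runs this workflow between pushes.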
diff --git a/.github/workflows/validate-renovate.yml b/.github/workflows/validate-renovate.yml
new file mode 100644
index 0000000..e47a269
--- /dev/null
+++ b/.github/workflows/validate-renovate.yml
@@ -0,0 +1,21 @@
+name: validate renovate.json5
+
+on:
+ pull_request:
+
+env:
+ LOG_LEVEL: debug
+
+jobs:
+ renovate-config-validator:
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+
+ - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4
+ with:
+ node-version: 20
+
+ - run: npx -p renovate renovate-config-validator renovate.json5
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 93931fa..1b5ef69 100644
--- a/Dockerfile
+++ b/Dockerfile
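Review bot: The new workflow declares no `permissions:` block, so its `GITHUB_TOKEN` receives whatever the repository default grants, whereas lint-test-build-push.yml in this same commit scopes itself to `contents: read`; this job only needs to read the checkout, so add a top-level `permissions:` with `contents: read`. The `run` step resolves `npx -p renovate` to whatever the latest `renovate` npm release is at run time, so every pull request executes an unpinned, network-fetched package in CI even though the two actions above it are carefully SHA-pinned; pin it as `npx -p renovate@<version> renovate-config-validator renovate.json5` and bump it deliberately (by hand or via a Renovate custom manager). The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.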
@@ -2,21 +2,34 @@ FROM golang:1.22-bookworm
 WORKDIR /app
-RUN apt-get update \
- && apt-get install -y curl git jq sudo ca-certificates \
- && install -m 0755 -d /etc/apt/keyrings \
- && curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc \
- && chmod a+r /etc/apt/keyrings/docker.asc \
- && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null \
- && apt-get update \
- && apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# hadolint ignore=SC1091
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
+ curl=7.88.1-10+deb12u8 \
+ git=1:2.39.5-0+deb12u1 \
+ jq=1.6-2.1 \
+ sudo=1.9.13p3-1+deb12u1 \
+ ca-certificates=20230311 && \
+ install -m 0755 -d /etc/apt/keyrings && \
+ curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc && \
+ chmod a+r /etc/apt/keyrings/docker.asc && \
+ echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null && \
+ apt-get update && \
+ apt-get install -y --no-install-recommends \
+ docker-ce=5:27.4.0-1~debian.12~bookworm \
+ docker-ce-cli=5:27.4.0-1~debian.12~bookworm \
+ containerd.io=1.7.24-1 \
+ docker-buildx-plugin=0.19.2-1~debian.12~bookworm \
+ docker-compose-plugin=2.31.0-1~debian.12~bookworm && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/*
 COPY . 
./
-RUN go mod download \
- && go build -o /app/rollout \
- && go clean -cache -modcache
+RUN go mod download && \
+ go build -o /app/rollout && \
+ go clean -cache -modcache
 ENTRYPOINT [ "/app/rollout"]
diff --git a/renovate.json5 b/renovate.json5
new file mode 100644
index 0000000..e772b12
--- /dev/null
+++ b/renovate.json5
@@ -0,0 +1,67 @@
+{
+ "extends": [
+ "config:best-practices",
+ ":rebaseStalePrs",
+ "regexManagers:dockerfileVersions"
+ ],
+ "packageRules": [
+ {
+ "matchPackagePatterns": [
+ "*"
+ ],
+ "matchUpdateTypes": [
+ "minor",
+ "patch",
+ "digest"
+ ],
+ "groupName": "all non-major dependencies",
+ "schedule": [
+ "after 10pm on Friday"
+ ]
+ },
+ {
+ "matchManagers": [
+ "gomod"
+ ],
+ "postUpdateOptions": [
+ "gomodTidy"
+ ],
+ "groupName": "gomod updates"
+ },
+ {
+ "matchManagers": [
+ "dockerfile"
+ ],
+ "groupName": "Dockerfile updates"
+ },
+ {
+ "matchManagers": [
+ "github-actions"
+ ],
+ "groupName": "GitHub Actions updates",
+ "schedule": [
+ "after 10pm on Friday"
+ ]
+ },
+ {
+ "matchPackagePatterns": [
+ "*"
+ ],
+ "matchUpdateTypes": [
+ "major"
+ ],
+ "groupName": "all major updates",
+ "schedule": [
+ "after 10pm on the first day of the month"
+ ]
+ }
+ ],
+ "labels": [
+ "dependencies"
+ ],
+ "osvVulnerabilityAlerts": true,
+ "dependencyDashboardOSVVulnerabilitySummary": "unresolved",
+ "vulnerabilityAlerts": {
+ "enabled": true
+ }
+}
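Review bot: The exact apt version pins introduced in the new `RUN` (for example `curl=7.88.1-10+deb12u8`, `git=1:2.39.5-0+deb12u1`, `sudo=1.9.13p3-1+deb12u1`) will break the image build as soon as a Debian security update supersedes one of them, because deb.debian.org removes superseded package versions from its index and `apt-get install pkg=version` fails on a version it cannot find; the Docker repository pins (`docker-ce=5:27.4.0-1~debian.12~bookworm` and friends) appear to keep old versions available, but they too never move on their own. Nothing in this hunk lets Renovate refresh them: the `regexManagers:dockerfileVersions` preset that the new renovate.json5 extends matches `# renovate: datasource=... depName=...` comments placed above `ENV`/`ARG` lines, and these pins are plain install arguments with no such annotation. Either move each version into an annotated `ARG` (one `# renovate:` comment plus one `ARG NAME=version` line per package, referenced as `curl=${CURL_VERSION}` in the install list) so the preset can track them, or drop the pins and silence hadolint DL3008 with an ignore comment, trading reproducibility for a build that keeps working and picks up security fixes. Separately, the rewritten `curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc` line trusts the repository signing key without any fingerprint check, so the apt signature chain for the docker packages rests entirely on the TLS connection to download.docker.com; a comment stating that, or a `gpg --show-keys` fingerprint comparison against a value committed here, would make the trust decision explicit.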
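Review bot: `matchPackagePatterns` (used in the first and last `packageRules` entries) and the `regexManagers:dockerfileVersions` preset name are, as far as I know, deprecated in current Renovate releases in favour of `matchPackageNames: ["*"]` and `customManagers:dockerfileVersions`; the config still loads through Renovate's automatic migration, but the new validate-renovate job will then print migration warnings on every pull request, so it is worth writing the current names now. Grouping `digest` updates with minor and patch under a Friday-only schedule means refreshed action SHAs and image digests wait up to a week; that is a reasonable trade-off only because `vulnerabilityAlerts` is enabled and, as I understand Renovate's defaults, vulnerability-alert PRs are not bound by `schedule`, which deserves a short comment above the `vulnerabilityAlerts` block since JSON5 permits comments and the intent is otherwise invisible. `:rebaseStalePrs` rebases every open Renovate PR whenever the default branch moves, which re-runs CI (including the Docker build above) for each of them on every merge; fine for a small repository, but it is a cost to be aware of as the dependency count grows.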