experiment: enable renovate

holyspectral · Jan 6, 2025 · 910a57f · 910a57f
1 parent cdc7f63
commit 910a57f
Show file tree

Hide file tree

Showing 2 changed files with 100 additions and 0 deletions.
diff --git a/.github/renovate.json b/.github/renovate.json
@@ -0,0 +1,19 @@
+{
+  "extends": ["github>rancher/renovate-config#release"],
+  "baseBranches": ["main"],
+  "packageRules": [
+    {
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "automerge": true,
+      "pinDigests": true,
+      "schedule": ["every weekend after 4am"]
+    },
+    {
+      "matchPackageNames": ["renovate/renovate"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "automerge": true,
+      "schedule": ["every weekend after 4am"]
+    }
+  ]
+}
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
@@ -0,0 +1,81 @@
+name: Renovate
+on:
+  workflow_call:
+    inputs:
+      logLevel:
+        description: "Override default log level"
+        required: false
+        default: "info"
+        type: string
+      overrideSchedule:
+        description: "Override all schedules"
+        required: false
+        default: "false"
+        type: string
+      runner:
+        description: "Value to be used on runs-on"
+        required: false
+        default: '["ubuntu-latest"]'
+        type: string
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: "Override default log level"
+        required: false
+        default: "info"
+        type: string
+      overrideSchedule:
+        description: "Override all schedules"
+        required: false
+        default: "false"
+        type: string
+      runner:
+        description: "Value to be used on runs-on"
+        required: false
+        default: '["ubuntu-latest"]'
+        type: string
+  schedule:
+    - cron: '30 4,6 * * 6,0'
+
+concurrency: renovate
+
+env:
+  # Specify what Renovate version to use (this is separate from the github-action version)
+  RENOVATE_VERSION: "37.440.7"
+  # Repository taken from variable to keep configuration file generic
+  RENOVATE_REPOSITORIES: ${{ github.repository }}
+  # Onboarding not needed for self hosted
+  RENOVATE_ONBOARDING: "false"
+  # Username for GitHub authentication (should match GitHub App name + [bot])
+  RENOVATE_USERNAME: "renovate-neuvector[bot]"
+  # Git commit author used, must match GitHub App
+  RENOVATE_GIT_AUTHOR: "renovate-neuvector <renovate-neuvector[bot]@users.noreply.github.com>"
+  # Use GitHub API to create commits (this allows for signed commits from GitHub App)
+  RENOVATE_PLATFORM_COMMIT: "true"
+  # Override schedule if set
+  RENOVATE_FORCE: ${{ github.event.inputs.overrideSchedule == 'true' && '{''schedule'':null}' || '' }}
+  # Override loglevel if set
+  LOG_LEVEL: ${{ inputs.logLevel || 'info' }}
+  RENOVATE_CONFIG_FILE: .github/renovate.json
+
+jobs:
+  renovate:
+    runs-on: ${{fromJSON(inputs.runner)}}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Validate and printout config
+        run: jq -e . "${RENOVATE_CONFIG_FILE}"
+      - name: Get token
+        id: get_token
+        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+        with:
+          app-id: ${{ secrets.RENOVATE_APP_ID }}
+          private-key: ${{ secrets.RENOVATE_PRIVATE_KEY }}
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@e1db501385ddcccbaae6fb9c06befae04f379f23 # v40.2.10
+        with:
+          renovate-version: ${{ env.RENOVATE_VERSION }}
+          configurationFile: ${{ env.RENOVATE_CONFIG_FILE }}
+          token: "${{ steps.get_token.outputs.token }}"
+