Renovate #45175
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# yoinked from onedr0p and modified | |
# info in comments is accurate as of 2023-11-25 | |
name: "Renovate" | |
on: | |
workflow_call: | |
workflow_dispatch: | |
inputs: | |
dryRun: | |
description: Dry-Run | |
default: "false" | |
required: false | |
logLevel: | |
description: Log-Level | |
default: debug | |
required: false | |
cache: | |
description: Use Renovate cache from GitHub repo's cache? | |
type: choice | |
default: "enabled" | |
options: ["enabled", "disabled", "reset"] | |
paths: | |
description: Paths to run Renovate on. Comma separated without spaces for multiple. | |
required: false | |
managers: | |
description: Managers that Renovate should use. Comma separated without spaces for multiple. | |
required: false | |
schedule: | |
- cron: "0 * * * *" # every hour | |
push: | |
branches: ["main"] | |
paths: | |
- renovate.json5 | |
- .renovaterc.json5 | |
- .renovate/** | |
- .github/renovate** | |
- .github/workflows/renovate.yaml | |
concurrency: | |
group: "${{ github.ref }}" | |
cancel-in-progress: true | |
env: | |
LOG_LEVEL: debug | |
RENOVATE_DRY_RUN: false | |
RENOVATE_PLATFORM: "github" | |
RENOVATE_PLATFORM_COMMIT: "true" | |
# for those forking: set your own secrets in your GitHub repo settings before running | |
# central Renovate for whole user/org | |
RENOVATE_AUTODISCOVER: true | |
RENOVATE_AUTODISCOVER_FILTER: "${{ github.repository_owner }}/*" # this is to prevent forks from running Renovate against upstream repo | |
RENOVATE_INHERIT_CONFIG: true | |
RENOVATE_INHERIT_CONFIG_REPO_NAME: "${{ github.repository }}" | |
RENOVATE_INHERIT_CONFIG_FILE_NAME: ".renovaterc.json5" | |
# run on all repos without needing config | |
RENOVATE_ONBOARDING: false | |
RENOVATE_REQUIRE_CONFIG: "optional" | |
# git user | |
RENOVATE_USERNAME: "${{ secrets.BOT_USERNAME }}[bot]" | |
RENOVATE_GIT_AUTHOR: "${{ secrets.BOT_USERNAME }} <${{ secrets.BOT_API_ID }}+${{ secrets.BOT_USERNAME }}[bot]@users.noreply.github.com>" # get $BOT_API_ID from `curl -s 'https://api.github.com/users/$(BOT_USERNAME)%5Bbot%5D' | yq .id` | |
RENOVATE_HOST_RULES: | # private registries/repos | |
[{"hostType": "docker", "matchHost": "ghcr.io", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}] | |
RENOVATE_REPOSITORY_CACHE: "enabled" # hopefully speed up Renovate | |
GH_CACHE_DIR: "/tmp/renovate/cache/renovate/repository" | |
jobs: | |
renovate: | |
name: Renovate | |
runs-on: ubuntu-latest | |
permissions: | |
packages: read # for private GHCR packages | |
steps: | |
- name: "Generate Short Lived OAuth App Token (ghs_*)" | |
uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1 | |
id: oauth-token | |
with: | |
app-id: "${{ secrets.BOT_APP_ID }}" # $BOT_APP_ID is found in GitHub App main settings page | |
private-key: "${{ secrets.BOT_JWT_PRIVATE_KEY }}" # $BOT_JWT_PRIVATE_KEY is generated in GitHub App main settings page, uses the X.509 private key format | |
owner: "${{ github.repository_owner }}" | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
token: "${{ steps.oauth-token.outputs.token }}" | |
- name: Renovate Cache | |
id: renovate-cache | |
uses: actions/cache@v4 | |
if: github.event.inputs.cache != 'disabled' | |
continue-on-error: true | |
with: | |
path: "${{ env.GH_CACHE_DIR }}" | |
key: "renovate-cache-${{ runner.os }}-${{ github.run_id }}" | |
restore-keys: | | |
renovate-cache-${{ runner.os }} | |
- name: Glue | |
shell: bash | |
run: | | |
# Override default config from dispatch variables | |
echo "RENOVATE_DRY_RUN=${{ github.event.inputs.dryRun || env.RENOVATE_DRY_RUN }}" >> "${GITHUB_ENV}" | |
echo "LOG_LEVEL=${{ github.event.inputs.logLevel || env.LOG_LEVEL }}" >> "${GITHUB_ENV}" | |
echo "RENOVATE_REPOSITORY_CACHE=${{ github.event.inputs.cache || env.RENOVATE_REPOSITORY_CACHE }}" >> "${GITHUB_ENV}" | |
if [[ ! -z "${{ github.event.inputs.paths }}" ]]; then echo "RENOVATE_INCLUDE_PATHS=${{ github.event.inputs.paths }}" >> "${GITHUB_ENV}"; fi | |
if [[ ! -z "${{ github.event.inputs.managers }}" ]]; then echo "RENOVATE_ENABLED_MANAGERS=${{ github.event.inputs.managers }}" >> "${GITHUB_ENV}"; fi | |
# chown /tmp/renovate due to cache screwing permissions | |
# UID from https://github.com/renovatebot/renovate/blob/9c999fb13e8746830a0c163bad9c244b0b926c6a/tools/docker/Dockerfile#L114 | |
mkdir -p /tmp/renovate | |
sudo chown -R 12021:$(id -g) /tmp/renovate | |
- name: Renovate | |
uses: renovatebot/github-action@2be773c4be8361d8182cc1b750e75bbc75af71b0 # v41.0.7 | |
with: | |
token: "${{ steps.oauth-token.outputs.token }}" |