Skip to content

Renovate

Renovate #45175

Workflow file for this run

---
# yoinked from onedr0p and modified
# info in comments is accurate as of 2023-11-25
name: "Renovate"
on:
workflow_call:
workflow_dispatch:
inputs:
dryRun:
description: Dry-Run
default: "false"
required: false
logLevel:
description: Log-Level
default: debug
required: false
cache:
description: Use Renovate cache from GitHub repo's cache?
type: choice
default: "enabled"
options: ["enabled", "disabled", "reset"]
paths:
description: Paths to run Renovate on. Comma separated without spaces for multiple.
required: false
managers:
description: Managers that Renovate should use. Comma separated without spaces for multiple.
required: false
schedule:
- cron: "0 * * * *" # every hour
push:
branches: ["main"]
paths:
- renovate.json5
- .renovaterc.json5
- .renovate/**
- .github/renovate**
- .github/workflows/renovate.yaml
concurrency:
group: "${{ github.ref }}"
cancel-in-progress: true
env:
LOG_LEVEL: debug
RENOVATE_DRY_RUN: false
RENOVATE_PLATFORM: "github"
RENOVATE_PLATFORM_COMMIT: "true"
# for those forking: set your own secrets in your GitHub repo settings before running
# central Renovate for whole user/org
RENOVATE_AUTODISCOVER: true
RENOVATE_AUTODISCOVER_FILTER: "${{ github.repository_owner }}/*" # this is to prevent forks from running Renovate against upstream repo
RENOVATE_INHERIT_CONFIG: true
RENOVATE_INHERIT_CONFIG_REPO_NAME: "${{ github.repository }}"
RENOVATE_INHERIT_CONFIG_FILE_NAME: ".renovaterc.json5"
# run on all repos without needing config
RENOVATE_ONBOARDING: false
RENOVATE_REQUIRE_CONFIG: "optional"
# git user
RENOVATE_USERNAME: "${{ secrets.BOT_USERNAME }}[bot]"
RENOVATE_GIT_AUTHOR: "${{ secrets.BOT_USERNAME }} <${{ secrets.BOT_API_ID }}+${{ secrets.BOT_USERNAME }}[bot]@users.noreply.github.com>" # get $BOT_API_ID from `curl -s 'https://api.github.com/users/$(BOT_USERNAME)%5Bbot%5D' | yq .id`
RENOVATE_HOST_RULES: | # private registries/repos
[{"hostType": "docker", "matchHost": "ghcr.io", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}]
RENOVATE_REPOSITORY_CACHE: "enabled" # hopefully speed up Renovate
GH_CACHE_DIR: "/tmp/renovate/cache/renovate/repository"
jobs:
renovate:
name: Renovate
runs-on: ubuntu-latest
permissions:
packages: read # for private GHCR packages
steps:
- name: "Generate Short Lived OAuth App Token (ghs_*)"
uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
id: oauth-token
with:
app-id: "${{ secrets.BOT_APP_ID }}" # $BOT_APP_ID is found in GitHub App main settings page
private-key: "${{ secrets.BOT_JWT_PRIVATE_KEY }}" # $BOT_JWT_PRIVATE_KEY is generated in GitHub App main settings page, uses the X.509 private key format
owner: "${{ github.repository_owner }}"
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
token: "${{ steps.oauth-token.outputs.token }}"
- name: Renovate Cache
id: renovate-cache
uses: actions/cache@v4
if: github.event.inputs.cache != 'disabled'
continue-on-error: true
with:
path: "${{ env.GH_CACHE_DIR }}"
key: "renovate-cache-${{ runner.os }}-${{ github.run_id }}"
restore-keys: |
renovate-cache-${{ runner.os }}
- name: Glue
shell: bash
run: |
# Override default config from dispatch variables
echo "RENOVATE_DRY_RUN=${{ github.event.inputs.dryRun || env.RENOVATE_DRY_RUN }}" >> "${GITHUB_ENV}"
echo "LOG_LEVEL=${{ github.event.inputs.logLevel || env.LOG_LEVEL }}" >> "${GITHUB_ENV}"
echo "RENOVATE_REPOSITORY_CACHE=${{ github.event.inputs.cache || env.RENOVATE_REPOSITORY_CACHE }}" >> "${GITHUB_ENV}"
if [[ ! -z "${{ github.event.inputs.paths }}" ]]; then echo "RENOVATE_INCLUDE_PATHS=${{ github.event.inputs.paths }}" >> "${GITHUB_ENV}"; fi
if [[ ! -z "${{ github.event.inputs.managers }}" ]]; then echo "RENOVATE_ENABLED_MANAGERS=${{ github.event.inputs.managers }}" >> "${GITHUB_ENV}"; fi
# chown /tmp/renovate due to cache screwing permissions
# UID from https://github.com/renovatebot/renovate/blob/9c999fb13e8746830a0c163bad9c244b0b926c6a/tools/docker/Dockerfile#L114
mkdir -p /tmp/renovate
sudo chown -R 12021:$(id -g) /tmp/renovate
- name: Renovate
uses: renovatebot/github-action@2be773c4be8361d8182cc1b750e75bbc75af71b0 # v41.0.7
with:
token: "${{ steps.oauth-token.outputs.token }}"