-
Notifications
You must be signed in to change notification settings - Fork 382
75 lines (68 loc) · 3.01 KB
/
renovate.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
name: Renovate
on:
# running every hour from 9h to 19h UTC on every working day
schedule:
- cron: '0 9-19 * * 1-5'
# allow to manually trigger this workflow
workflow_dispatch:
inputs:
renovate_log_level_debug:
type: boolean
default: true
push:
branches:
- main
paths:
- '.github/renovate.json5'
jobs:
renovate:
if: ${{ github.repository == 'cilium/tetragon' || github.event_name != 'schedule' }}
runs-on: ubuntu-latest
env:
buildx_version: 'v0.10.5'
steps:
# we need special permission to be able to operate renovate (view, list,
# create issues, PR, etc.) and we use a GitHub application with fine
# grained permissions installed in the repository for that.
- name: Get token
id: get_token
uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1
with:
APP_PEM: ${{ secrets.CILIUM_RENOVATE_PEM }}
APP_ID: ${{ secrets.CILIUM_RENOVATE_APP_ID }}
# buildx is not installed in the renovate container image and we need it
# for the postUpgradeTasks's commands. We take advantage of the fact that
# the renovate GitHub action mounts the /tmp folder in the container to
# transfer the docker CLI plugin binary.
- name: Cache Buildx CLI plugin download
id: cache-buildx
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: /tmp/docker-buildx
key: ${{ runner.os }}-${{ env.buildx_version }}-buildx
- name: Download and set permissions for buildx
if: steps.cache-buildx.outputs.cache-hit != 'true'
run: |
curl -L -o /tmp/docker-buildx https://github.com/docker/buildx/releases/download/${{ env.buildx_version }}/buildx-${{ env.buildx_version }}.linux-amd64
chmod +x /tmp/docker-buildx
# this is not strictly necessary but makes the renovate
# postUpgradeTasks's commands shorter and understandable.
- name: Create and set permissions for install buildx bash script
run: |
echo '#!/bin/bash' > /tmp/install-buildx
echo 'DIR="$HOME/.docker/cli-plugins"' >> /tmp/install-buildx
echo 'mkdir -p "$DIR" && ln -sf /tmp/docker-buildx "$DIR/docker-buildx"' >> /tmp/install-buildx
chmod +x /tmp/install-buildx
# renovate clones the repository again in its container fs but it needs
# the renovate configuration to start.
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Self-hosted Renovate
uses: renovatebot/github-action@0984fb80fc633b17e57f3e8b6c007fe0dc3e0d62 # v40.3.6
env:
# default to DEBUG log level, this is always useful
LOG_LEVEL: ${{ github.event.inputs.renovate_log_level_debug == 'false' && 'INFO' || 'DEBUG' }}
with:
configurationFile: .github/renovate.json5
token: '${{ steps.get_token.outputs.app_token }}'
mount-docker-socket: true