Skip to content

ci: Renaming EE group #569

ci: Renaming EE group

ci: Renaming EE group #569

Workflow file for this run

---
name: 'Renovate'
on: # yamllint disable-line rule:truthy
workflow_dispatch:
inputs:
repoCache:
description: 'Reset or disable the cache?'
type: 'choice'
default: 'enabled'
options:
- 'enabled'
- 'disabled'
- 'reset'
renovateLogLevel:
description: 'Renovate Log Level'
type: 'choice'
default: 'debug'
options:
- 'debug'
- 'info'
- 'warn'
- 'error'
- 'fatal'
schedule:
- cron: '0 */3 * * *'
pull_request_target:
types:
- 'opened'
- 'synchronize'
paths:
- '.github/workflows/renovate.yml'
- '.github/renovate.json5'
- '.github/renovate_global.js'
push:
branches:
- 'main'
paths:
- '.github/workflows/renovate.yml'
- '.github/renovate.json5'
- '.github/renovate_global.js'
# Declare default permissions as read only
permissions: 'read-all'
# Adding these as env variables makes it easy to re-use them in different steps and in bash.
env:
# cache for the actual renovate run
cache_archive: 'renovate_cache.tar.gz'
# This is the dir renovate provides
# If we set our own directory via cacheDir, we can run into permissions issues.
# It is also possible to cache a higher level of the directory, but it has minimal benefit. While renovate execution
# time gets faster, it also takes longer to upload the cache as it grows bigger.
cache_dir: '/tmp/renovate/cache/renovate/repository'
# This can be manually changed to bust the cache if neccessary.
# cache for the actual renovate run
cache_key: 'renovate-cache'
jobs:
validate-config:
# run the schedule only on the main repository - manual runs via workflow_dispatch still work
if: >-
(
github.event_name == 'schedule' &&
github.repository == 'sscheib/ansible-role-file_deployment'
) || (
github.event_name != 'schedule'
)
runs-on: 'ubuntu-latest'
steps:
- name: 'Harden Runner'
uses: 'step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6' # v2.8.1
with:
disable-sudo: true
egress-policy: 'block'
allowed-endpoints: >
api.github.com:443
github.com:443
nodejs.org:443
objects.githubusercontent.com:443
registry.npmjs.org:443
- name: 'Checkout the repository'
uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # v4.1.7
- name: 'Install NodeJS'
uses: 'actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b' # v4.0.3
with:
# renovate dep: datasource=npm depName=node
node-version: '20.15.1'
- name: 'Install renovate and run renovate-config-validator'
run: |
# renovate: datasource=npm
npm install [email protected]
npx --yes --package renovate -- renovate-config-validator --strict || exit 1
check-user-permissions:
runs-on: 'ubuntu-latest'
needs: 'validate-config'
outputs:
require-result: '${{ steps.check-access.outputs.require-result }}'
steps:
- name: 'Harden Runner'
uses: 'step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6' # v2.8.1
with:
egress-policy: 'block'
allowed-endpoints: >
api.github.com:443
github.com:443
- name: 'Get User Permissions'
id: 'check-access'
uses: 'actions-cool/check-user-permission@956b2e73cdfe3bcb819bb7225e490cb3b18fd76e' # v2.2.1
with:
require: 'write'
username: '${{ github.triggering_actor }}'
env:
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
- name: 'Check User Permission'
if: "steps.check-access.outputs.require-result == 'false'"
run: |
echo "${{ github.triggering_actor }} does not have permissions on this repo."
echo "Current permission level is ${{ steps.check-access.outputs.user-permission }}"
echo "Job originally triggered by ${{ github.actor }}"
renovate:
runs-on: 'ubuntu-latest'
needs: 'check-user-permissions'
if: "needs.check-user-permissions.outputs.require-result == 'true'"
permissions:
contents: 'write'
pull-requests: 'write'
steps:
- name: 'Harden Runner'
uses: 'step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6' # v2.8.1
with:
egress-policy: 'block'
allowed-endpoints: >
api.github.com:443
console.redhat.com:443
cdn.quay.io:443
cdn01.quay.io:443
cdn02.quay.io:443
cdn03.quay.io:443
galaxy.ansible.com:443
ghcr.io:443
github.com:443
objects.githubusercontent.com:443
pkg-containers.githubusercontent.com:443
pypi.org:443
registry.npmjs.org:443
registry.redhat.io:443
sso.redhat.com:443
- name: 'Checkout the repository'
uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # v4.1.7
with:
# check out the pull request's HEAD
ref: '${{ github.event.pull_request.head.sha }}'
- name: 'Download cache of the previous workflow run'
uses: 'dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11' # v6
if: "github.event.inputs.repoCache != 'disabled'"
continue-on-error: true
with:
name: '${{ env.cache_key }}'
path: 'cache-download'
- name: 'Extract Renovate cache to improve performance'
if: "github.event.inputs.repoCache != 'disabled'"
run: |
set -x
# Skip if no cache is set, such as the first time it runs.
if [ ! -d cache-download ] ; then
echo "No cache found."
exit 0
fi
# Make sure the directory exists, and extract it there. Note that it's nested in the download directory.
mkdir -p "${cache_dir}"
tar -xzf "cache-download/${cache_archive}" -C "${cache_dir}"
# Unfortunately, the permissions expected within renovate's docker container
# are different than the ones given after the cache is restored. We have to
# change ownership to solve this. We also need to have correct permissions in
# the entire /tmp/renovate tree, not just the section with the repo cache.
sudo chown -R "runneradmin:root" "/tmp/renovate/"
ls -R "${cache_dir}"
- name: 'Authenticate to console.redhat.com'
run: |
# exit immediately if a command fails
set -o errexit
# make the whole pipe fail if any commands within the pipe fail
set -o pipefail
# treats unset variables as an error while performing parameter expansion
# special parameters $* and $@ are not affected from this
set -o nounset
# set the parameters for curl
params=(
"https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token"
"-d"
"grant_type=refresh_token"
"-d"
"client_id=cloud-services"
"-d"
"refresh_token=${{ secrets.AUTOMATION_HUB_TOKEN }}"
"--silent"
"--show-error"
)
# authenticate and retrieve the bearer token # noqa: line-length
bearerToken="$(curl "${params[@]}" | jq --raw-output .access_token)"
# mask the bearer token to prevent leaking
echo "::add-mask::${bearerToken}"
# make the bearer token visible to other workflow steps
echo RENOVATE_AUTOMATION_HUB_AUTH_TOKEN="${bearerToken}" >> "${GITHUB_ENV}"
- name: 'Run Renovate'
uses: 'renovatebot/github-action@042670e39b8d7335e992c3fa526ecbfbd52ef57b' # v40.2.2
with:
# yamllint disable-line rule:line-length
# renovate self-update: datasource=docker depName=renovatebot/renovate registryUrl=https://ghcr.io
renovate-version: '37.431.4'
configurationFile: '.github/renovate_global.js'
token: '${{ secrets.renovate_token }}'
env:
RENOVATE_REPOSITORY_CACHE: "${{ github.event.inputs.repoCache || 'enabled' }}"
RENOVATE_REPOSITORIES: '${{ github.repository }}'
RENOVATE_CRC_USERNAME: '${{ secrets.CRC_USERNAME }}'
RENOVATE_CRC_PASSWORD: '${{ secrets.CRC_PASSWORD }}'
RENOVATE_GHCR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
RENOVATE_GHCR_USERNAME: '${{ github.actor }}'
LOG_LEVEL: "${{ github.event.inputs.renovateLogLevel || 'debug' }}"
- name: 'Compress Renovate cache to improve performance'
if: "github.event.inputs.repoCache != 'disabled'"
run: |
# The -C is important, as otherwise we end up extracting the files with
# their full path, ultimately leading to a nested directory situation.
tar -czvf "${cache_archive}" -C "${cache_dir}" .
- name: 'Upload compressed cache'
uses: 'actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b' # v4.3.4
if: "github.event.inputs.repoCache != 'disabled'"
with:
name: '${{ env.cache_key }}'
path: '${{ env.cache_archive }}'
# Since this is updated and restored on every run, we don't need to keep it
# for long. Just make sure this value is large enough that multiple renovate
# runs can happen before older cache archives are deleted.
retention-days: 1
...