ci: Grouping renovate updates #573
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: 'Renovate' | |
| on: # yamllint disable-line rule:truthy | |
| workflow_dispatch: | |
| inputs: | |
| repoCache: | |
| description: 'Reset or disable the cache?' | |
| type: 'choice' | |
| default: 'enabled' | |
| options: | |
| - 'enabled' | |
| - 'disabled' | |
| - 'reset' | |
| renovateLogLevel: | |
| description: 'Renovate Log Level' | |
| type: 'choice' | |
| default: 'debug' | |
| options: | |
| - 'debug' | |
| - 'info' | |
| - 'warn' | |
| - 'error' | |
| - 'fatal' | |
| schedule: | |
| - cron: '0 */3 * * *' | |
| pull_request_target: | |
| types: | |
| - 'opened' | |
| - 'synchronize' | |
| paths: | |
| - '.github/workflows/renovate.yml' | |
| - '.github/renovate.json5' | |
| - '.github/renovate_global.js' | |
| push: | |
| branches: | |
| - 'main' | |
| paths: | |
| - '.github/workflows/renovate.yml' | |
| - '.github/renovate.json5' | |
| - '.github/renovate_global.js' | |
| # Declare default permissions as read only | |
| permissions: 'read-all' | |
| # Adding these as env variables makes it easy to re-use them in different steps and in bash. | |
| env: | |
| # cache for the actual renovate run | |
| cache_archive: 'renovate_cache.tar.gz' | |
| # This is the dir renovate provides | |
| # If we set our own directory via cacheDir, we can run into permissions issues. | |
| # It is also possible to cache a higher level of the directory, but it has minimal benefit. While renovate execution | |
| # time gets faster, it also takes longer to upload the cache as it grows bigger. | |
| cache_dir: '/tmp/renovate/cache/renovate/repository' | |
| # This can be manually changed to bust the cache if neccessary. | |
| # cache for the actual renovate run | |
| cache_key: 'renovate-cache' | |
| jobs: | |
| validate-config: | |
| # run the schedule only on the main repository - manual runs via workflow_dispatch still work | |
| if: >- | |
| ( | |
| github.event_name == 'schedule' && | |
| github.repository == 'sscheib/ansible-role-file_deployment' | |
| ) || ( | |
| github.event_name != 'schedule' | |
| ) | |
| runs-on: 'ubuntu-latest' | |
| steps: | |
| - name: 'Harden Runner' | |
| uses: 'step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6' # v2.8.1 | |
| with: | |
| disable-sudo: true | |
| egress-policy: 'block' | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| github.com:443 | |
| nodejs.org:443 | |
| objects.githubusercontent.com:443 | |
| registry.npmjs.org:443 | |
| - name: 'Checkout the repository' | |
| uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # v4.1.7 | |
| - name: 'Install NodeJS' | |
| uses: 'actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b' # v4.0.3 | |
| with: | |
| # renovate dep: datasource=npm depName=node | |
| node-version: '20.15.1' | |
| - name: 'Install renovate and run renovate-config-validator' | |
| run: | | |
| # renovate: datasource=npm | |
| npm install [email protected] | |
| npx --yes --package renovate -- renovate-config-validator --strict || exit 1 | |
| check-user-permissions: | |
| runs-on: 'ubuntu-latest' | |
| needs: 'validate-config' | |
| outputs: | |
| require-result: '${{ steps.check-access.outputs.require-result }}' | |
| steps: | |
| - name: 'Harden Runner' | |
| uses: 'step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6' # v2.8.1 | |
| with: | |
| egress-policy: 'block' | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| github.com:443 | |
| - name: 'Get User Permissions' | |
| id: 'check-access' | |
| uses: 'actions-cool/check-user-permission@956b2e73cdfe3bcb819bb7225e490cb3b18fd76e' # v2.2.1 | |
| with: | |
| require: 'write' | |
| username: '${{ github.triggering_actor }}' | |
| env: | |
| GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}' | |
| - name: 'Check User Permission' | |
| if: "steps.check-access.outputs.require-result == 'false'" | |
| run: | | |
| echo "${{ github.triggering_actor }} does not have permissions on this repo." | |
| echo "Current permission level is ${{ steps.check-access.outputs.user-permission }}" | |
| echo "Job originally triggered by ${{ github.actor }}" | |
| renovate: | |
| runs-on: 'ubuntu-latest' | |
| needs: 'check-user-permissions' | |
| if: "needs.check-user-permissions.outputs.require-result == 'true'" | |
| permissions: | |
| contents: 'write' | |
| pull-requests: 'write' | |
| steps: | |
| - name: 'Harden Runner' | |
| uses: 'step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6' # v2.8.1 | |
| with: | |
| egress-policy: 'block' | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| console.redhat.com:443 | |
| cdn.quay.io:443 | |
| cdn01.quay.io:443 | |
| cdn02.quay.io:443 | |
| cdn03.quay.io:443 | |
| galaxy.ansible.com:443 | |
| ghcr.io:443 | |
| github.com:443 | |
| objects.githubusercontent.com:443 | |
| pkg-containers.githubusercontent.com:443 | |
| pypi.org:443 | |
| registry.npmjs.org:443 | |
| registry.redhat.io:443 | |
| sso.redhat.com:443 | |
| - name: 'Checkout the repository' | |
| uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # v4.1.7 | |
| with: | |
| # check out the pull request's HEAD | |
| ref: '${{ github.event.pull_request.head.sha }}' | |
| - name: 'Download cache of the previous workflow run' | |
| uses: 'dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11' # v6 | |
| if: "github.event.inputs.repoCache != 'disabled'" | |
| continue-on-error: true | |
| with: | |
| name: '${{ env.cache_key }}' | |
| path: 'cache-download' | |
| - name: 'Extract Renovate cache to improve performance' | |
| if: "github.event.inputs.repoCache != 'disabled'" | |
| run: | | |
| set -x | |
| # Skip if no cache is set, such as the first time it runs. | |
| if [ ! -d cache-download ] ; then | |
| echo "No cache found." | |
| exit 0 | |
| fi | |
| # Make sure the directory exists, and extract it there. Note that it's nested in the download directory. | |
| mkdir -p "${cache_dir}" | |
| tar -xzf "cache-download/${cache_archive}" -C "${cache_dir}" | |
| # Unfortunately, the permissions expected within renovate's docker container | |
| # are different than the ones given after the cache is restored. We have to | |
| # change ownership to solve this. We also need to have correct permissions in | |
| # the entire /tmp/renovate tree, not just the section with the repo cache. | |
| sudo chown -R "runneradmin:root" "/tmp/renovate/" | |
| ls -R "${cache_dir}" | |
| - name: 'Authenticate to console.redhat.com' | |
| run: | | |
| # exit immediately if a command fails | |
| set -o errexit | |
| # make the whole pipe fail if any commands within the pipe fail | |
| set -o pipefail | |
| # treats unset variables as an error while performing parameter expansion | |
| # special parameters $* and $@ are not affected from this | |
| set -o nounset | |
| # set the parameters for curl | |
| params=( | |
| "https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token" | |
| "-d" | |
| "grant_type=refresh_token" | |
| "-d" | |
| "client_id=cloud-services" | |
| "-d" | |
| "refresh_token=${{ secrets.AUTOMATION_HUB_TOKEN }}" | |
| "--silent" | |
| "--show-error" | |
| ) | |
| # authenticate and retrieve the bearer token # noqa: line-length | |
| bearerToken="$(curl "${params[@]}" | jq --raw-output .access_token)" | |
| # mask the bearer token to prevent leaking | |
| echo "::add-mask::${bearerToken}" | |
| # make the bearer token visible to other workflow steps | |
| echo RENOVATE_AUTOMATION_HUB_AUTH_TOKEN="${bearerToken}" >> "${GITHUB_ENV}" | |
| - name: 'Run Renovate' | |
| uses: 'renovatebot/github-action@042670e39b8d7335e992c3fa526ecbfbd52ef57b' # v40.2.2 | |
| with: | |
| # yamllint disable-line rule:line-length | |
| # renovate self-update: datasource=docker depName=renovatebot/renovate registryUrl=https://ghcr.io | |
| renovate-version: '37.431.4' | |
| configurationFile: '.github/renovate_global.js' | |
| token: '${{ secrets.renovate_token }}' | |
| env: | |
| RENOVATE_REPOSITORY_CACHE: "${{ github.event.inputs.repoCache || 'enabled' }}" | |
| RENOVATE_REPOSITORIES: '${{ github.repository }}' | |
| RENOVATE_CRC_USERNAME: '${{ secrets.CRC_USERNAME }}' | |
| RENOVATE_CRC_PASSWORD: '${{ secrets.CRC_PASSWORD }}' | |
| RENOVATE_GHCR_TOKEN: '${{ secrets.GITHUB_TOKEN }}' | |
| RENOVATE_GHCR_USERNAME: '${{ github.actor }}' | |
| LOG_LEVEL: "${{ github.event.inputs.renovateLogLevel || 'debug' }}" | |
| - name: 'Compress Renovate cache to improve performance' | |
| if: "github.event.inputs.repoCache != 'disabled'" | |
| run: | | |
| # The -C is important, as otherwise we end up extracting the files with | |
| # their full path, ultimately leading to a nested directory situation. | |
| tar -czvf "${cache_archive}" -C "${cache_dir}" . | |
| - name: 'Upload compressed cache' | |
| uses: 'actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b' # v4.3.4 | |
| if: "github.event.inputs.repoCache != 'disabled'" | |
| with: | |
| name: '${{ env.cache_key }}' | |
| path: '${{ env.cache_archive }}' | |
| # Since this is updated and restored on every run, we don't need to keep it | |
| # for long. Just make sure this value is large enough that multiple renovate | |
| # runs can happen before older cache archives are deleted. | |
| retention-days: 1 | |
| ... |