Added AMI cleanup tool #7

Workflow file for this run

.github/workflows/renovate.yaml at 84bf7c9

	---
	# This should eventually moved to a reusable workflow within this repo
	# This was originally written for cloud-terraform, and later ported to
	# shared-workflows
	name: Update dependencies with Renovate

	on:
	workflow_dispatch:
	inputs:
	dry-run:
	description: "True to test changes without applying them, false otherwise"
	default: false
	required: false
	type: boolean
	log-level:
	description: "Log severity level"
	default: "debug"
	required: false
	type: choice
	options:
	- fatal
	- error
	- warn
	- info
	- debug
	- trace # Warning: this will generate a >512MB log!
	schedule:
	- cron: "0 15 * * 1-5" # 15:00 UTC is 8:00 PST, 1-5 is Monday-Friday
	push:
	branches:
	- main
	paths:
	- .github/workflows/renovate.yaml
	- .github/renovate-repo-config.js
	- .github/renovate.json5
	- .github/renovate/**.json5
	- '**/renovate.json5'
	pull_request:
	paths:
	- .github/workflows/renovate.yaml
	- .github/renovate-repo-config.js
	- .github/renovate.json5
	- .github/renovate/**.json5
	- '**/renovate.json5'

	# There shouldn't ever be a need to run this concurrently and it may avoid
	# some problems
	concurrency:
	cancel-in-progress: true
	group: Only allow one "${{ github.workflow }}" on ${{ github.ref }} run at a time

	env:
	# Default values for inputs when the trigger is not `workflow_dispatch`
	DRY_RUN_DEFAULT: false
	LOG_LEVEL_DEFAULT: debug

	jobs:
	run-renovate:
	name: Update repo dependencies
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	- name: Set PR testing variables
	if: contains(fromJSON('["pull_request", "merge_group"]'), github.event_name)
	env:
	PR_BRANCH: ${{ github.head_ref }}
	run: \|
	echo "PR detected, testing Renovate with a dry run targeting the PR branch"
	echo "DRY_RUN_DEFAULT=true" \| tee -a "$GITHUB_ENV"
	echo "RENOVATE_BASE_BRANCHES=$PR_BRANCH" \| tee -a "$GITHUB_ENV"
	# This script/action will be moved to a separate action in my work
	# immediately following this project. For now it lives here to
	# avoid scope creep.
	#
	# Github can be notoriously difficult to authenticate and talk with.
	# There are four different types of authentication. This step
	# generates an app JWT token, and an app installation token, for
	# other steps that need a specific one.
	- name: Install NPM dependencies
	run: npm install '@octokit/auth-app' '@actions/github'
	- name: Generate Github access tokens
	uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
	id: generate-tokens
	env:
	APP_ID: ${{ vars.PUBLIC_RENOVATE_GHA_APP_ID }}
	PRIVATE_KEY: ${{ secrets.PUBLIC_RENOVATE_GHA_PRIVATE_KEY }}
	with:
	script: \|
	const { createAppAuth } = require("@octokit/auth-app");
	const { getOctokit } = require("@actions/github");

	// App authentication, which uses a JWT
	const appAuthFunction = createAppAuth({appId: process.env.APP_ID, privateKey: process.env.PRIVATE_KEY});
	const appAuth = await appAuthFunction({ type: "app" });
	// TODO export token via `appAuth.token`
	core.setSecret(appAuth.token)
	core.setOutput("app-jwt-token", appAuth.token)
	const appOctokit = getOctokit(appAuth.token);

	// Installation authentication, which uses an installation token
	let installationId = process.env["INSTALLATION_ID"];
	if (installationId === undefined) {
	try {
	// Repo can be specified via `GITHUB_REPOSITORY` env variable
	installationId = (await appOctokit.rest.apps.getRepoInstallation(context.repo)).data.id;
	} catch (error) {
	throw new Error(
	"Could not get repo installation to find ID. Is the app installed on this repo?",
	{ cause: error },
	);
	}
	}
	const installationToken = (await appOctokit.rest.apps.createInstallationAccessToken({installation_id: installationId})).data.token;
	core.setSecret(installationToken)
	core.setOutput("app-installation-token", installationToken)
	# These two actions will also be moved out to a separate repo after this project is complete
	- name: Get app JWT information
	uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
	id: app-jwt-info
	with:
	github-token: ${{ steps.generate-tokens.outputs.app-jwt-token }}
	script: \|
	const appSlug = (await github.rest.apps.getAuthenticated()).data.slug;
	const appUserName = `${appSlug}[bot]`
	core.setOutput("app-username", appUserName);
	- name: Get app installation information
	uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
	id: app-installation-info
	env:
	APP_USERNAME: ${{ steps.app-jwt-info.outputs.app-username }}
	with:
	github-token: ${{ steps.generate-tokens.outputs.app-installation-token }}
	script: \|
	const userId = (await github.rest.users.getByUsername({username: process.env.APP_USERNAME})).data.id
	core.setOutput("user-id", userId);
	core.setOutput("user-email", `${userId}+${process.env.APP_USERNAME}@users.noreply.github.com`);
	- name: Renovate
	uses: renovatebot/github-action@b8ce565a2e98de1fec9696a76fba7beb01ec29b2 # v39.2.3
	env:
	# Config values
	RENOVATE_DRY_RUN: ${{ inputs.dry-run \|\| env.DRY_RUN_DEFAULT }}
	RENOVATE_LOG_FILE_LEVEL: ${{ inputs.log-level \|\| env.LOG_LEVEL_DEFAULT }}
	LOG_LEVEL: ${{ inputs.log-level \|\| env.LOG_LEVEL_DEFAULT }}
	LOG_FORMAT: "text" # Any value but "json" will pretty-print
	RENOVATE_USERNAME: ${{ steps.app-jwt-info.outputs.app-username }}
	RENOVATE_GIT_AUTHOR: "${{ steps.app-jwt-info.outputs.app-username }} <${{ steps.app-installation-info.outputs.user-email }}>"
	RENOVATE_REPOSITORIES: ${{ github.repository }}
	# This is the config for Renovate itself, not the repo-specific config
	RENOVATE_CONFIG_FILE: .github/renovate-repo-config.js
	with:
	token: ${{ steps.generate-tokens.outputs.app-installation-token }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Added AMI cleanup tool #7

Workflow file

Added AMI cleanup tool #7

Jobs

Run details

Workflow file for this run