renovate.yaml
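---
# This should eventually be moved to a reusable workflow within this repo.
# This was originally written for cloud-terraform, and later ported to
# shared-workflows.
name: Update dependencies with Renovate

on:
  workflow_dispatch:
    inputs:
      dry-run:
        description: "True to test changes without applying them, false otherwise"
        default: false
        required: false
        type: boolean
      log-level:
        description: "Log severity level"
        default: "debug"
        required: false
        type: choice
        options:
          - fatal
          - error
          - warn
          - info
          - debug
          - trace  # Warning: this will generate a >512MB log!
  schedule:
    - cron: "0 15 * * 1-5"  # 15:00 UTC is 8:00 PST, 1-5 is Monday-Friday
  push:
    branches:
      - main
    paths:
      - .github/workflows/renovate.yaml
      - .github/renovate-repo-config.js
      - .github/renovate.json5
      - .github/renovate/**.json5
      - '**/renovate.json5'
  # NOTE(review): on pull_request the checkout below is the PR's merge ref, so
  # a PR that edits renovate-repo-config.js is run with its own revision of
  # that JS file (RENOVATE_CONFIG_FILE) and the app installation token minted
  # further down. Fork PRs presumably fail at token generation because secrets
  # are not exposed to them, so this mainly concerns same-repo PRs; keep the
  # app's installation permissions minimal and review changes to these config
  # files with that in mind.
  pull_request:
    paths:
      - .github/workflows/renovate.yaml
      - .github/renovate-repo-config.js
      - .github/renovate.json5
      - .github/renovate/**.json5
      - '**/renovate.json5'

# Least privilege for the workflow's own GITHUB_TOKEN: only the checkout relies
# on it. The github-script steps either pass an explicit app token via
# `github-token` or use their own octokit client, and the Renovate action is
# given the installation token via `with.token`.
permissions:
  contents: read

# There shouldn't ever be a need to run this concurrently and it may avoid
# some problems.
concurrency:
  cancel-in-progress: true
  group: Only allow one "${{ github.workflow }}" on ${{ github.ref }} run at a time

env:
  # Default values for inputs when the trigger is not `workflow_dispatch`.
  # Quoted so they are unambiguously the strings "false"/"debug" (env values
  # are always strings; the `${{ env.* }}` fallbacks below read them as such).
  # The PR step further down overrides DRY_RUN_DEFAULT to "true" via GITHUB_ENV.
  DRY_RUN_DEFAULT: "false"
  LOG_LEVEL_DEFAULT: "debug"

jobs:
  run-renovate:
    name: Update repo dependencies
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1

      # `github.head_ref` is PR-author-controlled text; it is passed through
      # `env` rather than interpolated into the script so it is expanded by the
      # shell as data, not as part of the command. `merge_group` is matched
      # here although no merge_group trigger is declared above; on that event
      # `github.head_ref` would be empty.
      - name: Set PR testing variables
        if: contains(fromJSON('["pull_request", "merge_group"]'), github.event_name)
        env:
          PR_BRANCH: ${{ github.head_ref }}
        run: |
          echo "PR detected, testing Renovate with a dry run targeting the PR branch"
          echo "DRY_RUN_DEFAULT=true" | tee -a "$GITHUB_ENV"
          echo "RENOVATE_BASE_BRANCHES=$PR_BRANCH" | tee -a "$GITHUB_ENV"

      # This script/action will be moved to a separate action in my work
      # immediately following this project. For now it lives here to
      # avoid scope creep.
      #
      # Github can be notoriously difficult to authenticate and talk with.
      # There are four different types of authentication. This step
      # generates an app JWT token, and an app installation token, for
      # other steps that need a specific one.
      #
      # NOTE(review): these packages are unpinned and resolved from the npm
      # registry on every run, and the code they install handles the app's
      # private key. Pinning exact versions (or committing a lockfile) would
      # make this step reproducible and easier to audit.
      - name: Install NPM dependencies
        run: npm install '@octokit/auth-app' '@actions/github'

      # Outputs: `app-jwt-token` (app-level JWT) and `app-installation-token`
      # (installation token for the repo in `context.repo`). Both are passed
      # through core.setSecret() before being exported so they are masked in
      # logs. `INSTALLATION_ID` is read as an optional override but is not set
      # in this step's env, so the installation is looked up from the repo.
      - name: Generate Github access tokens
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea  # v7.0.1
        id: generate-tokens
        env:
          APP_ID: ${{ vars.PUBLIC_RENOVATE_GHA_APP_ID }}
          PRIVATE_KEY: ${{ secrets.PUBLIC_RENOVATE_GHA_PRIVATE_KEY }}
        with:
          script: |
            const { createAppAuth } = require("@octokit/auth-app");
            const { getOctokit } = require("@actions/github");
            // App authentication, which uses a JWT
            const appAuthFunction = createAppAuth({appId: process.env.APP_ID, privateKey: process.env.PRIVATE_KEY});
            const appAuth = await appAuthFunction({ type: "app" });
            // TODO export token via `appAuth.token`
            core.setSecret(appAuth.token)
            core.setOutput("app-jwt-token", appAuth.token)
            const appOctokit = getOctokit(appAuth.token);
            // Installation authentication, which uses an installation token
            let installationId = process.env["INSTALLATION_ID"];
            if (installationId === undefined) {
              try {
                // Repo can be specified via `GITHUB_REPOSITORY` env variable
                installationId = (await appOctokit.rest.apps.getRepoInstallation(context.repo)).data.id;
              } catch (error) {
                throw new Error(
                  "Could not get repo installation to find ID. Is the app installed on this repo?",
                  { cause: error },
                );
              }
            }
            const installationToken = (await appOctokit.rest.apps.createInstallationAccessToken({installation_id: installationId})).data.token;
            core.setSecret(installationToken)
            core.setOutput("app-installation-token", installationToken)

      # These two actions will also be moved out to a separate repo after this
      # project is complete.
      # Resolves the app's slug with the JWT and derives the `<slug>[bot]`
      # username Renovate will commit as.
      - name: Get app JWT information
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea  # v7.0.1
        id: app-jwt-info
        with:
          github-token: ${{ steps.generate-tokens.outputs.app-jwt-token }}
          script: |
            const appSlug = (await github.rest.apps.getAuthenticated()).data.slug;
            const appUserName = `${appSlug}[bot]`
            core.setOutput("app-username", appUserName);

      # Looks up the bot user's numeric id and builds the noreply e-mail used
      # as the git author below.
      - name: Get app installation information
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea  # v7.0.1
        id: app-installation-info
        env:
          APP_USERNAME: ${{ steps.app-jwt-info.outputs.app-username }}
        with:
          github-token: ${{ steps.generate-tokens.outputs.app-installation-token }}
          script: |
            const userId = (await github.rest.users.getByUsername({username: process.env.APP_USERNAME})).data.id
            core.setOutput("user-id", userId);
            core.setOutput("user-email", `${userId}+${process.env.APP_USERNAME}@users.noreply.github.com`);

      - name: Renovate
        uses: renovatebot/github-action@b8ce565a2e98de1fec9696a76fba7beb01ec29b2  # v39.2.3
        env:
          # Config values.
          # A boolean `false` from the dispatch input falls through `||` to the
          # env default, which the PR step may have set to "true".
          # NOTE(review): Renovate documents dryRun as the strings
          # "extract"/"lookup"/"full"; a bare `true` is treated as a deprecated
          # alias of "full" -- confirm against the pinned Renovate version.
          RENOVATE_DRY_RUN: ${{ inputs.dry-run || env.DRY_RUN_DEFAULT }}
          RENOVATE_LOG_FILE_LEVEL: ${{ inputs.log-level || env.LOG_LEVEL_DEFAULT }}
          LOG_LEVEL: ${{ inputs.log-level || env.LOG_LEVEL_DEFAULT }}
          LOG_FORMAT: "text"  # Any value but "json" will pretty-print
          RENOVATE_USERNAME: ${{ steps.app-jwt-info.outputs.app-username }}
          RENOVATE_GIT_AUTHOR: "${{ steps.app-jwt-info.outputs.app-username }} <${{ steps.app-installation-info.outputs.user-email }}>"
          RENOVATE_REPOSITORIES: ${{ github.repository }}
          # This is the config for Renovate itself, not the repo-specific
          # config. It is a JS file, i.e. code executed by Renovate with the
          # installation token's permissions (see the pull_request note above).
          RENOVATE_CONFIG_FILE: .github/renovate-repo-config.js
        with:
          token: ${{ steps.generate-tokens.outputs.app-installation-token }}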