Added Renovate config for AMI cleanup tool #237
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| // A Javascript file is used instead of JSON so that environment variables can be pulled in | ||
| // via `process.env.VARIABLE_NAME` if needed. This allows secrets to be stored in Github | ||
| // then provided to the Renovate config here. | ||
| module.exports = { | ||
| $schema: "https://docs.renovatebot.com/renovate-schema.json", | ||
| allowedPostUpgradeCommands: ['^tools/ami-cleanup/log-dependency-change.sh .*$',], | ||
| }; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| { | ||
| "$schema": "https://docs.renovatebot.com/renovate-schema.json", | ||
| "extends": [ | ||
| "config:recommended", | ||
| ":enableRenovate", | ||
| ":semanticCommits", | ||
| ":enableVulnerabilityAlerts", | ||
| ":ignoreUnstable", | ||
| ":label(dependency-update)", | ||
| ":prConcurrentLimitNone", | ||
| ":prHourlyLimitNone", | ||
| ":prImmediately", | ||
| ":rebaseStalePrs", | ||
| ":renovatePrefix", | ||
| "helpers:pinGitHubActionDigests", // This ensures that underlying tags are not replaced with a separate commit (tags are immutable but commits are not) | ||
| "preview:dockerVersions", | ||
| "regexManagers:githubActionsVersions", // See https://docs.renovatebot.com/presets-regexManagers/#regexmanagersgithubactionsversions for how to use this | ||
| "github>gravitational/shared-workflows//.github/renovate/commitMessage.json5", | ||
| "github>gravitational/shared-workflows//.github/renovate/labels.json5", | ||
| "github>gravitational/shared-workflows//.github/renovate/languages.json5", | ||
| "github>gravitational/shared-workflows//.github/renovate/renovate.json5", | ||
| // Presets for each project | ||
| "github>gravitational/shared-workflows//tools/ami-cleanup/renovate.json5" | ||
| ], | ||
| "useBaseBranchConfig": "merge", // This is set to allow for some degree of testing PRs, see https://github.com/renovatebot/renovate/discussions/16108 | ||
| // This is used so that not everything in the entire repo is setup for Renovate at once | ||
| // Initially this configuration is designed to only support the new GHA EKS clusters | ||
| "enabledManagers": [ | ||
| "github-actions", | ||
|
There was a problem hiding this comment. Dependabot is already handling github-actions: https://github.com/gravitational/shared-workflows/blob/main/.github/dependabot.yml#L3 Why not just add to the Dependabot configuration for ecosystems which it's already managing? There was a problem hiding this comment. There was a problem hiding this comment. @jentfoo: We've generally found Dependabot lacking for internal tooling IaC needs. It doesn't support critical ecosystems (helm, docker -- yes we've opened the feature requests) and lacks the configurability of renovate (e.g. in how we determine update sources). I'm in favor of incrementally replacing dependabot with renovate in this repo. There was a problem hiding this comment. I agree in the use of Renovate, I recognize it covers gaps that Dependabot has. But it seems like for a given repo we should be using a single tool for a given ecosystem. Having a single ecosystem (github actions) managed by two tools may add confusion. There was a problem hiding this comment. I can replace dependabot with Renovate in this repo if you like. I'd be a bit more work but not a significant amount, given that the (current) one other project is pretty much just Go + GHA workflows. There was a problem hiding this comment. It's my preference to keep them uniform for a single ecosystem + repo combo, unless there is a reason I am not considering to use both. There was a problem hiding this comment. AFAIK we haven't messed with renovate for golang yet, so I'd recommend we keep dependabot for go. I'm fine switching all of GHA to renovate in this repo. |
||
| "custom.regex", | ||
| "gomod" | ||
| ], | ||
| // Unfortunatly Renovate can only override manager defaults via a blacklist instead of a whitelist | ||
| "ignorePaths": [ | ||
| // These predate RFD 0001 and are managed by dependabot | ||
| "bot/**", | ||
| ".github/workflows/codeql.yml", | ||
| ".github/workflows/csv-lint.yaml", | ||
| ".github/workflows/dependency-review.yaml", | ||
| ".github/workflows/github-action-lint.yaml", | ||
| ".github/workflows/govulncheck.yaml", | ||
| ".github/workflows/json-lint.yaml", | ||
| ".github/workflows/terraform-lint.yaml", | ||
| ".github/workflows/trivy.yaml" | ||
|
Comment on lines
+37
to
+44
There was a problem hiding this comment. Lets switch these to renovate. |
||
| ], | ||
| "vulnerabilityAlerts": { | ||
| "dependencyDashboardApproval": true, | ||
| "rangeStrategy": "auto", | ||
| "commitMessageSuffix": "[SECURITY]", | ||
| "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability", | ||
| "prCreation": "immediate", | ||
| "enabled": true | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| { | ||
| "$schema": "https://docs.renovatebot.com/renovate-schema.json", | ||
| // See https://docs.renovatebot.com/configuration-options/#commitmessage for details | ||
| "commitMessageTopic": "{{depName}}", | ||
| "commitMessageExtra": "to {{newVersion}}", | ||
| "packageRules": [ | ||
| { | ||
| "matchManagers": [ | ||
| "github-actions" | ||
| ], | ||
| "commitMessageTopic": "action {{depName}}" | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,86 @@ | ||
| { | ||
| "$schema": "https://docs.renovatebot.com/renovate-schema.json", | ||
| "packageRules": [ | ||
| // Labels for specific version change types | ||
| { | ||
| "matchUpdateTypes": [ | ||
| "major" | ||
| ], | ||
| "addLabels": [ | ||
| "renovate/type/major" | ||
| ] | ||
| }, | ||
| { | ||
| "matchUpdateTypes": [ | ||
| "minor" | ||
| ], | ||
| "addLabels": [ | ||
| "renovate/type/minor" | ||
| ] | ||
| }, | ||
| { | ||
| "matchUpdateTypes": [ | ||
| "patch" | ||
| ], | ||
| "addLabels": [ | ||
| "renovate/type/patch" | ||
| ] | ||
| }, | ||
| { | ||
| "matchUpdateTypes": [ | ||
| "digest" | ||
| ], | ||
| "addLabels": [ | ||
| "renovate/type/digest" | ||
| ] | ||
| }, | ||
| // Labels for specific artifact types | ||
| { | ||
| "matchDatasources": [ | ||
| "github-releases", | ||
| "github-tags" | ||
| ], | ||
| "addLabels": [ | ||
| "renovate/github-release" | ||
| ] | ||
| }, | ||
| { | ||
| "matchManagers": [ | ||
| "github-actions" | ||
| ], | ||
| "addLabels": [ | ||
| "renovate/github-action" | ||
| ] | ||
| }, | ||
| { | ||
| "matchManagers": [ | ||
| "gomod" | ||
| ], | ||
| "addLabels": [ | ||
| "renovate/golang" | ||
| ] | ||
| }, | ||
| // Labels for specific directories | ||
| { | ||
| "description": "Label Github workflow PRs", | ||
| "matchFileNames": [ | ||
| "**/workflows/*.yml", | ||
| "**/workflows/*.yaml" | ||
| ], | ||
| "addLabels": [ | ||
| "renovate/workflow/{{{ replace '\\.ya?ml$' '' (replace '^\\.github\\/workflows\\/' '' packageFile) }}}" | ||
| ] | ||
| }, | ||
| { | ||
| "description": "Label Renovate PRs", | ||
| "matchFileNames": [ | ||
| ".github/renovate*", | ||
| ".github/renovate/**", | ||
| "renovate.json5" | ||
| ], | ||
| "addLabels": [ | ||
| "renovate/config/{{{ replace '\\.js(?:on5?)?$' '' (replace '^\\.github\\/' '' packageFile) }}}" | ||
| ] | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| { | ||
| "$schema": "https://docs.renovatebot.com/renovate-schema.json", | ||
| "gomod": { | ||
| "postUpdateOptions": [ | ||
| "gomodTidy", | ||
| "gomodUpdateImportPaths" | ||
| ] | ||
| }, | ||
| "customManagers": [ | ||
| // Earthfiles | ||
| { | ||
| "description": "Earthly language version - Earthfiles", | ||
| "customType": "regex", | ||
| "fileMatch": [ | ||
| "Earthfile$" | ||
| ], | ||
| "matchStrings": [ | ||
| "^\\s*VERSION(?:.*(?:\\\\\\n)?)*(?<currentValue>\\d+\\.\\d)+$" | ||
| ], | ||
| "datasourceTemplate": "github-releases", | ||
| "depNameTemplate": "earthly/earthly", | ||
| "packageNameTemplate": "earthly/earthly", | ||
| "versioningTemplate": "semver-coerced", | ||
| // Extract the major and minor version from the latest GH release | ||
| "extractVersionTemplate": "^v?(?<version>\\d+\\.\\d+).*$" | ||
| }, | ||
| { | ||
| "description": "Earthly version - setup action in GHA workflows", | ||
| "customType": "regex", | ||
| "fileMatch": [ | ||
| "^.*/workflows/[^/].ya?ml$" | ||
| ], | ||
| "matchStrings": [ | ||
| "# renovate: earthly-version\\s*\\n\\s*version: \\s*(?<currentValue>.*?)\\s*\\n" | ||
| ], | ||
| "datasourceTemplate": "github-releases", | ||
| "depNameTemplate": "earthly/earthly", | ||
| "packageNameTemplate": "earthly/earthly", | ||
| "versioningTemplate": "semver-coerced" | ||
| }, | ||
| { | ||
| "description": "Container images - Earthfiles", | ||
| "customType": "regex", | ||
| "fileMatch": [ | ||
| "Earthfile$" | ||
| ], | ||
| "matchStrings": [ | ||
| "\\s*FROM \\s*.*?(?<depName>\\S+):(?<currentValue>[^\\s\\$]+)" | ||
| ], | ||
| "datasourceTemplate": "docker", | ||
| "versioningTemplate": "docker" | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| { | ||
| "$schema": "https://docs.renovatebot.com/renovate-schema.json", | ||
| "github-actions": { | ||
| "fileMatch": [ | ||
| "^\\.github/workflows/renovate(?:-bypass)?\\.ya?ml$" | ||
| ] | ||
| }, | ||
| "packageRules": [ | ||
| { | ||
| "description": "Assign to maintainer", | ||
| "matchFileNames": [ | ||
| ".github/workflows/renovate*.yaml" | ||
| ], | ||
| "extends": [ | ||
| ":assignAndReview(fheinecke)", | ||
| ] | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,152 @@ | ||
| --- | ||
| # This should eventually moved to a reusable workflow within this repo | ||
| # This was originally written for cloud-terraform, and later ported to | ||
| # shared-workflows | ||
| name: Update dependencies with Renovate | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| dry-run: | ||
| description: "True to test changes without applying them, false otherwise" | ||
| default: false | ||
| required: false | ||
| type: boolean | ||
| log-level: | ||
| description: "Log severity level" | ||
| default: "debug" | ||
| required: false | ||
| type: choice | ||
| options: | ||
| - fatal | ||
| - error | ||
| - warn | ||
| - info | ||
| - debug | ||
| - trace # Warning: this will generate a >512MB log! | ||
| schedule: | ||
| - cron: "0 15 * * 1-5" # 15:00 UTC is 8:00 PST, 1-5 is Monday-Friday | ||
| push: | ||
| branches: | ||
| - main | ||
| paths: | ||
| - .github/workflows/renovate.yaml | ||
| - .github/renovate-repo-config.js | ||
| - .github/renovate.json5 | ||
| - .github/renovate/**.json5 | ||
| - '**/renovate.json5' | ||
| pull_request: | ||
| paths: | ||
| - .github/workflows/renovate.yaml | ||
| - .github/renovate-repo-config.js | ||
| - .github/renovate.json5 | ||
| - .github/renovate/**.json5 | ||
| - '**/renovate.json5' | ||
|
|
||
| # There shouldn't ever be a need to run this concurrently and it may avoid | ||
| # some problems | ||
| concurrency: | ||
| cancel-in-progress: true | ||
| group: Only allow one "${{ github.workflow }}" on ${{ github.ref }} run at a time | ||
|
|
||
| env: | ||
| # Default values for inputs when the trigger is not `workflow_dispatch` | ||
| DRY_RUN_DEFAULT: false | ||
| LOG_LEVEL_DEFAULT: debug | ||
|
|
||
| jobs: | ||
| run-renovate: | ||
| name: Update repo dependencies | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
| - name: Set PR testing variables | ||
| if: contains(fromJSON('["pull_request", "merge_group"]'), github.event_name) | ||
| env: | ||
| PR_BRANCH: ${{ github.head_ref }} | ||
| run: | | ||
| echo "PR detected, testing Renovate with a dry run targeting the PR branch" | ||
| echo "DRY_RUN_DEFAULT=true" | tee -a "$GITHUB_ENV" | ||
| echo "RENOVATE_BASE_BRANCHES=$PR_BRANCH" | tee -a "$GITHUB_ENV" | ||
| # This script/action will be moved to a separate action in my work | ||
| # immediately following this project. For now it lives here to | ||
| # avoid scope creep. | ||
| # | ||
| # Github can be notoriously difficult to authenticate and talk with. | ||
| # There are four different types of authentication. This step | ||
| # generates an app JWT token, and an app installation token, for | ||
| # other steps that need a specific one. | ||
| - name: Install NPM dependencies | ||
| run: npm install '@octokit/auth-app' '@actions/github' | ||
| - name: Generate Github access tokens | ||
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | ||
| id: generate-tokens | ||
| env: | ||
| APP_ID: ${{ vars.PUBLIC_RENOVATE_GHA_APP_ID }} | ||
| PRIVATE_KEY: ${{ secrets.PUBLIC_RENOVATE_GHA_PRIVATE_KEY }} | ||
| with: | ||
| script: | | ||
| const { createAppAuth } = require("@octokit/auth-app"); | ||
| const { getOctokit } = require("@actions/github"); | ||
|
|
||
| // App authentication, which uses a JWT | ||
| const appAuthFunction = createAppAuth({appId: process.env.APP_ID, privateKey: process.env.PRIVATE_KEY}); | ||
| const appAuth = await appAuthFunction({ type: "app" }); | ||
| // TODO export token via `appAuth.token` | ||
| core.setSecret(appAuth.token) | ||
| core.setOutput("app-jwt-token", appAuth.token) | ||
| const appOctokit = getOctokit(appAuth.token); | ||
|
|
||
| // Installation authentication, which uses an installation token | ||
| let installationId = process.env["INSTALLATION_ID"]; | ||
| if (installationId === undefined) { | ||
| try { | ||
| // Repo can be specified via `GITHUB_REPOSITORY` env variable | ||
| installationId = (await appOctokit.rest.apps.getRepoInstallation(context.repo)).data.id; | ||
| } catch (error) { | ||
| throw new Error( | ||
| "Could not get repo installation to find ID. Is the app installed on this repo?", | ||
| { cause: error }, | ||
| ); | ||
| } | ||
| } | ||
| const installationToken = (await appOctokit.rest.apps.createInstallationAccessToken({installation_id: installationId})).data.token; | ||
| core.setSecret(installationToken) | ||
| core.setOutput("app-installation-token", installationToken) | ||
| # These two actions will also be moved out to a separate repo after this project is complete | ||
| - name: Get app JWT information | ||
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | ||
| id: app-jwt-info | ||
| with: | ||
| github-token: ${{ steps.generate-tokens.outputs.app-jwt-token }} | ||
| script: | | ||
| const appSlug = (await github.rest.apps.getAuthenticated()).data.slug; | ||
| const appUserName = `${appSlug}[bot]` | ||
| core.setOutput("app-username", appUserName); | ||
| - name: Get app installation information | ||
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | ||
| id: app-installation-info | ||
| env: | ||
| APP_USERNAME: ${{ steps.app-jwt-info.outputs.app-username }} | ||
| with: | ||
| github-token: ${{ steps.generate-tokens.outputs.app-installation-token }} | ||
| script: | | ||
| const userId = (await github.rest.users.getByUsername({username: process.env.APP_USERNAME})).data.id | ||
| core.setOutput("user-id", userId); | ||
| core.setOutput("user-email", `${userId}+${process.env.APP_USERNAME}@users.noreply.github.com`); | ||
| - name: Renovate | ||
| uses: renovatebot/github-action@b8ce565a2e98de1fec9696a76fba7beb01ec29b2 # v39.2.3 | ||
| env: | ||
| # Config values | ||
| RENOVATE_DRY_RUN: ${{ inputs.dry-run || env.DRY_RUN_DEFAULT }} | ||
| RENOVATE_LOG_FILE_LEVEL: ${{ inputs.log-level || env.LOG_LEVEL_DEFAULT }} | ||
| LOG_LEVEL: ${{ inputs.log-level || env.LOG_LEVEL_DEFAULT }} | ||
| LOG_FORMAT: "text" # Any value but "json" will pretty-print | ||
| RENOVATE_USERNAME: ${{ steps.app-jwt-info.outputs.app-username }} | ||
| RENOVATE_GIT_AUTHOR: "${{ steps.app-jwt-info.outputs.app-username }} <${{ steps.app-installation-info.outputs.user-email }}>" | ||
| RENOVATE_REPOSITORIES: ${{ github.repository }} | ||
| # This is the config for Renovate itself, not the repo-specific config | ||
| RENOVATE_CONFIG_FILE: .github/renovate-repo-config.js | ||
| with: | ||
| token: ${{ steps.generate-tokens.outputs.app-installation-token }} |
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This adds the following on top of
config:recommended:https://docs.renovatebot.com/presets-config/