From e576f9f8c4a39a2d605357661a5df06df14faf26 Mon Sep 17 00:00:00 2001
From: Simon Templer
Date: Fri, 8 Mar 2024 09:45:53 +0100
Subject: [PATCH] ci: add renovate workflow

---
 .github/renovate.json5 | 54 +++++++++++++++++++++++++++++
 .github/workflows/renovate.yml | 62 ++++++++++++++++++++++++++++++++++
 2 files changed, 116 insertions(+)
 create mode 100644 .github/renovate.json5
 create mode 100644 .github/workflows/renovate.yml

diff --git a/.github/renovate.json5 b/.github/renovate.json5
new file mode 100644
index 00000000..89c2eb54
--- /dev/null
+++ b/.github/renovate.json5
@@ -0,0 +1,54 @@
+{
+ $schema: "https://docs.renovatebot.com/renovate-schema.json",
+ extends: [
+ "config:recommended",
+ "helpers:pinGitHubActionDigestsToSemver",
+ "security:openssf-scorecard",
+ ":disableDependencyDashboard",
+ ":disableRateLimiting",
+ ":enableVulnerabilityAlertsWithLabel(security)",
+ ],
+ "git-submodules": {
+ enabled: true,
+ },
+ labels: [
+ "renovate",
+ "renovate/{{replace '.*/' '' depName}}",
+ "renovate/{{updateType}}",
+ ],
+ lockFileMaintenance: {
+ enabled: true,
+ schedule: ["before 6am on Sunday"],
+ },
+ packageRules: [
+ {
+ matchUpdateTypes: ["major"],
+ automerge: false,
+ },
+ {
+ description: "Ignore frequent renovate updates",
+ enabled: false,
+ matchPackageNames: ["renovatebot/github-action"],
+ matchUpdateTypes: ["patch"],
+ },
+ {
+ description: "Update renovatebot/github-action minor updates on Sundays",
+ matchPackageNames: ["renovatebot/github-action"],
+ matchUpdateTypes: ["minor"],
+ schedule: ["* * * * 0"],
+ },
+ ],
+ prBodyTemplate: "{{{table}}}{{{notes}}}{{{changelogs}}}",
+ rebaseWhen: "behind-base-branch",
+ regexManagers: [
+ {
+ extractVersionTemplate: "{{#if extractVersion}}{{{extractVersion}}}{{else}}^v?(?.+)${{/if}}",
+ fileMatch: ["\\.ya?ml$", "\\.md$", "^Dockerfile$", "^entrypoint\\.sh$"],
+ matchStrings: [
+ '# renovate: datasource=(?.+?) depName=(?.+?)( versioning=(?.+?))?( extractVersion=(?.+?))?( registryUrl=(?.+?))?\\s.*[=:]\\s*"?(?.+?)"?\\s',
+ ],
+ versioningTemplate: "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}",
+ },
+ ],
+ separateMinorPatch: true,
+}
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
new file mode 100644
index 00000000..724c4936
--- /dev/null
+++ b/.github/workflows/renovate.yml
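Review bot: `regexManagers` (the `+ regexManagers: [` line) is the pre-rename key; Renovate now expects `customManagers` with each entry carrying `customType: "regex"`, and although the old key is still migrated automatically, the config should be written in the current form: `customManagers: [` followed by `{ customType: "regex",` at the start of the entry. As printed here the capture groups in `matchStrings` and `extractVersionTemplate` read `(?.+?)` and `(?.+)` with no group name, which is not a valid pattern; this looks like the `<datasource>`, `<depName>`, `<currentValue>` etc. names were stripped in rendering, but it is worth confirming the committed file carries them, because a regex manager that captures no `depName`/`currentValue`/`datasource` extracts nothing. `:enableVulnerabilityAlertsWithLabel(security)` also depends on the App token used by the companion workflow being allowed to read the repository's Dependabot alerts; a short comment next to the preset noting that prerequisite would save the next maintainer a debugging round.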
@@ -0,0 +1,62 @@
+---
+name: renovate
+
+on:
+ workflow_dispatch:
+ inputs:
+ dryRun:
+ type: boolean
+ description: "Dry-Run"
+ logLevel:
+ type: choice
+ description: "Log-Level"
+ default: debug
+ options:
+ - info
+ - debug
+ - trace
+ push:
+ branches:
+ - master
+ - "!renovate/*"
+ schedule:
+ - cron: "0 0,2,4 * * 0"
+
+env:
+ # https://docs.renovatebot.com/troubleshooting/#log-debug-levels
+ LOG_LEVEL: "${{ inputs.logLevel || 'debug' }}"
+ # https://docs.renovatebot.com/self-hosted-configuration/#repositories
+ RENOVATE_REPOSITORIES: ${{ github.repository }}
+ # https://docs.renovatebot.com/self-hosted-configuration/#username
+ RENOVATE_USERNAME: ${{ github.repository_owner }}
+ # https://docs.renovatebot.com/configuration-options/#platformcommit
+ RENOVATE_PLATFORM_COMMIT: "true"
+ # https://docs.renovatebot.com/self-hosted-configuration/#dryrun
+ # Run renovate in dry-run mode if executed in branches other than master - prevents versions in PRs/branches from being updated
+ RENOVATE_DRY_RUN: "${{ inputs.dryRun || ( github.head_ref || github.ref_name ) != 'master' || false }}"
+ # Renovate Automerge
+ RENOVATE_AUTOMERGE_TYPE: "branch"
+ RENOVATE_AUTOMERGE: "true"
+
+permissions: read-all
+
+jobs:
+ renovate:
+ runs-on: ubuntu-latest
+ concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - uses: actions/create-github-app-token@f2acddfb5195534d487896a656232b016a682f3c # v1.9.0
+ id: app-token
+ with:
+ # see https://github.com/renovatebot/renovate/blob/47c8501c412c2f53f61ca292a5039f5939c32c5d/lib/modules/platform/github/readme.md?plain=1#L28
+ app-id: ${{ secrets.WE_RENOVATE_GITHUB_APP_ID }}
+ private-key: "${{ secrets.WE_RENOVATE_GITHUB_PRIVATE_KEY }}"
+
+ - name: 💡 Self-hosted Renovate
+ uses: renovatebot/github-action@2d90417499f45ff78a09586f7b9874b19817dba3 # v40.1.0
+ with:
+ token: "${{ steps.app-token.outputs.token }}"
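Review bot: The comment above `RENOVATE_DRY_RUN` says dry-run applies when "executed in branches other than master", but `push.branches` only matches `master`, so the `!renovate/*` exclusion never takes effect and the non-master path is only reachable from a `workflow_dispatch` started on another ref; the comment should say so, e.g. `# Dry-run unless the ref is master (push events are master-only, so this only affects manual runs from other refs)`. With `RENOVATE_AUTOMERGE_TYPE: "branch"` Renovate pushes automerged updates straight to master using the App token, and unlike pushes made with GITHUB_TOKEN those do trigger `push` workflows, so every automerge commit queues another run of this workflow behind the `concurrency` group; worth a comment, or a `paths-ignore` or actor guard on the trigger, if that churn is not intended. The job also has no `timeout-minutes`, so a hung Renovate run holds the runner for the default six hours; a line such as `timeout-minutes: 60` under `runs-on` would bound it.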