ci: renovate

4m-mazi · Jun 26, 2024 · cf929b4 · cf929b4
1 parent 8efd7c7
commit cf929b4
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 17 deletions.
diff --git a/.github/workflows/_renovate.yml b/.github/workflows/_renovate.yml
@@ -6,7 +6,7 @@ on:
         type: string
       repoCache:
         description: "Reset or disable the cache?"
-        default: 'enabled'
+        default: "enabled"
         required: false
         type: string
       dependencyDashboardTitle:
@@ -30,13 +30,14 @@ on:
 permissions: {}
 
 env:
-  RENOVATE_REPO: 4m-mazi/gh-test
+  RENOVATE_REPOSITORY_OWNER: 4m-mazi
+  RENOVATE_REPOSITORY_NAME: gh-test
 
 jobs:
   trigger-renovate:
     if: >-
       ${{
-        contains(fromJSON('["push", "schedule", "workflow_dispatch"]'), github.event_name)
+        contains(fromJSON('["push", "workflow_dispatch"]'), github.event_name)
         || (
             github.actor != inputs.renovate_actor
             && (
@@ -59,12 +60,19 @@ jobs:
         id: generate_token
         uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1
         with:
+          # [permissions]─────────────────────────────────────
+          #   [read and write]
+          #     repo: Contents
+          # ──────────────────────────────────────────────────
           app-id: ${{ secrets.app-id }}
           private-key: ${{ secrets.private-key }}
+          owner: ${{ env.RENOVATE_REPOSITORY_OWNER }}
+          repositories: ${{ env.RENOVATE_REPOSITORY_NAME }}
 
-      - name: 'Create a repository dispatch event'
+      - name: "Create a repository dispatch event"
         env:
           GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+          RENOVATE_REPO: ${{ env.RENOVATE_REPOSITORY_OWNER }}/${{ env.RENOVATE_REPOSITORY_NAME }}
           CACHE: ${{ inputs.repoCache }}
         run: |
           gh api \

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
@@ -8,15 +8,10 @@ on:
 
 permissions: {}
 
-# Adding these as env variables makes it easy to re-use them in different steps and in bash.
 env:
-  # This is the dir renovate provides -- if we set our own directory via cacheDir, we can run into permissions issues.
-  # It is also possible to cache a higher level of the directory, but it has minimal benefit. While renovate execution
-  # time gets faster, it also takes longer to upload the cache as it grows bigger.
-  # cache_dir: /tmp/renovate/cache/renovate/repository
   cache_dir: /tmp/renovate/cache
-  # This can be manually changed to bust the cache if neccessary.
   cache_key: renovate-cache
+  config_file: config.yaml
   # tool versions
   # renovate: datasource=docker depName=renovate packageName=ghcr.io/renovatebot/renovate
   RENOVATE_VERSION: 37.419.1
@@ -29,6 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       actions: write
+      contents: read
     steps:
       - uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         id: restore-cache
@@ -44,8 +40,23 @@ jobs:
         id: generate_token
         uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1
         with:
+          # [permissions]─────────────────────────────────────────────────────────────────
+          #   [read-only]
+          #     repo: Administration, Dependabot alerts, Metadata, Packages
+          #     org:  Members
+          #   [read and write]
+          #     repo: Checks, Commit statuses, Contents, Issues, Pull requests, Workflows
+          # ──────────────────────────────────────────────────────────────────────────────
           app-id: ${{ vars.MAZI_RENOVATE_APP_ID }}
           private-key: ${{ secrets.MAZI_RENOVATE_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+
+      - name: 'Checkout ${{ env.config_file }}'
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          sparse-checkout: |
+            ${{ env.config_file }}
+          sparse-checkout-cone-mode: false
 
       - uses: renovatebot/github-action@21d88b0bf0183abcee15f990011cca090dfc47dd # v40.1.12
         with:
@@ -56,18 +67,16 @@ jobs:
           # This enables the cache -- if this is set, it's not necessary to add it to renovate.json.
           RENOVATE_REPOSITORY_CACHE: ${{ github.event.client_payload.repoCache || 'enabled' }}
           RENOVATE_AUTODISCOVER: true # Renovate runs NOT only on this repository.
-          RENOVATE_AUTODISCOVER_FILTER: "${{ github.repository_owner }}/*"
           RENOVATE_DEPENDENCY_DASHBOARD_FOOTER: "- [ ] <!-- manual job -->Check this box to trigger a request for Renovate to run again on this repository"
           RENOVATE_PLATFORM_COMMIT: true
           FORCE_COLOR: 3 # chalk.supportsColor
           LOG_LEVEL: debug
 
           # customize
           RENOVATE_PR_FOOTER: "This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate/tree/${{ env.RENOVATE_VERSION }}). - [View logs](${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }})"
-          RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS: '["^pnpm install --frozen-lockfile --ignore-scripts$", "^pnpm run build$"]'
-          RENOVATE_ONBOARDING_CONFIG_FILE_NAME: .renovaterc.json
+          RENOVATE_CONFIG_FILE: ${{ env.config_file }}
 
-      - run: tree -L 5 -h --du -F "${cache_dir}"
+      - run: tree -L 5 -h --du -F -C -- "${cache_dir}"
 
       - name: delete old cache
         if: github.event.client_payload.repoCache != 'disabled' && github.ref_name == github.event.repository.default_branch

diff --git a/.github/workflows/trigger_renovate.yml b/.github/workflows/trigger_renovate.yml
@@ -1,4 +1,4 @@
-name: trigger Renovate
+name: Trigger Renovate
 on:
   issues:
     # Dependency Dashboard
@@ -42,5 +42,9 @@ jobs:
       renovate_actor: "mazi-renovate[bot]"
       repoCache: ${{ inputs.repoCache }}
     secrets:
-      app-id: ${{ vars.MAZI_RENOVATE_APP_ID }}
-      private-key: ${{ secrets.MAZI_RENOVATE_PRIVATE_KEY }}
+      # [permissions]─────────────────────────────────────
+      #   [read and write]
+      #     repo: Contents
+      # ──────────────────────────────────────────────────
+      app-id: ${{ vars.MAZI_TRIGGER_APP_ID }}
+      private-key: ${{ secrets.MAZI_TRIGGER_PRIVATE_KEY }}
diff --git a/config.yaml b/config.yaml
@@ -0,0 +1,6 @@
+# yaml-language-server: $schema=https://docs.renovatebot.com/renovate-schema.json
+
+allowedPostUpgradeCommands:
+  - "^pnpm install --frozen-lockfile --ignore-scripts$"
+  - "^pnpm run build$"
+onboardingConfigFileName: .renovaterc.json