Renovate #74
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Renovate | |
on: | |
workflow_call: | |
inputs: | |
logLevel: | |
description: "Override default log level" | |
required: false | |
default: "info" | |
type: string | |
overrideSchedule: | |
description: "Override all schedules" | |
required: false | |
default: "false" | |
type: string | |
processAuthJson: | |
description: "Transfer credentials from auth.json in renovate.json" | |
required: false | |
default: true | |
type: boolean | |
schedule: | |
- cron: '30 3 * * *' | |
concurrency: renovate | |
jobs: | |
renovate: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 | |
# Don't waste time starting Renovate if JSON is invalid | |
- name: Validate Renovate JSON | |
run: jq type renovate.json | |
- name: Get token | |
id: get_token | |
uses: tibdex/github-app-token@021a2405c7f990db57f5eae5397423dcc554159c # v1.7.0 | |
with: | |
app_id: ${{ secrets.RENOVATE_APP_ID }} | |
installation_id: ${{ secrets.RENOVATE_INSTALL_ID }} | |
private_key: ${{ secrets.RENOVATE_PRIVATE_KEY }} | |
# todo chack if enabled and if file exists | |
- name: Process auth.json | |
id: process-auth-json | |
if: ${{ inputs.processAuthJson }} | |
run: | | |
import os | |
import json | |
# process auth.json | |
if os.path.isfile("renovate.json"): | |
file = open("renovate.json", "r") | |
renovate = json.loads(file.read()) | |
file.close() | |
if "hostRules" not in renovate: | |
renovate["hostRules"] = [] | |
if os.path.isfile("auth.json"): | |
auth = json.loads(open("auth.json", "r").read()) | |
if "http-basic" in auth: | |
for key in auth["http-basic"]: | |
secretName = key.upper() | |
host = "https://" + key | |
username = auth["http-basic"][key]["username"] | |
password = auth["http-basic"][key]["password"] | |
renovate["hostRules"].append({ | |
"hostType": "packagist", | |
"matchHost": host, | |
"username": username, | |
"password": password | |
}) | |
file = open("renovate.json", "w") | |
file.write(json.dumps(renovate, indent=2)) | |
file.close() | |
print("renovate.json updated") | |
else: | |
print("auth.json doesn't exist") | |
else: | |
print("renovate.json doesn't exist") | |
shell: python | |
- name: Generate Renovate Secrets | |
id: renovate-secret-generator | |
run: | | |
import os | |
import json | |
print("Available secrets") | |
print(os.environ['ALLSECRETS']) | |
secrets = json.loads(os.environ['ALLSECRETS']) | |
secretsToUse = {} | |
for key in secrets: | |
if(key.startswith('RENOVATE_SECRET_')): | |
secretsToUse[key.replace("RENOVATE_SECRET_", "")] = secrets[key] | |
print("determined secrets") | |
print(secretsToUse) | |
with open(os.environ['GITHUB_OUTPUT'], 'a') as fh: | |
print(f'RENOVATE_SECRETS='+json.dumps(secretsToUse), file=fh) | |
shell: python | |
env: | |
ALLSECRETS: ${{ toJSON(secrets) }} | |
- name: Self-hosted Renovate | |
uses: renovatebot/github-action@8343fa1c8d38f3d030aa8332773b737f7e2fa591 # v34.82.0 | |
env: | |
# Repository taken from variable to keep configuration file generic | |
RENOVATE_REPOSITORIES: ${{ github.repository }} | |
# Onboarding not needed for self hosted | |
RENOVATE_ONBOARDING: "false" | |
# Username for GitHub authentication (should match GitHub App name + [bot]) | |
RENOVATE_USERNAME: "renovate[bot]" | |
# Git commit author used, must match GitHub App | |
RENOVATE_GIT_AUTHOR: "renovate <renovate[bot]@users.noreply.github.com>" | |
# Use GitHub API to create commits (this allows for signed commits from GitHub App) | |
RENOVATE_PLATFORM_COMMIT: "true" | |
# Override schedule if set | |
RENOVATE_FORCE: ${{ github.event.inputs.overrideSchedule == 'true' && '{''schedule'':null}' || '' }} | |
LOG_LEVEL: ${{ inputs.logLevel || 'info' }} | |
RENOVATE_USER_AGENT: "Composer: renovatebot" | |
RENOVATE_SECRETS: ${{ steps.renovate-secret-generator.outputs.RENOVATE_SECRETS }} | |
with: | |
configurationFile: renovate.json | |
token: '${{ steps.get_token.outputs.token }}' |