Add Gitea Actions workflows, CI config, and docs

2026-02-28 20:40:14 +01:00
parent 3b48b39561
commit 8cadb2d216
35 changed files with 3216 additions and 0 deletions
--- a/.gitea/workflows/renovate.yml
+++ b/.gitea/workflows/renovate.yml
@@ -0,0 +1,107 @@
+# =============================================================================
+# Renovate Workflow — Automated Dependency Updates
+# =============================================================================
+#
+# DISABLED BY DEFAULT (ENABLE_RENOVATE=false in .ci/config.env).
+#
+# When enabled, this workflow runs Renovate to:
+#   - Detect outdated dependencies (pip, npm, Docker FROM, etc.)
+#   - Open PRs with updates, respecting schedule and PR limits
+#
+# REQUIRED SECRET:
+#   RENOVATE_TOKEN — A Gitea PAT (Personal Access Token) with repo scope
+#                    for the Renovate bot user. Set in repo/org secrets.
+#
+# CONFIG:
+#   - .ci/config.env     → RENOVATE_SCHEDULE, RENOVATE_PR_LIMIT
+#   - renovate.json      → Renovate-specific config (grouping, labels, etc.)
+#
+# See docs/RENOVATE.md for setup instructions.
+# =============================================================================
+
+name: Renovate
+
+on:
+  # Run on a schedule (default: weekly on Mondays at 04:00 UTC)
+  schedule:
+    - cron: "0 4 * * 1"
+  # Allow manual trigger
+  workflow_dispatch:
+
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      # -----------------------------------------------------------------------
+      # Step 1: Checkout
+      # -----------------------------------------------------------------------
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      # -----------------------------------------------------------------------
+      # Step 2: Load config
+      # -----------------------------------------------------------------------
+      - name: Load config
+        run: |
+          if [ -f .ci/config.env ]; then
+            set -a
+            source .ci/config.env
+            set +a
+          fi
+
+          echo "ENABLE_RENOVATE=${ENABLE_RENOVATE:-false}" >> "$GITHUB_ENV"
+          echo "RENOVATE_SCHEDULE=${RENOVATE_SCHEDULE:-weekly}" >> "$GITHUB_ENV"
+          echo "RENOVATE_PR_LIMIT=${RENOVATE_PR_LIMIT:-5}" >> "$GITHUB_ENV"
+
+      # -----------------------------------------------------------------------
+      # Step 3: Check if Renovate is enabled
+      # -----------------------------------------------------------------------
+      - name: Check if enabled
+        run: |
+          if [ "$ENABLE_RENOVATE" != "true" ]; then
+            echo "Renovate is disabled (ENABLE_RENOVATE=$ENABLE_RENOVATE)."
+            echo "To enable, set ENABLE_RENOVATE=true in .ci/config.env"
+            echo "SKIP_RENOVATE=true" >> "$GITHUB_ENV"
+          fi
+
+      # -----------------------------------------------------------------------
+      # Step 4: Run Renovate
+      #
+      # Uses the official Renovate CLI via npx. Configures it to point at
+      # the Gitea instance and the current repository.
+      # -----------------------------------------------------------------------
+      - name: Run Renovate
+        if: env.SKIP_RENOVATE != 'true'
+        env:
+          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
+        run: |
+          if [ -z "$RENOVATE_TOKEN" ]; then
+            echo "ERROR: RENOVATE_TOKEN secret is not set."
+            echo "Please create a Gitea PAT and add it as a repository secret."
+            exit 1
+          fi
+
+          # Determine repository path
+          FULL_REPO="${GITEA_REPOSITORY:-${{ github.repository }}}"
+
+          echo "Running Renovate for ${FULL_REPO} on ${REGISTRY_HOST:-git.hiddenden.cafe}..."
+
+          npx renovate \
+            --platform gitea \
+            --endpoint "https://${REGISTRY_HOST:-git.hiddenden.cafe}/api/v1" \
+            --token "$RENOVATE_TOKEN" \
+            --pr-hourly-limit "$RENOVATE_PR_LIMIT" \
+            "$FULL_REPO"
+
+      # -----------------------------------------------------------------------
+      # Step 5: Summary
+      # -----------------------------------------------------------------------
+      - name: Renovate Summary
+        if: always()
+        run: |
+          echo "=============================="
+          echo " Renovate Workflow Complete"
+          echo " Enabled:    ${ENABLE_RENOVATE:-false}"
+          echo " Schedule:   ${RENOVATE_SCHEDULE:-weekly}"
+          echo " PR Limit:   ${RENOVATE_PR_LIMIT:-5}"
+          echo "=============================="