Hiddenden/openrabbit
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Add Gitea Actions workflows, CI config, and docs
Some checks failed
Docker / docker (push) Successful in 6s
Details
Security / security (push) Successful in 6s
Details
Deploy / deploy-local-runner (push) Has been cancelled
Details
CI / ci (push) Successful in 1m42s
Details
Deploy / deploy-ssh (push) Successful in 7s
Details

Browse Source
This commit is contained in:
Latte
2026-02-28 20:40:14 +01:00
parent 3b48b39561
commit 8cadb2d216
35 changed files with 3216 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

101
docs/RENOVATE.md Normal file
View File

@@ -0,0 +1,101 @@
# Renovate — Automated Dependency Updates — ${REPO_NAME}
## Overview
[Renovate](https://docs.renovatebot.com/) automatically detects outdated
dependencies and opens PRs to update them. This keeps your project secure
and up-to-date with minimal manual effort.
**Disabled by default.** Set `ENABLE_RENOVATE=true` in `.ci/config.env` to enable.
## How It Works
1. The workflow (`.gitea/workflows/renovate.yml`) runs on a schedule (default: weekly).
2. Renovate scans your lockfiles and config for outdated packages.
3. It opens PRs with updates, grouped by minor/patch to reduce noise.
4. You review and merge the PRs.
## Setup
### Step 1: Create a Bot PAT
1. Create a dedicated Gitea user (e.g., `renovate-bot`) or use your own account.
2. Generate a PAT: **Settings → Applications → Generate New Token**
3. Scopes: `repo` (full repository access)
4. Copy the token.
### Step 2: Add the Secret
1. Go to **Repository Settings → Actions → Secrets**
2. Add secret: `RENOVATE_TOKEN` = the PAT from step 1
### Step 3: Enable in Config
In `.ci/config.env`:
```env
ENABLE_RENOVATE=true
RENOVATE_SCHEDULE=weekly
RENOVATE_PR_LIMIT=5
```
### Step 4: Commit and Push
Renovate will run on the next scheduled time, or you can trigger it manually
via the Actions tab → "Renovate" → "Run workflow".
## Configuration
### Workflow Config (.ci/config.env)
| Variable | Default | Description |
|----------|---------|-------------|
| `ENABLE_RENOVATE` | `false` | Master switch |
| `RENOVATE_SCHEDULE` | `weekly` | How often to run |
| `RENOVATE_PR_LIMIT` | `5` | Max open PRs at once |
### Renovate Config (renovate.json)
The `renovate.json` file in the repo root controls Renovate's behavior:
- **Grouping**: Minor and patch updates are grouped into a single PR.
- **Docker**: Base image updates (`FROM ...`) are enabled.
- **Labels**: PRs get the `dependencies` label.
- **Schedule**: Runs before 6am on Mondays.
Customize `renovate.json` to:
- Pin specific dependencies
- Exclude packages
- Change grouping strategy
- Add automerge for low-risk updates
### Docker Base Image Updates
Renovate will detect `FROM` lines in your Dockerfile and open PRs when
newer base images are available. This is enabled by default in `renovate.json`.
## Noise Control
To reduce PR spam:
1. **Group updates**: Already configured — minor/patch grouped together.
2. **Limit PRs**: `RENOVATE_PR_LIMIT=5` (adjust as needed).
3. **Schedule**: Runs weekly by default, not on every push.
4. **Automerge**: Add to `renovate.json` for trusted updates:
```json
{
"packageRules": [
{
"matchUpdateTypes": ["patch"],
"automerge": true
}
]
}
```
## Expected Behavior
After enabling, expect:
- An initial burst of PRs for all outdated dependencies
- Weekly batches of 1-5 PRs (depending on updates available)
- PRs labeled `dependencies` for easy filtering
- Each PR includes a changelog and compatibility notes