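# =============================================================================
# Renovate Workflow — Automated Dependency Updates
# =============================================================================
#
# DISABLED BY DEFAULT (ENABLE_RENOVATE=false in .ci/config.env).
#
# When enabled, this workflow runs Renovate to:
#   - Detect outdated dependencies (pip, npm, Docker FROM, etc.)
#   - Open PRs with updates, respecting schedule and PR limits
#
# REQUIRED SECRET:
#   RENOVATE_TOKEN — A Gitea PAT (Personal Access Token) with repo scope
#                    for the Renovate bot user. Set in repo/org secrets.
#
# CONFIG:
#   - .ci/config.env → RENOVATE_SCHEDULE, RENOVATE_PR_LIMIT
#   - renovate.json  → Renovate-specific config (grouping, labels, etc.)
#
# See docs/RENOVATE.md for setup instructions.
#
# SECURITY NOTES:
#   - RENOVATE_TOKEN is exposed only to the "Run Renovate" step, and only
#     through the environment. It is never placed on a command line, where it
#     would be readable from the process list on the runner.
#   - .ci/config.env is sourced as shell in the "Load config" step, so any
#     change to that file executes on the runner and should be reviewed like a
#     change to this workflow.
#   - In this workflow RENOVATE_SCHEDULE is only reported in the summary; the
#     run time is the cron expression below.
# =============================================================================

name: Renovate

on:
  # Run on a schedule (default: weekly on Mondays at 04:00 UTC)
  schedule:
    - cron: "0 4 * * 1"
  # Allow manual trigger
  workflow_dispatch:

jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      # -----------------------------------------------------------------------
      # Step 1: Checkout
      #
      # Only needed so later steps can read .ci/config.env.
      # NOTE(review): "v4" is a mutable tag. Pinning the action to a full
      # commit SHA (actions/checkout@<FULL_COMMIT_SHA>) keeps a retagged
      # release from changing what runs here.
      # -----------------------------------------------------------------------
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # No later step uses git with the job's own token, so do not leave
          # it in the checked-out repository's git config.
          persist-credentials: false

      # -----------------------------------------------------------------------
      # Step 2: Load config
      #
      # The file is sourced, not parsed: its content runs as shell. The secret
      # is not in this step's environment.
      # -----------------------------------------------------------------------
      - name: Load config
        run: |
          if [ -f .ci/config.env ]; then
            set -a
            source .ci/config.env
            set +a
          fi
          # Each value is written as a single NAME=value line; a value holding
          # a newline would add further lines to $GITHUB_ENV, so keep these
          # settings single-line.
          echo "ENABLE_RENOVATE=${ENABLE_RENOVATE:-false}" >> "$GITHUB_ENV"
          echo "RENOVATE_SCHEDULE=${RENOVATE_SCHEDULE:-weekly}" >> "$GITHUB_ENV"
          echo "RENOVATE_PR_LIMIT=${RENOVATE_PR_LIMIT:-5}" >> "$GITHUB_ENV"

      # -----------------------------------------------------------------------
      # Step 3: Check if Renovate is enabled
      # -----------------------------------------------------------------------
      - name: Check if enabled
        run: |
          if [ "$ENABLE_RENOVATE" != "true" ]; then
            echo "Renovate is disabled (ENABLE_RENOVATE=$ENABLE_RENOVATE)."
            echo "To enable, set ENABLE_RENOVATE=true in .ci/config.env"
            echo "SKIP_RENOVATE=true" >> "$GITHUB_ENV"
          fi

      # -----------------------------------------------------------------------
      # Step 4: Run Renovate
      #
      # Uses the official Renovate CLI via npx. Configures it to point at
      # the Gitea instance and the current repository.
      # -----------------------------------------------------------------------
      - name: Run Renovate
        if: env.SKIP_RENOVATE != 'true'
        env:
          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
          # Passed through the environment so that no expression is expanded
          # inside the script text below.
          REPO_FALLBACK: ${{ github.repository }}
        run: |
          if [ -z "$RENOVATE_TOKEN" ]; then
            echo "ERROR: RENOVATE_TOKEN secret is not set."
            echo "Please create a Gitea PAT and add it as a repository secret."
            exit 1
          fi

          # Determine repository path
          # NOTE(review): the "Load config" step does not export
          # GITEA_REPOSITORY or REGISTRY_HOST to $GITHUB_ENV, so unless the
          # runner sets them the fallbacks below apply — confirm.
          FULL_REPO="${GITEA_REPOSITORY:-$REPO_FALLBACK}"

          echo "Running Renovate for ${FULL_REPO} on ${REGISTRY_HOST:-git.hiddenden.cafe}..."

          # Renovate reads the token from the RENOVATE_TOKEN environment
          # variable, so it is not repeated as a --token argument.
          #
          # NOTE(review): npx resolves whichever renovate release the npm
          # registry serves at run time, and that code runs with
          # RENOVATE_TOKEN in its environment. Pin an exact version
          # (renovate@<PINNED_VERSION>) and let Renovate propose its own bumps.
          npx renovate \
            --platform gitea \
            --endpoint "https://${REGISTRY_HOST:-git.hiddenden.cafe}/api/v1" \
            --pr-hourly-limit "$RENOVATE_PR_LIMIT" \
            "$FULL_REPO"

      # -----------------------------------------------------------------------
      # Step 5: Summary
      # -----------------------------------------------------------------------
      - name: Renovate Summary
        if: always()
        run: |
          echo "=============================="
          echo "  Renovate Workflow Complete"
          echo "  Enabled:  ${ENABLE_RENOVATE:-false}"
          echo "  Schedule: ${RENOVATE_SCHEDULE:-weekly}"
          echo "  PR Limit: ${RENOVATE_PR_LIMIT:-5}"
          echo "=============================="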