# =============================================================================
# Renovate Workflow — Automated Dependency Updates
# =============================================================================
#
# DISABLED BY DEFAULT (ENABLE_RENOVATE=false in .ci/config.env).
#
# When enabled, this workflow runs Renovate to:
#   - Detect outdated dependencies (pip, npm, Docker FROM, etc.)
#   - Open PRs with updates, respecting schedule and PR limits
#
# REQUIRED SECRET:
#   RENOVATE_TOKEN — A Gitea PAT (Personal Access Token) with repo scope
#                    for the Renovate bot user. Set in repo/org secrets.
#
# CONFIG:
#   - .ci/config.env → RENOVATE_SCHEDULE, RENOVATE_PR_LIMIT
#   - renovate.json  → Renovate-specific config (grouping, labels, etc.)
#
# See docs/RENOVATE.md for setup instructions.
# =============================================================================

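name: Renovate

on:
  # Run on a schedule (default: weekly on Mondays at 04:00 UTC).
  # RENOVATE_SCHEDULE from .ci/config.env is only echoed in the summary step;
  # it does not change this cron expression.
  schedule:
    - cron: "0 4 * * 1"
  # Allow manual trigger
  workflow_dispatch:

jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      # -----------------------------------------------------------------------
      # Step 1: Checkout
      # -----------------------------------------------------------------------
      - name: Checkout
        # NOTE(review): `v4` is a mutable tag. Pinning to the full commit SHA
        # of a reviewed release keeps a retagged action from running in a job
        # that later holds RENOVATE_TOKEN.
        uses: actions/checkout@v4
        with:
          # Later steps only read .ci/config.env, and Renovate authenticates
          # with its own PAT, so the job token does not need to stay in
          # .git/config for the rest of the job.
          persist-credentials: false

      # -----------------------------------------------------------------------
      # Step 2: Load config
      #
      # .ci/config.env is sourced, i.e. executed as shell inside this job.
      # Review changes to that file with the same care as changes to this
      # workflow.
      # -----------------------------------------------------------------------
      - name: Load config
        run: |
          if [ -f .ci/config.env ]; then
            set -a
            source .ci/config.env
            set +a
          fi

          ENABLE_RENOVATE="${ENABLE_RENOVATE:-false}"
          RENOVATE_SCHEDULE="${RENOVATE_SCHEDULE:-weekly}"
          RENOVATE_PR_LIMIT="${RENOVATE_PR_LIMIT:-5}"

          # $GITHUB_ENV is parsed as KEY=VALUE lines, so a value containing a
          # newline would define additional variables for every later step.
          # Fail closed instead of writing such a value.
          for value in "$ENABLE_RENOVATE" "$RENOVATE_SCHEDULE" "$RENOVATE_PR_LIMIT"; do
            case "$value" in
              *$'\n'*)
                echo "ERROR: multi-line values from .ci/config.env are not allowed."
                exit 1
                ;;
            esac
          done

          # The PR limit is passed to the Renovate CLI; accept digits only.
          case "$RENOVATE_PR_LIMIT" in
            ''|*[!0-9]*)
              echo "ERROR: RENOVATE_PR_LIMIT must be a non-negative integer."
              exit 1
              ;;
          esac

          echo "ENABLE_RENOVATE=${ENABLE_RENOVATE}" >> "$GITHUB_ENV"
          echo "RENOVATE_SCHEDULE=${RENOVATE_SCHEDULE}" >> "$GITHUB_ENV"
          echo "RENOVATE_PR_LIMIT=${RENOVATE_PR_LIMIT}" >> "$GITHUB_ENV"

      # -----------------------------------------------------------------------
      # Step 3: Check if Renovate is enabled
      #
      # Anything other than the exact string "true" counts as disabled.
      # -----------------------------------------------------------------------
      - name: Check if enabled
        run: |
          if [ "$ENABLE_RENOVATE" != "true" ]; then
            echo "Renovate is disabled (ENABLE_RENOVATE=$ENABLE_RENOVATE)."
            echo "To enable, set ENABLE_RENOVATE=true in .ci/config.env"
            echo "SKIP_RENOVATE=true" >> "$GITHUB_ENV"
          fi

      # -----------------------------------------------------------------------
      # Step 4: Run Renovate
      #
      # Uses the official Renovate CLI via npx. Configures it to point at
      # the Gitea instance and the current repository.
      # -----------------------------------------------------------------------
      - name: Run Renovate
        if: env.SKIP_RENOVATE != 'true'
        env:
          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
          # Handed over as an environment variable so the expression is never
          # spliced into the script text before the shell parses it.
          REPO_FROM_CONTEXT: ${{ github.repository }}
        run: |
          if [ -z "$RENOVATE_TOKEN" ]; then
            echo "ERROR: RENOVATE_TOKEN secret is not set."
            echo "Please create a Gitea PAT and add it as a repository secret."
            exit 1
          fi

          # Determine repository path
          FULL_REPO="${GITEA_REPOSITORY:-$REPO_FROM_CONTEXT}"

          # The PAT is sent to this host, so it must come from trusted config.
          # NOTE(review): the Load config step does not write REGISTRY_HOST to
          # $GITHUB_ENV, so a value set only in .ci/config.env is not visible
          # here; confirm where it is expected to come from.
          RENOVATE_HOST="${REGISTRY_HOST:-git.hiddenden.cafe}"

          echo "Running Renovate for ${FULL_REPO} on ${RENOVATE_HOST}..."

          # Renovate reads the token from the RENOVATE_TOKEN environment
          # variable, so it is not repeated on the command line, where it
          # would show up in the process list.
          # NOTE(review): npx resolves whichever renovate release is current
          # when the job runs, and that code executes with the PAT in its
          # environment. Pin an exact reviewed version
          # (npx renovate@<PINNED_VERSION>) and bump it deliberately.
          npx renovate \
            --platform gitea \
            --endpoint "https://${RENOVATE_HOST}/api/v1" \
            --pr-hourly-limit "$RENOVATE_PR_LIMIT" \
            "$FULL_REPO"

      # -----------------------------------------------------------------------
      # Step 5: Summary
      #
      # Runs even when an earlier step failed; prints only non-secret settings.
      # -----------------------------------------------------------------------
      - name: Renovate Summary
        if: always()
        run: |
          echo "=============================="
          echo "  Renovate Workflow Complete"
          echo "  Enabled:  ${ENABLE_RENOVATE:-false}"
          echo "  Schedule: ${RENOVATE_SCHEDULE:-weekly}"
          echo "  PR Limit: ${RENOVATE_PR_LIMIT:-5}"
          echo "=============================="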