Renovate

Renovate #18321

Workflow file for this run

---
# Runs Renovate on an hourly schedule, on manual dispatch, or as a reusable
# workflow called from another workflow.
name: Renovate
on:
  # Minute 0 of every hour. Scheduled runs carry no inputs.
  schedule:
    - cron: "0 * * * *"

  # Reusable-workflow entry point. The caller provides the GitHub App
  # credentials declared under `secrets`.
  # String inputs (branch, log_level, renovate_git_author, renovate_username)
  # are free-form caller text: hand them to `run:` scripts through `env:`
  # rather than `${{ }}` interpolation inside the script body.
  workflow_call:
    inputs:
      autodiscover:
        description: Autodiscover all repositories.
        required: false
        type: boolean
        default: true
      branch:
        description: Run Renovate on this branch.
        required: false
        type: string
      cache:
        description: Enable the Renovate cache.
        required: false
        type: boolean
        default: true
      dry_run:
        description: Perform a dry run by logging messages instead of creating/updating/deleting branches and PRs.
        required: false
        type: boolean
        default: true
      log_level:
        description: Set the log level.
        required: false
        type: string
        default: debug
      print_config:
        description: Log the fully-resolved Renovate config for each repository, plus fully-resolved presets.
        required: false
        type: boolean
        default: false
      renovate_git_author:
        description: Set the Git author name and email (used to set the `gitAuthor` Renovate configuration option).
        required: false
        type: string
      renovate_username:
        description: Set the Renovate username (used to set the `username` Renovate configuration option).
        required: false
        type: string
    outputs:
      docker-image:
        description: The name of the Renovate Docker image
        value: ${{ jobs.renovate.outputs.docker-image }}
      renovate-version:
        description: The Renovate version
        value: ${{ jobs.renovate.outputs.renovate-version }}
    secrets:
      APPLICATION_ID:
        description: GitHub App ID
        required: true
      APPLICATION_PRIVATE_KEY:
        description: GitHub App private key
        required: true

  # Manual runs from the Actions UI. `log_level` is a closed choice list here,
  # whereas workflow_call accepts any string for it.
  workflow_dispatch:
    inputs:
      autodiscover:
        description: Autodiscover all repositories.
        required: false
        type: boolean
        default: true
      branch:
        description: Run Renovate on this branch.
        required: false
        type: string
      cache:
        description: Enable the Renovate cache.
        required: false
        type: boolean
        default: true
      dry_run:
        description: Perform a dry run by logging messages instead of creating/updating/deleting branches and PRs.
        required: false
        type: boolean
        default: true
      log_level:
        description: Set the log level.
        required: false
        type: choice
        default: debug
        options:
          - trace
          - debug
          - info
          - warn
          - error
          - fatal
      print_config:
        description: Log the fully-resolved Renovate config for each repository, plus fully-resolved presets.
        required: false
        type: boolean
        default: false
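# One concurrency group per repository, workflow and ref. With
# cancel-in-progress disabled, a run that is already executing is left to finish.
concurrency:
  group: '${{ github.repository }}-${{ github.workflow }}-${{ github.ref }}'
  cancel-in-progress: false

# The automatic GITHUB_TOKEN is granted no permissions at workflow level; the
# job authenticates to GitHub with a GitHub App token it mints itself.
permissions: {}

env:
  RENOVATE_VERSION: 36.100.0 # renovate: datasource=docker depName=renovate packageName=ghcr.io/renovatebot/renovate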
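jobs:
  # Single job: resolve the run configuration, mint a GitHub App token, prepare
  # the optional cache, then run Renovate in its container.
  renovate:
    name: Renovate
    runs-on: ubuntu-latest
    # Values resolved by the `configure` step, re-exported at job level.
    outputs:
      autodiscover: ${{ steps.configure.outputs.autodiscover }}
      base-branches: ${{ steps.configure.outputs.base-branches }}
      docker-image: ${{ steps.configure.outputs.docker-image }}
      dry-run: ${{ steps.configure.outputs.dry-run }}
      global-config: ${{ steps.configure.outputs.global-config }}
      is-org-account: ${{ steps.configure.outputs.is-org-account }}
      log-level: ${{ steps.configure.outputs.log-level }}
      print-config: ${{ steps.configure.outputs.print-config }}
      renovate-version: ${{ steps.configure.outputs.renovate-version }}
      repositories: ${{ steps.configure.outputs.repositories }}
    steps:
      - name: Configure workflow run
        id: configure
        env:
          # Use the contains function to convert the boolean input to a string and compare it to 'false'. This is
          # required when the workflow is triggered from workflow_call because the github context is that of the workflow
          # that called this workflow.
          autodiscover: ${{ inputs.autodiscover || contains(inputs.autodiscover, 'false') && 'false' || 'true' }}
          dry_run: ${{ inputs.dry_run || contains(inputs.dry_run, 'false') && 'false' }}
          # Check if this workflow was triggered from an organization account.
          is-org-account: ${{ github.event.organization && 'true' || 'false' }}
          # Free-form strings supplied by the caller or by repository variables.
          # They reach the script below only as environment variables, so the
          # shell never parses their content as code.
          branch: ${{ inputs.branch }}
          log_level: ${{ inputs.log_level || 'debug' }}
          renovate_git_author: ${{ inputs.renovate_git_author || vars.RENOVATE_GIT_AUTHOR || '' }}
          print_config: ${{ inputs.print_config || 'false' }}
          # The cache is on for scheduled runs, and for other runs only when
          # requested and not a dry run.
          cache: ${{ inputs.cache && !inputs.dry_run && 'true' || github.event_name == 'schedule' && 'true' || 'false' }}
          # Global Renovate configuration, written as JSON5. The script strips
          # its newlines before exporting it, so never add `//` comments inside.
          # `allowedPostUpgradeCommands` is the allow-list (regexes anchored with
          # ^...$) of post-upgrade commands that repository configs may request.
          # The entries without `--ignore-scripts` and the `run build|fix|format`
          # entries execute code from the repository being updated, inside the
          # container that is also handed the App token; enable post-upgrade
          # tasks only for repositories you trust.
          zzglobal_config: |-
            {
              allowedPostUpgradeCommands: [
                '^(npx )?corepack enable$',
                '^npm ci( --ignore-scripts)?$',
                '^npm install -g (npm|pnpm)(?:@\\d+(?:\\.\\d+\\.\\d+)?)?$',
                '^(npx|pnpm|yarn) prettier( --no-color)? --write \\.$',
                '^(pnpm|yarn) install( --frozen-lockfile)?( --ignore-scripts)?$',
                '^(pnpm|yarn) run (build|fix|format)$',
                '^yarn install( --immutable)?( --immutable-cache)?$',
              ],
              description: [
                'Use the global config preset for the @bfra-me organization.',
                '_See the [renovate workflow](https://github.com/bfra-me/renovate-config/blob/main/.github/workflows/renovate.yaml) for details._',
              ],
              onboardingConfig: {
                '$schema': 'https://docs.renovatebot.com/renovate-schema.json',
                extends: ['github>bfra-me/renovate-config#v1.8.0'],
              },
              onboardingConfigFileName: '.github/renovate.json5',
              onboardingPrTitle: 'feat(deps): configure Renovate',
              onboardingRebaseCheckbox: true,
              packageRules: [
                {
                  matchPackagePatterns: ['*'],
                  rangeStrategy: 'pin',
                },
                {
                  matchDepTypes: ['engines', 'peerDependencies'],
                  rangeStrategy: 'update-lockfile',
                },
              ],
            }
        shell: bash
        run: |
          # Create outputs for this configuration
          # `branch` is a comma-separated list; jq turns it into a JSON array.
          base_branches=''
          if [[ -n "${branch}" ]]; then
            base_branches=$(jq -Rc 'split(",")' <<<"${branch}")
          fi
          # The heredoc is unquoted, so the shell expands $(...) found in the
          # script text itself. Free-form values (log_level, renovate_git_author)
          # are therefore referenced as shell variables, whose expanded content
          # is not re-parsed. The remaining ${{ }} values are 'true'/'false' or
          # fixed strings from this file. `is-org-account` is not a valid shell
          # variable name and has to stay an expression.
          # Each output is a single `key=value` line, so values must not contain
          # newlines. sed removes the indentation of the heredoc body.
          sed 's/^[[:space:]]*//' <<EOF >> "${GITHUB_OUTPUT}"
            autodiscover=${{ env.autodiscover }}
            base-branches=${base_branches}
            docker-image=ghcr.io/renovatebot/renovate:${{ env.RENOVATE_VERSION }}
            dry-run=${{ env.dry_run }}
            enable-cache=${{ env.cache }}
            global-config=$(echo "${zzglobal_config}" | tr -d '\n')
            is-org-account=${{ env.is-org-account }}
            log-level=${log_level}
            print-config=${{ env.print_config }}
            renovate-git-author=${renovate_git_author}
            renovate-version=${{ env.RENOVATE_VERSION }}
            repositories=${{ !fromJSON(env.autodiscover) && format('["{0}"]', github.repository) || '' }}
          EOF

      # Exchange the GitHub App credentials for an installation token limited to
      # the permissions listed below. `contents:write` together with
      # `workflows:write` allows changing workflow files, so treat this token as
      # highly privileged and keep it out of logs and step outputs.
      - name: Get Workflow Token
        id: get_workflow_token
        uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db # v2.1.0
        with:
          application_id: ${{ secrets.APPLICATION_ID }}
          application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
          organization: ${{ fromJSON(steps.configure.outputs.is-org-account) && github.repository_owner || '' }}
          permissions: >
            checks:write,
            contents:write,
            issues:write,
            members:read,
            metadata:read,
            pull_requests:write,
            statuses:write,
            vulnerability_alerts:read,
            workflows:write

      # Export the cache directory for later steps, keeping a value that is
      # already set in the environment.
      - name: Configure Renovate cache
        if: steps.configure.outputs.enable-cache == 'true'
        shell: bash
        run: |
          echo "RENOVATE_CACHE_DIR=${RENOVATE_CACHE_DIR:-/tmp/renovate/cache}" >> "${GITHUB_ENV}"

      - id: renovate-cache
        name: Cache Renovate
        if: steps.configure.outputs.enable-cache == 'true'
        env:
          RENOVATE_CACHE_DIR: ${{ env.RENOVATE_CACHE_DIR }}
        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
        with:
          enableCrossOsArchive: true
          path: ${{ env.RENOVATE_CACHE_DIR }}
          key: >-
            ${{ github.repository_owner }}-renovate-cache-${{ steps.configure.outputs.renovate-version }}-${{ github.sha }}

      # Hand /tmp/renovate to uid 1000 before Renovate runs.
      # NOTE(review): presumably the uid Renovate uses inside its container; confirm.
      - name: Workaround Renovate cache permissions
        if: steps.configure.outputs.enable-cache == 'true'
        continue-on-error: true
        run: >
          [ -d /tmp/renovate ] && sudo chown -R 1000 /tmp/renovate || true

      - name: Renovate ${{ steps.configure.outputs.renovate-version }}
        uses: renovatebot/github-action@3cef36a9aba515d8726b491905b3bc766832e221 # v39.0.5
        env:
          FORCE_COLOR: '3'
          LOG_LEVEL: ${{ steps.configure.outputs.log-level }}
          RENOVATE_AUTODISCOVER: ${{ steps.configure.outputs.autodiscover }}
          RENOVATE_BASE_BRANCHES: ${{ steps.configure.outputs.base-branches }}
          RENOVATE_USE_BASE_BRANCH_CONFIG: ${{ steps.configure.outputs.base-branches && 'merge' || 'none' }}
          RENOVATE_BRANCH_PREFIX_OLD: 'renovate-github/'
          RENOVATE_CACHE_NPM_MINUTES: '30'
          RENOVATE_CONFIG: ${{ steps.configure.outputs.global-config }}
          RENOVATE_DEPENDENCY_DASHBOARD_FOOTER: '\n- [ ] <!-- manual job -->Check here to trigger a Renovate run on this repository\n'
          RENOVATE_DRY_RUN: ${{ fromJSON(steps.configure.outputs.dry-run) && 'full' || '' }}
          RENOVATE_GIT_AUTHOR: ${{ steps.configure.outputs.renovate-git-author }}
          # NOTE(review): the "[email protected]" entries look like e-mail
          # obfuscation left by the page this listing was copied from; restore
          # the real addresses from the repository before using this file.
          RENOVATE_GIT_IGNORED_AUTHORS: |-
            [
              "[email protected]",
              "29139614+renovate[bot]@users.noreply.github.com",
              "[email protected]",
              "[email protected]",
              "${{ steps.configure.outputs.renovate-git-author }}"
            ]
          # NOTE(review): with the workflow-level `permissions: {}` this
          # GITHUB_TOKEN has no `packages` scope; presumably only public
          # ghcr.io images are looked up with it. Confirm.
          RENOVATE_HOST_RULES: |-
            [
              {
                "dnsCache": true
              },
              {
                "hostType": "docker",
                "matchHost": "ghcr.io",
                "username": "${{ github.repository_owner }}",
                "password": "${{ secrets.GITHUB_TOKEN }}"
              }
            ]
          RENOVATE_PLATFORM: github
          RENOVATE_PLATFORM_COMMIT: 'true'
          RENOVATE_PRINT_CONFIG: ${{ steps.configure.outputs.print-config }}
          RENOVATE_REPOSITORIES: ${{ steps.configure.outputs.repositories }}
          RENOVATE_REPOSITORY_CACHE: ${{ steps.configure.outputs.enable-cache == 'true' && 'enabled' || 'disabled' }}
          RENOVATE_USERNAME: ${{ inputs.renovate_username || vars.RENOVATE_USERNAME || '' }}
        with:
          # Every variable whose name matches this pattern is forwarded into
          # the Renovate container (all RENOVATE_*, RUNNER_* and most GITHUB_*).
          # Do not give an unrelated secret a name that matches it.
          env-regex: '^(?:CI|FORCE_COLOR|GITHUB_(?:(?!PATH|ENV).)+|(?:HTTPS?|NO)_PROXY|(?:https?|no)_proxy|LOG_LEVEL|NODE_OPTIONS|RENOVATE_\w+|RUNNER_\w+)$'
          # Access to the Docker socket is equivalent to root on the runner for
          # anything executing in the container, including post-upgrade
          # commands. Keep this job on ephemeral runners.
          mount-docker-socket: true
          renovate-version: ${{ env.RENOVATE_VERSION }}
          token: 'x-access-token:${{ steps.get_workflow_token.outputs.token }}'

      # Give /tmp/renovate back to the runner user, even when Renovate failed.
      - name: Restore Renovate cache permissions
        if: always() && steps.configure.outputs.enable-cache == 'true'
        continue-on-error: true
        run: >
          [ -d /tmp/renovate ] && sudo chown -R "$(whoami)" /tmp/renovate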