Skip to content

Renovate

Renovate #3275

Workflow file for this run

name: Renovate
on:
# running every hour from 9h to 19h UTC on every working day
schedule:
- cron: '0 9-19 * * 1-5'
# allow to manually trigger this workflow
workflow_dispatch:
inputs:
renovate_log_level_debug:
type: boolean
default: true
push:
branches:
- main
paths:
- '.github/renovate.json5'
jobs:
renovate:
if: ${{ github.repository == 'cilium/tetragon' || github.event_name != 'schedule' }}
runs-on: ubuntu-latest
env:
buildx_version: 'v0.10.5'
steps:
# we need special permission to be able to operate renovate (view, list,
# create issues, PR, etc.) and we use a GitHub application with fine
# grained permissions installed in the repository for that.
- name: Get token
id: get_token
uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1
with:
APP_PEM: ${{ secrets.CILIUM_RENOVATE_PEM }}
APP_ID: ${{ secrets.CILIUM_RENOVATE_APP_ID }}
# buildx is not installed in the renovate container image and we need it
# for the postUpgradeTasks's commands. We take advantage of the fact that
# the renovate GitHub action mounts the /tmp folder in the container to
# transfer the docker CLI plugin binary.
- name: Cache Buildx CLI plugin download
id: cache-buildx
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: /tmp/docker-buildx
key: ${{ runner.os }}-${{ env.buildx_version }}-buildx
- name: Download and set permissions for buildx
if: steps.cache-buildx.outputs.cache-hit != 'true'
run: |
curl -L -o /tmp/docker-buildx https://github.com/docker/buildx/releases/download/${{ env.buildx_version }}/buildx-${{ env.buildx_version }}.linux-amd64
chmod +x /tmp/docker-buildx
# this is not strictly necessary but makes the renovate
# postUpgradeTasks's commands shorter and understandable.
- name: Create and set permissions for install buildx bash script
run: |
echo '#!/bin/bash' > /tmp/install-buildx
echo 'DIR="$HOME/.docker/cli-plugins"' >> /tmp/install-buildx
echo 'mkdir -p "$DIR" && ln -sf /tmp/docker-buildx "$DIR/docker-buildx"' >> /tmp/install-buildx
chmod +x /tmp/install-buildx
# renovate clones the repository again in its container fs but it needs
# the renovate configuration to start.
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Self-hosted Renovate
uses: renovatebot/github-action@dd4d265eb8646cd04fc5f86ff8bc8d496d75a251 # v40.2.8
env:
# default to DEBUG log level, this is always useful
LOG_LEVEL: ${{ github.event.inputs.renovate_log_level_debug == 'false' && 'INFO' || 'DEBUG' }}
with:
configurationFile: .github/renovate.json5
token: '${{ steps.get_token.outputs.app_token }}'
mount-docker-socket: true