Renovate #3275
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Renovate | |
on: | |
# running every hour from 9h to 19h UTC on every working day | |
schedule: | |
- cron: '0 9-19 * * 1-5' | |
# allow to manually trigger this workflow | |
workflow_dispatch: | |
inputs: | |
renovate_log_level_debug: | |
type: boolean | |
default: true | |
push: | |
branches: | |
- main | |
paths: | |
- '.github/renovate.json5' | |
jobs: | |
renovate: | |
if: ${{ github.repository == 'cilium/tetragon' || github.event_name != 'schedule' }} | |
runs-on: ubuntu-latest | |
env: | |
buildx_version: 'v0.10.5' | |
steps: | |
# we need special permission to be able to operate renovate (view, list, | |
# create issues, PR, etc.) and we use a GitHub application with fine | |
# grained permissions installed in the repository for that. | |
- name: Get token | |
id: get_token | |
uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1 | |
with: | |
APP_PEM: ${{ secrets.CILIUM_RENOVATE_PEM }} | |
APP_ID: ${{ secrets.CILIUM_RENOVATE_APP_ID }} | |
# buildx is not installed in the renovate container image and we need it | |
# for the postUpgradeTasks's commands. We take advantage of the fact that | |
# the renovate GitHub action mounts the /tmp folder in the container to | |
# transfer the docker CLI plugin binary. | |
- name: Cache Buildx CLI plugin download | |
id: cache-buildx | |
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
with: | |
path: /tmp/docker-buildx | |
key: ${{ runner.os }}-${{ env.buildx_version }}-buildx | |
- name: Download and set permissions for buildx | |
if: steps.cache-buildx.outputs.cache-hit != 'true' | |
run: | | |
curl -L -o /tmp/docker-buildx https://github.com/docker/buildx/releases/download/${{ env.buildx_version }}/buildx-${{ env.buildx_version }}.linux-amd64 | |
chmod +x /tmp/docker-buildx | |
# this is not strictly necessary but makes the renovate | |
# postUpgradeTasks's commands shorter and understandable. | |
- name: Create and set permissions for install buildx bash script | |
run: | | |
echo '#!/bin/bash' > /tmp/install-buildx | |
echo 'DIR="$HOME/.docker/cli-plugins"' >> /tmp/install-buildx | |
echo 'mkdir -p "$DIR" && ln -sf /tmp/docker-buildx "$DIR/docker-buildx"' >> /tmp/install-buildx | |
chmod +x /tmp/install-buildx | |
# renovate clones the repository again in its container fs but it needs | |
# the renovate configuration to start. | |
- name: Checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Self-hosted Renovate | |
uses: renovatebot/github-action@dd4d265eb8646cd04fc5f86ff8bc8d496d75a251 # v40.2.8 | |
env: | |
# default to DEBUG log level, this is always useful | |
LOG_LEVEL: ${{ github.event.inputs.renovate_log_level_debug == 'false' && 'INFO' || 'DEBUG' }} | |
with: | |
configurationFile: .github/renovate.json5 | |
token: '${{ steps.get_token.outputs.app_token }}' | |
mount-docker-socket: true | |