renovate.yml
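# Runs Renovate against this repository, either every 30 minutes or on manual
# dispatch. The job logs in to Vault to read GitHub App credentials, mints a
# short-lived App installation token, and runs Renovate with it. Renovate's
# repository cache is carried between runs as a workflow artifact.
name: Update dependencies

on:
  workflow_dispatch:
    inputs:
      repoCache:
        description: "Reset or disable the cache?"
        type: choice
        default: enabled
        options:
          - enabled
          - disabled
          - reset
      logLevel:
        description: "Override default log level"
        type: choice
        default: info
        options:
          - "debug"
          - "info"
          - "warn"
          - "error"
      overrideSchedule:
        description: "Override all schedules"
        type: boolean
        default: false
      dryRun:
        description: "Dry run mode"
        type: choice
        default: disabled
        options:
          - disabled
          - extract
          - lookup
          - full
  schedule:
    # Run every 30 minutes
    - cron: "0/30 * * * *"

env:
  cache_archive: renovate_cache.tar.gz
  cache_dir: /tmp/renovate/cache/renovate/repository
  cache_key: renovate-cache
  # Scheduled runs carry no inputs, so fall back to a real (non-dry) run.
  dry_run: ${{ github.event.inputs.dryRun || 'disabled' }}

# One Renovate run at a time; a queued run waits instead of cancelling the
# run in progress.
concurrency:
  cancel-in-progress: false
  group: renovate

permissions:
  # NOTE(review): checkout and Renovate below authenticate with the GitHub App
  # token, not GITHUB_TOKEN. Confirm whether GITHUB_TOKEN still needs write
  # access to contents, and narrow it to `read` if not.
  contents: write
  # Allows the job to request a GitHub OIDC token; presumably consumed by the
  # Vault step's `method: jwt` login. Confirm against the Vault role config.
  id-token: write

jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment records the tag each SHA was taken from.
      - name: Authenticate Vault
        id: secrets
        uses: hashicorp/vault-action@a1b77a09293a4366e48a5067a86692ac6e94fdc0 # v3.1.0
        with:
          url: ${{ secrets.VAULT_ADDR }}
          method: jwt
          role: dev
          secrets: |
            automation/data/pipelines/hash/dev github_worker_app_id | GITHUB_WORKER_APP_ID ;
            automation/data/pipelines/hash/dev github_worker_app_private_key | GITHUB_WORKER_APP_PRIVATE_KEY ;

      # Exchange the App id and private key for an installation token.
      - name: Get token
        id: app-token
        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1
        with:
          app-id: ${{ steps.secrets.outputs.GITHUB_WORKER_APP_ID }}
          private-key: ${{ steps.secrets.outputs.GITHUB_WORKER_APP_PRIVATE_KEY }}

      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          token: ${{ steps.app-token.outputs.token }}

      - name: Install Rust toolchain
        uses: ./.github/actions/install-rust-toolchain

      - name: Install Node.js
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
        with:
          node-version: 22

      - name: Enable corepack
        uses: ./.github/actions/enable-corepack

      # Fetch the cache artifact saved by an earlier run. A missing artifact
      # is tolerated (continue-on-error); the extract step handles that case.
      - uses: dawidd6/action-download-artifact@80620a5d27ce0ae443b965134db88467fc607b43 # v7
        if: github.event.inputs.repoCache != 'disabled'
        continue-on-error: true
        with:
          name: ${{ env.cache_key }}
          path: cache-download

      - name: Extract renovate cache
        if: github.event.inputs.repoCache != 'disabled'
        # Variables are quoted so the paths are never word-split or globbed.
        run: |
          if [ ! -d cache-download ] ; then
            echo "No cache found."
            exit 0
          fi
          mkdir -p "$cache_dir"
          tar -xzf "cache-download/$cache_archive" -C "$cache_dir"

      # NOTE(review): unlike the SHA-pinned actions above, this installs
      # whatever version npm resolves at run time, and that code then runs
      # with the App token. Pin an exact version (renovate@<PINNED_VERSION>)
      # so the tool is reproducible and upgrades are reviewed.
      - name: Install renovate
        run: npm install -g renovate

      - name: Run renovate
        env:
          LOG_LEVEL: ${{ inputs.logLevel || 'info' }}
          RENOVATE_FORCE: ${{ github.event.inputs.overrideSchedule == 'true' && '{"schedule":null}' || '' }}
          RENOVATE_DRY_RUN: ${{ env.dry_run == 'disabled' && 'null' || inputs.dryRun }}
          RENOVATE_PLATFORM_COMMIT: enabled
          RENOVATE_REPOSITORIES: ${{ github.repository }}
          # TODO: Consider using S3 by setting `RENOVATE_REPOSITORY_CACHE_TYPE`
          #   see: https://linear.app/hash/issue/H-3315/use-s3-to-store-renovate-cache
          RENOVATE_REPOSITORY_CACHE: ${{ github.event.inputs.repoCache || 'enabled' }}
          # The token is handed over through the environment rather than
          # expanded into the command line, which keeps it out of the
          # generated step script and the process argument list.
          RENOVATE_TOKEN: ${{ steps.app-token.outputs.token }}
        run: renovate

      # Only build the archive when the upload step below will consume it;
      # otherwise the cache directory may not exist and tar would fail.
      - name: Compress renovate cache
        if: env.dry_run == 'disabled' && github.event.inputs.repoCache != 'disabled'
        run: tar -czvf "$cache_archive" -C "$cache_dir" .

      # Dry runs and cache-disabled runs do not publish a cache.
      - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
        if: env.dry_run == 'disabled' && github.event.inputs.repoCache != 'disabled'
        with:
          name: ${{ env.cache_key }}
          path: ${{ env.cache_archive }}
          retention-days: 1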