Renovate #29727
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Renovate | |
| on: | |
| schedule: | |
| - cron: "42 * * * *" | |
| pull_request: | |
| branches: | |
| - master | |
| - main | |
| permissions: | |
| contents: read | |
| id-token: "write" # AWS GitHub OIDC required: write | |
| env: | |
| LOG_LEVEL: debug | |
| # renovate: datasource=docker depName=renovate packageName=ghcr.io/renovatebot/renovate | |
| RENOVATE_VERSION: 37.440.7 | |
| jobs: | |
| renovate: | |
| runs-on: ubuntu-22.04 | |
| strategy: | |
| fail-fast: true | |
| matrix: | |
| environment: | |
| - balena-staging | |
| - balena-production | |
| - balena-playground | |
| - balena-restricted | |
| include: | |
| - environment: balena-production | |
| config_file: default.json | |
| - environment: balena-staging | |
| config_file: balena-staging.json | |
| - environment: balena-playground | |
| config_file: balena-playground.json | |
| - environment: balena-restricted | |
| config_file: balena-restricted.json | |
| environment: | |
| name: ${{ matrix.environment }} | |
| steps: | |
| # https://github.com/actions/checkout | |
| - name: Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | |
| # https://github.com/philips-software/app-token-action | |
| - name: Generate GitHub App installation token | |
| uses: philips-software/app-token-action@9f5d57062c9f2beaffafaa9a34f66f824ead63a9 # v2.0.0 | |
| id: app_token | |
| with: | |
| # https://github.com/apps/balena-renovate | |
| # https://github.com/organizations/product-os/settings/apps/balena-renovate | |
| app_id: ${{ vars.RENOVATE_APP_ID || '335686' }} | |
| app_base64_private_key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY_B64 }} | |
| auth_type: installation | |
| # https://docs.renovatebot.com/modules/datasource/aws-machine-image/ | |
| # https://docs.renovatebot.com/modules/datasource/aws-rds/ | |
| - uses: aws-actions/configure-aws-credentials@0fc95ed93529d540ccff34b6c330f66318bdc888 | |
| with: | |
| aws-region: ${{ vars.AWS_REGION || 'us-east-1' }} | |
| role-session-name: github-${{ github.job }}-${{ github.run_id }}-${{ github.run_attempt }} | |
| role-to-assume: '${{ vars.AWS_IAM_ROLE }}' # environment specific | |
| - name: Enable dry-run | |
| run: echo "RENOVATE_DRY_RUN=full" >> $GITHUB_ENV | |
| if: github.event_name == 'pull_request' | |
| # https://github.com/renovatebot | |
| - uses: renovatebot/github-action@630a255a1f2f56c8d8ce160bed3e3ca577ca53e2 # v40.2.7 | |
| with: | |
| # https://docs.renovatebot.com/configuration-options | |
| # https://docs.renovatebot.com/self-hosted-configuration | |
| configurationFile: ${{ matrix.config_file }} | |
| token: ${{ steps.app_token.outputs.token }} | |
| renovate-version: ${{ env.RENOVATE_VERSION }} | |
| # https://github.com/renovatebot/github-action?tab=readme-ov-file#env-regex | |
| env-regex: "^(?:RENOVATE_\\w+|LOG_LEVEL|AWS_\\w+)$" | |
| env: | |
| AWS_REGION: ${{ env.AWS_REGION }} | |
| AWS_DEFAULT_REGION: ${{ env.AWS_REGION }} | |
| AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }} | |
| AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }} | |
| RENOVATE_DRY_RUN: ${{ env.RENOVATE_DRY_RUN }} | |
| RENOVATE_HOST_RULES: | | |
| [ | |
| { | |
| "hostType": "docker", | |
| "username": "${{ secrets.DOCKERHUB_USER }}", | |
| "password": "${{ secrets.DOCKERHUB_TOKEN }}" | |
| }, | |
| { | |
| "hostType": "docker", | |
| "matchHost": "ghcr.io", | |
| "username": "${{ github.actor }}", | |
| "password": "${{ secrets.GITHUB_TOKEN }}" | |
| } | |
| ] |