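---
# Self-hosted Renovate run, executed once per target environment (matrix).
# Scheduled runs may open/update PRs; runs triggered by a pull_request are
# forced into dry-run mode (see the "Enable dry-run" step) so that changes to
# this workflow can be reviewed without side effects.
name: Renovate

on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: "42 * * * *"
  pull_request:
    branches:
      - master
      - main

# Least privilege for the default GITHUB_TOKEN: read-only checkout plus the
# OIDC token needed by aws-actions/configure-aws-credentials. Renovate itself
# authenticates with the GitHub App installation token generated below, so no
# write scopes on GITHUB_TOKEN are required here.
permissions:
  contents: read
  id-token: "write" # AWS GitHub OIDC required: write

env:
  LOG_LEVEL: debug
  # renovate: datasource=docker depName=renovate packageName=ghcr.io/renovatebot/renovate
  RENOVATE_VERSION: 38.82.0

jobs:
  renovate:
    runs-on: ubuntu-22.04
    strategy:
      # One failing environment cancels the remaining matrix legs.
      fail-fast: true
      matrix:
        environment:
          - balena-staging
          - balena-production
          - balena-playground
          - balena-restricted
        # Maps each environment to its Renovate configuration file.
        include:
          - environment: balena-production
            config_file: default.json
          - environment: balena-staging
            config_file: balena-staging.json
          - environment: balena-playground
            config_file: balena-playground.json
          - environment: balena-restricted
            config_file: balena-restricted.json
    # Binding to a GitHub environment scopes vars/secrets (e.g. AWS_IAM_ROLE)
    # and any protection rules to that environment.
    environment:
      name: ${{ matrix.environment }}
    steps:
      # https://github.com/actions/checkout
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

      # https://github.com/philips-software/app-token-action
      - name: Generate GitHub App installation token
        uses: philips-software/app-token-action@9f5d57062c9f2beaffafaa9a34f66f824ead63a9 # v2.0.0
        id: app_token
        with:
          # https://github.com/apps/balena-renovate
          # https://github.com/organizations/product-os/settings/apps/balena-renovate
          app_id: ${{ vars.RENOVATE_APP_ID || '335686' }}
          app_base64_private_key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY_B64 }}
          auth_type: installation

      # Short-lived AWS credentials via OIDC (no static keys), consumed by the
      # Renovate AWS datasources:
      # https://docs.renovatebot.com/modules/datasource/aws-machine-image/
      # https://docs.renovatebot.com/modules/datasource/aws-rds/
      # Pinned by commit SHA; the corresponding release tag is not recorded here.
      - uses: aws-actions/configure-aws-credentials@bd1354327e55c2330d56537b3ac2006a8d97c566
        with:
          aws-region: ${{ vars.AWS_REGION || 'us-east-1' }}
          role-session-name: github-${{ github.job }}-${{ github.run_id }}-${{ github.run_attempt }}
          role-to-assume: '${{ vars.AWS_IAM_ROLE }}' # environment specific

      # Never let a PR-triggered run mutate repositories: force a full dry-run.
      - name: Enable dry-run
        run: echo "RENOVATE_DRY_RUN=full" >> "$GITHUB_ENV"
        if: github.event_name == 'pull_request'

      # https://github.com/renovatebot
      - uses: renovatebot/github-action@17973eff4f1b66dc88786ea5490d902aaa274cbf # v40.2.9
        with:
          # https://docs.renovatebot.com/configuration-options
          # https://docs.renovatebot.com/self-hosted-configuration
          configurationFile: ${{ matrix.config_file }}
          token: ${{ steps.app_token.outputs.token }}
          renovate-version: ${{ env.RENOVATE_VERSION }}
          # Allow-list of env vars forwarded into the Renovate container; the
          # AWS_* group carries the OIDC-derived credentials from the step above.
          # https://github.com/renovatebot/github-action?tab=readme-ov-file#env-regex
          env-regex: "^(?:RENOVATE_\\w+|LOG_LEVEL|AWS_\\w+)$"
        env:
          AWS_REGION: ${{ env.AWS_REGION }}
          AWS_DEFAULT_REGION: ${{ env.AWS_REGION }}
          AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
          AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }}
          RENOVATE_DRY_RUN: ${{ env.RENOVATE_DRY_RUN }}
          # Registry credentials for the docker datasource, as a JSON array.
          # Values are interpolated verbatim, so a secret containing a double
          # quote would break the JSON.
          RENOVATE_HOST_RULES: |
            [
              {
                "hostType": "docker",
                "username": "${{ secrets.DOCKERHUB_USER }}",
                "password": "${{ secrets.DOCKERHUB_TOKEN }}"
              },
              {
                "hostType": "docker",
                "matchHost": "ghcr.io",
                "username": "${{ github.actor }}",
                "password": "${{ secrets.GITHUB_TOKEN }}"
              }
            ]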