renovate #8602
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # GitHub Actions workflow to run Renovate on the Schrödinger's Stack repositories. | |
| # Ref: https://github.com/renovatebot/github-action?tab=readme-ov-file#persisting-the-repository-cache | |
| name: "renovate" | |
| on: | |
| schedule: | |
| # Run every hour. | |
| - cron: '0 * * * *' | |
| # Dispatch a Renovate job with different cache options if you want to reset or disable the cache manually. | |
| workflow_dispatch: | |
| inputs: | |
| repoCache: | |
| description: 'Reset or disable the cache?' | |
| type: choice | |
| default: enabled | |
| options: | |
| - enabled | |
| - disabled | |
| - reset | |
| logLevel: | |
| description: 'Log level for Renovate' | |
| type: choice | |
| default: INFO | |
| options: | |
| - DEBUG | |
| - INFO | |
| - WARN | |
| - ERROR | |
| - FATAL | |
| # Adding these as env variables makes it easy to re-use them in different steps and in bash. | |
| env: | |
| cache_archive: renovate_cache.tar.gz | |
| cache_dir: /tmp/renovate/cache/renovate/repository | |
| # This can be manually changed to bust the cache if necessary. | |
| cache_key: renovate-cache | |
| jobs: | |
| renovate: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| - name: Download repository cache for Renovate | |
| uses: dawidd6/action-download-artifact@v11 | |
| if: github.event.inputs.repoCache != 'disabled' | |
| continue-on-error: true | |
| with: | |
| name: ${{ env.cache_key }} | |
| path: cache-download | |
| - name: Extract Renovate cache | |
| run: | | |
| set -x | |
| # Skip if no cache is set, such as the first time it runs. | |
| if [ ! -d cache-download ] ; then | |
| echo "No cache found." | |
| exit 0 | |
| fi | |
| # Make sure the directory exists, and extract it there. Note that it's nested in the download directory. | |
| mkdir -p $cache_dir | |
| tar -xzf cache-download/$cache_archive -C $cache_dir | |
| # Unfortunately, the permissions expected within renovate's docker container | |
| # are different than the ones given after the cache is restored. We have to | |
| # change ownership to solve this. We also need to have correct permissions in | |
| # the entire /tmp/renovate tree, not just the section with the repo cache. | |
| sudo chown -R 12021:0 /tmp/renovate/ | |
| ls -R $cache_dir | |
| - name: Generate authentication token from GitHub App | |
| id: app_token | |
| uses: actions/create-github-app-token@v2.2.1 | |
| with: | |
| app-id: ${{ secrets.SCHTACK_RENOVATOR_APP_ID }} | |
| private-key: ${{ secrets.SCHTACK_RENOVATOR_PRIVATE_KEY }} | |
| # This line is what says that the token is not limited to the current repository but to all repositories its | |
| # owner has access to. | |
| owner: ${{ github.repository_owner }} | |
| - name: Run Renovate | |
| uses: renovatebot/github-action@v44.2.1 | |
| with: | |
| configurationFile: .github/global-renovate-config.json | |
| token: ${{ steps.app_token.outputs.token }} | |
| env: | |
| LOG_LEVEL: ${{ github.event.inputs.logLevel }} | |
| # Compression helps performance in the upload step! | |
| - name: Compress Renovate cache | |
| run: | | |
| ls $cache_dir | |
| # The -C is important -- otherwise we end up extracting the files with | |
| # their full path, ultimately leading to a nested directory situation. | |
| # To solve *that*, we'd have to extract to root (/), which isn't safe. | |
| tar -czvf $cache_archive -C $cache_dir . | |
| - name: Upload Renovate cache | |
| uses: actions/upload-artifact@v6 | |
| if: github.event.inputs.repoCache != 'disabled' | |
| with: | |
| name: ${{ env.cache_key }} | |
| path: ${{ env.cache_archive }} | |
| retention-days: 1 |