Renovate #1886
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Renovate | |
| on: | |
| schedule: | |
| # Offset by 12 minutes to avoid busy times on the hour | |
| - cron: 12 */4 * * * | |
| pull_request: | |
| paths: | |
| - .github/renovate-config.json5 | |
| - .github/workflows/renovate.yml | |
| types: | |
| - edited | |
| - opened | |
| - ready_for_review | |
| - synchronize | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - .github/renovate-config.json5 | |
| - .github/workflows/renovate.yml | |
| workflow_dispatch: | |
| inputs: | |
| dry-run: | |
| description: "Run Renovate in dry-run mode" | |
| required: false | |
| default: false | |
| type: boolean | |
| merge_group: | |
| permissions: | |
| contents: read | |
| jobs: | |
| renovate: | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| # We need a secret for the GitHub app, which isn't available for a fork, so | |
| # don't run there. | |
| if: github.event.pull_request.head.repo.full_name == github.repository | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout Code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| sparse-checkout: | | |
| .github/renovate-config.json5 | |
| actions/get-vault-secrets | |
| - name: Retrieve renovate secrets | |
| id: get-secrets | |
| uses: ./actions/get-vault-secrets | |
| with: | |
| common_secrets: | | |
| GRAFANA_RENOVATE_APP_ID=grafana-renovate-app:app-id | |
| GRAFANA_RENOVATE_PRIVATE_KEY=grafana-renovate-app:private-key | |
| - name: Generate token | |
| id: generate-token | |
| uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2 | |
| with: | |
| app-id: ${{ env.GRAFANA_RENOVATE_APP_ID }} | |
| private-key: ${{ env.GRAFANA_RENOVATE_PRIVATE_KEY }} | |
| - name: Self-hosted Renovate | |
| uses: renovatebot/github-action@8ac70de2fe55752c573155866e30735411e3b61c # v41.0.22 | |
| with: | |
| configurationFile: .github/renovate-config.json5 | |
| # renovate: datasource=docker depName=ghcr.io/renovatebot/renovate | |
| renovate-version: 39.252.0@sha256:f244c095f6f698e1ced593a8521dd2cc78d22beeaf4fb009450fbc977a2c5b36 | |
| token: ${{ steps.generate-token.outputs.token }} | |
| env: | |
| LOG_LEVEL: ${{ github.event_name == 'pull_request' && 'debug' || 'info' }} | |
| # For pull requests, this means we'll get the dependencies of the PR's | |
| # branch, so you can fix/change things and see the results in the PR's | |
| # run. By default, Renovate will clone the main/default branch. | |
| RENOVATE_BASE_BRANCHES: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.ref || null }} | |
| # Dry run if the event is pull_request, or workflow_dispatch AND the dry-run input is true | |
| RENOVATE_DRY_RUN: ${{ (github.event_name == 'pull_request' || (github.event_name == 'workflow_dispatch' && github.event.inputs.dry-run == 'true')) && 'full' || null }} | |
| RENOVATE_PLATFORM: github | |
| RENOVATE_REPOSITORIES: ${{ github.repository }} | |
| RENOVATE_USERNAME: GrafanaRenovateBot |