
0acbde9f48 test secrets 2025-09-14 09:35:35 -04:00
9 changed files with 16 additions and 100 deletions


@ -8,7 +8,6 @@ steps:
host: swarm-test.autonomic.zone
stack: renovate
purge: true
generate_secrets: true
deploy_key:
from_secret: drone_ssh_swarm_test
networks:
@ -19,8 +18,6 @@ steps:
RENOVATE_ENDPOINT: https://git.coopcloud.tech/api/v1/
RENOVATE_REPOSITORIES: coop-cloud/renovate
RENOVATE_DRY_RUN: "extract"
SECRET_RENOVATE_TOKEN_VERSION: v1
APP_ENTRYPOINT_VERSION: v1
# TODO: Set a valid token so it can execute once against this repo.
trigger:
branch:
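Review bot: With `generate_secrets: true` dropped and `SECRET_RENOVATE_TOKEN_VERSION: v1` removed, this deploy step no longer defines any secret version variable, yet the compose.yml in this same commit builds its external secret names from `${RENOVATE_TOKEN_VERSION}` and `${GITHUB_TOKEN_VERSION}`; unless those are exported elsewhere in the pipeline, docker will expand them to empty and the secret names resolve with a bare trailing underscore. The step now also depends on both secrets having been created by hand on swarm-test.autonomic.zone, which the surviving TODO does not say. I would add `RENOVATE_TOKEN_VERSION: v1` and `GITHUB_TOKEN_VERSION: v1` to the environment block (or restore the generated-secret path) and extend the comment to `# TODO: Set a valid token (pre-created as a swarm secret on the test host) so it can execute once against this repo.`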


@ -10,15 +10,6 @@ RENOVATE_ENDPOINT="https://gitea.example.com/api/v1/"
RENOVATE_GIT_AUTHOR="Renovate Bot <renovate@your-domain.example.com>"
RENOVATE_PLATFORM="gitea"
## Secrets - only RENOVATE_TOKEN is required for writing to your git forge.
## The github token is recommended to fetch changelogs.
## Other secrets may be needed to access private packages: https://docs.renovatebot.com/getting-started/private-packages/
SECRET_RENOVATE_TOKEN_VERSION=v1 # generate=false
# COMPOSE_FILE="$COMPOSE_FILE:compose.gh-token.yml"
# SECRET_GITHUB_COM_TOKEN_VERSION=v1 # generate=false
# COMPOSE_FILE="$COMPOSE_FILE:compose.npm-token.yml"
# SECRET_RENOVATE_NPM_TOKEN_VERSION=v1 # generate=false
## This controls the contents of the initial renovate.json file created in onboarding PRs.
RENOVATE_ONBOARDING_CONFIG='{"$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": ["config:recommended"] }'
@ -26,11 +17,11 @@ RENOVATE_ONBOARDING_CONFIG='{"$schema": "https://docs.renovatebot.com/renovate-s
#RENOVATE_AUTODISCOVER="true"
#RENOVATE_AUTODISCOVER_FILTER="my-org/*,my-org2/*"
## If not using autodiscover, you can supply a comma-separated list of repos.
## Ex: "coop-cloud/renovate,coop-cloud/keycloak"
## If not using autodiscover, you can supply a space-separated list of repos.
## Ex: "coop-cloud/renovate coop-cloud/keycloak"
RENOVATE_REPOSITORIES=""
## Here's how to set assignees for pull requests. You can also configure this in each repo's renovate.json.
#RENOVATE_ASSIGNEES="example-user1,example-user2"
#RENOVATE_ASSIGNEES="example-user1 example-user2"
## Or you could do this to set different assignees per path:
#RENOVATE_ASSIGNEES_FROM_CODE_OWNERS=true
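Review bot: The removed block took `SECRET_RENOVATE_TOKEN_VERSION=v1 # generate=false` with it and the new side adds no replacement, so the sample no longer shows how the token secret is versioned even though compose.yml in this commit now reads `${RENOVATE_TOKEN_VERSION}` and `${GITHUB_TOKEN_VERSION}`; an app created from this sample would deploy with both unset. I would keep a short secrets section, e.g. `## Secrets - the renovate token is required; the github token is optional but avoids rate limits` followed by `RENOVATE_TOKEN_VERSION=v1` and `GITHUB_TOKEN_VERSION=v1`, assuming those are the names the recipe settles on. Separately, the comment change from comma- to space-separated repositories should be checked against Renovate's own environment parsing, which to my knowledge splits array options on commas or accepts a JSON array; if nothing in this recipe re-splits the value, a space-separated list would be read as one repository name.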


@ -21,8 +21,8 @@
2. Obtain an API token for your target git forge. For example, here are the [docs for Gitea/Forgejo](https://docs.renovatebot.com/modules/platform/forgejo/).
3. Renovate also recommends [obtaining a github.com token](https://docs.renovatebot.com/mend-hosted/github-com-token/) to fetch changelogs and to avoid rate limits. If your target git forge is github, this can technically be the same token as in step 1.
4. `abra app new renovate`
5. `abra app config <app-name>` (point it to your git forge and enable any optional secrets)
6. Set the tokens obtained in steps 2 and 3: `abra app secret insert <app-name> renovate_token v1`
5. `abra app config <app-name>`
6. Set the tokens obtained in steps 2 and 3.
7. `abra app deploy <app-name>`
This recipe runs Renovate as a cronjob every hour (configurable via `CRON_SCHEDULE`) to check for dependency updates in a target set of git repositories. If it discovers a dependency that needs updating, it will create a pull request to update it.
@ -30,27 +30,3 @@ This recipe runs Renovate as a cronjob every hour (configurable via `CRON_SCHEDU
You can configure how Renovate behaves with a `renovate.json` file in each target repo. Renovate will not run on a repo unless this file exists. By default, Renovate will attempt to "[onboard](https://docs.renovatebot.com/self-hosted-configuration/#onboarding)" any new repo by creating a pull request to create the `renovate.json` file.
For more information please refer to the [Renovate documentation](https://docs.renovatebot.com/).
## Using Renovate for coop-cloud recipes
If you store your recipe .env files in git, you can use Renovate to automatically bump recipe versions. To do this, add the following to the end of your `renovate.json` (courtesy of p4u1):
```json
{
"customManagers": [
{
"customType": "regex",
"managerFilePatterns": [
"/^servers\\/.*\\/.*\\.env$/"
],
"matchStrings": [
"(RECIPE|TYPE)=(?<depName>.*?):(?<currentValue>.*.*?)"
],
"datasourceTemplate": "gitea-tags",
"depNameTemplate": "coop-cloud/{{depName}}",
"registryUrlTemplate": "https://git.coopcloud.tech/"
}
]
}
```


@ -1 +0,0 @@
export APP_ENTRYPOINT_VERSION=v1


@ -1,11 +0,0 @@
services:
app:
secrets:
- renovate_github_com_token
environment:
- RENOVATE_GITHUB_COM_TOKEN_FILE=/run/secrets/renovate_github_com_token
secrets:
renovate_github_com_token:
name: ${STACK_NAME}_renovate_github_com_token_${SECRET_GITHUB_COM_TOKEN_VERSION}
external: true


@ -1,11 +0,0 @@
services:
app:
secrets:
- renovate_npm_token
environment:
- RENOVATE_NPM_TOKEN_FILE=/run/secrets/renovate_npm_token
secrets:
renovate_npm_token:
name: ${STACK_NAME}_renovate_npm_token_${SECRET_NPM_TOKEN_VERSION}
external: true


@ -1,7 +1,10 @@
---
version: "3.8"
services:
app:
# Docs recommend using the non-full image and use a volume for caching downloaded binaries
image: "renovate/renovate:41"
# Use "full" since the non-full version installs tools at runtime
image: "renovate/renovate:full"
healthcheck:
disable: true
deploy:
@ -10,33 +13,16 @@ services:
labels:
- "swarm.cronjob.enable=true"
- "swarm.cronjob.schedule=${CRON_SCHEDULE}"
- "coop-cloud.${STACK_NAME}.version=1.1.0+41"
restart_policy:
condition: none
environment:
- RENOVATE_TOKEN_FILE=/run/secrets/renovate_token
# This is already the default, we're just being explicit since they've moved it before
- RENOVATE_BASE_DIR=/tmp/renovate
volumes:
- renovate-data:/tmp/renovate
secrets:
- renovate_token
configs:
- source: app_entrypoint
target: /docker-entrypoint.sh
mode: 0555
entrypoint: /docker-entrypoint.sh
- github_token
secrets:
renovate_token:
name: ${STACK_NAME}_renovate_token_${SECRET_RENOVATE_TOKEN_VERSION}
name: ${STACK_NAME}_renovate_token_${RENOVATE_TOKEN_VERSION}
external: true
github_token:
name: ${STACK_NAME}_github_token_${GITHUB_TOKEN_VERSION}
external: true
configs:
app_entrypoint:
name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION}
file: entrypoint.sh.tmpl
template_driver: golang
volumes:
renovate-data:
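Review bot: The renamed secret references `${STACK_NAME}_renovate_token_${RENOVATE_TOKEN_VERSION}` and `${STACK_NAME}_github_token_${GITHUB_TOKEN_VERSION}` use variables that nothing in this commit defines (the .env.sample and .drone.yml hunks remove `SECRET_RENOVATE_TOKEN_VERSION` and add nothing), so at deploy time the external names expand with an empty version suffix; and if abra's secret tooling keys off the `SECRET_<NAME>_VERSION` convention the old names followed, dropping the prefix also takes these secrets out of `abra app secret` management, which is worth confirming before this leaves the test branch. The new `github_token` secret is mounted, but no `RENOVATE_GITHUB_COM_TOKEN_FILE` variable points Renovate at it, and the same hunk removes the `app_entrypoint` config and `entrypoint:` line that turned `*_FILE` variables into environment values, so it is not clear from the diff how either `/run/secrets/*` file reaches Renovate. Finally, `renovate/renovate:full` is a floating tag while the label still says `1.1.0+41`; pin the major, e.g. `image: "renovate/renovate:41-full"` if that tag is published, so a redeploy cannot silently pull a different major release of a tool holding write tokens to the forge.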


@ -27,12 +27,8 @@ file_env() {
file_env "RENOVATE_TOKEN"
{{ if not (eq (env "SECRET_GITHUB_COM_TOKEN_VERSION") "") }}
{{ if eq (env "RENOVATE_GITHUB_COM_TOKEN") "1" }}
file_env "RENOVATE_GITHUB_COM_TOKEN"
{{ end }}
{{ if not (eq (env "SECRET_NPM_TOKEN_VERSION") "") }}
file_env "RENOVATE_NPM_TOKEN"
{{ end }}
/usr/local/sbin/renovate-entrypoint.sh "$@"
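Review bot: The new guard `{{ if eq (env "RENOVATE_GITHUB_COM_TOKEN") "1" }}` uses the same variable that `file_env` presumably populates from `RENOVATE_GITHUB_COM_TOKEN_FILE` as an on/off flag, so the enabled configuration is one where both `RENOVATE_GITHUB_COM_TOKEN=1` and the `_FILE` variable are set; if `file_env` (defined above this hunk) follows the usual docker-library shape it refuses that combination and exits, and if it does not, the literal `1` is silently overwritten, which makes the flag easy to misread as a real token value. A dedicated switch avoids both, e.g. `{{ if eq (env "GITHUB_COM_TOKEN_ENABLED") "1" }}`, kept next to the token version in the .env. Note also that the compose.yml hunk in this commit removes the `app_entrypoint` config that mounts this template, so as committed this file may no longer be rendered or executed at all.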


@ -1,7 +0,0 @@
The previous release used the "-full" renovate image which is 6 gigabytes
but doesn't install tools at runtime. Apparently the docs discourage this, so
this release moves to using the "non-full" image.
When renovate detects e.g. a golang dependency, it will now download a golang toolchain
and store it in a persistent volume. This means the total disk usage of the tool should
be much lower for most users.