chore: publish 1.0.1+41-full release

Reviewed-on: #4

.drone.yml

@@ -18,6 +18,8 @@ steps:
       RENOVATE_ENDPOINT: https://git.coopcloud.tech/api/v1/
       RENOVATE_REPOSITORIES: coop-cloud/renovate
       RENOVATE_DRY_RUN: "extract"
+      SECRET_RENOVATE_TOKEN_VERSION: v1
+      APP_ENTRYPOINT_VERSION: v1
       # TODO: Set a valid token so it can execute once against this repo.
 trigger:
   branch:

.env.sample

@@ -9,12 +9,28 @@ CRON_SCHEDULE='30 */1 * * *'
 RENOVATE_ENDPOINT="https://gitea.example.com/api/v1/"
 RENOVATE_GIT_AUTHOR="Renovate Bot <renovate@your-domain.example.com>"
 RENOVATE_PLATFORM="gitea"
+
+## Secrets - only RENOVATE_TOKEN is required for writing to your git forge.
+## The github token is recommended to fetch changelogs.
+## Other secrets may be needed to access private packages: https://docs.renovatebot.com/getting-started/private-packages/
+SECRET_RENOVATE_TOKEN_VERSION=v1 # generate=false
+# COMPOSE_FILE="$COMPOSE_FILE:compose.gh-token.yml"
+# SECRET_GITHUB_COM_TOKEN_VERSION=v1 # generate=false
+# COMPOSE_FILE="$COMPOSE_FILE:compose.npm-token.yml"
+# SECRET_RENOVATE_NPM_TOKEN_VERSION=v1 # generate=false
+
+## This controls the contents of the initial renovate.json file created in onboarding PRs.
+RENOVATE_ONBOARDING_CONFIG='{"$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": ["config:recommended"] }'
+
 ## Autodiscover repos
 #RENOVATE_AUTODISCOVER="true"
 #RENOVATE_AUTODISCOVER_FILTER="my-org/*,my-org2/*"
-## If not using autodiscover, you can supply a space-separated list of repos.
-## Ex: "coop-cloud/renovate coop-cloud/keycloak"
+
+## If not using autodiscover, you can supply a comma-separated list of repos.
+## Ex: "coop-cloud/renovate,coop-cloud/keycloak"
 RENOVATE_REPOSITORIES=""
-RENOVATE_TOKEN="token for your git forge"
-RENOVATE_GITHUB_COM_TOKEN="token-for-github.com"
-RENOVATE_ONBOARDING_CONFIG='{"$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": ["config:recommended"] }'
+
+## Here's how to set assignees for pull requests. You can also configure this in each repo's renovate.json.
+#RENOVATE_ASSIGNEES="example-user1,example-user2"
+## Or you could do this to set different assignees per path:
+#RENOVATE_ASSIGNEES_FROM_CODE_OWNERS=true

README.md

@@ -21,8 +21,8 @@
 2. Obtain an API token for your target git forge. For example, here are the [docs for Gitea/Forgejo](https://docs.renovatebot.com/modules/platform/forgejo/).
 3. Renovate also recommends [obtaining a github.com token](https://docs.renovatebot.com/mend-hosted/github-com-token/) to fetch changelogs and to avoid rate limits. If your target git forge is github, this can technically be the same token as in step 1.
 4. `abra app new renovate`
-5. `abra app config <app-name>`
-6. Set the tokens obtained in steps 2 and 3.
+5. `abra app config <app-name>` (point it to your git forge and enable any optional secrets)
+6. Set the tokens obtained in steps 2 and 3: `abra app secret insert <app-name> renovate_token v1`
 7. `abra app deploy <app-name>`
 
 This recipe runs Renovate as a cronjob every hour (configurable via `CRON_SCHEDULE`) to check for dependency updates in a target set of git repositories. If it discovers a dependency that needs updating, it will create a pull request to update it.

abra.sh

@@ -0,0 +1 @@
+export APP_ENTRYPOINT_VERSION=v1

compose.gh-token.yml

@@ -0,0 +1,11 @@
+services:
+  app:
+    secrets:
+      - renovate_github_com_token
+    environment:
+      - RENOVATE_GITHUB_COM_TOKEN_FILE=/run/secrets/renovate_github_com_token
+
+secrets:
+  renovate_github_com_token:
+    name: ${STACK_NAME}_renovate_github_com_token_${SECRET_GITHUB_COM_TOKEN_VERSION}
+    external: true

compose.npm-token.yml

@@ -0,0 +1,11 @@
+services:
+  app:
+    secrets:
+      - renovate_npm_token
+    environment:
+      - RENOVATE_NPM_TOKEN_FILE=/run/secrets/renovate_npm_token
+
+secrets:
+  renovate_npm_token:
+    name: ${STACK_NAME}_renovate_npm_token_${SECRET_NPM_TOKEN_VERSION}
+    external: true

compose.yml

@@ -1,10 +1,7 @@
----
-version: "3.8"
-
 services:
   app:
     # Use "full" since the non-full version installs tools at runtime
-    image: "renovate/renovate:full"
+    image: "renovate/renovate:41-full"
     healthcheck:
       disable: true
     deploy:
@@ -13,5 +10,26 @@ services:
       labels:
         - "swarm.cronjob.enable=true"
         - "swarm.cronjob.schedule=${CRON_SCHEDULE}"
+        - "coop-cloud.${STACK_NAME}.version=1.0.1+41-full"
       restart_policy:
         condition: none
+    environment:
+      - RENOVATE_TOKEN_FILE=/run/secrets/renovate_token
+    secrets:
+      - renovate_token
+    configs:
+      - source: app_entrypoint
+        target: /docker-entrypoint.sh
+        mode: 0555
+    entrypoint: /docker-entrypoint.sh
+
+secrets:
+  renovate_token:
+    name: ${STACK_NAME}_renovate_token_${SECRET_RENOVATE_TOKEN_VERSION}
+    external: true
+
+configs:
+  app_entrypoint:
+    name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang

entrypoint.sh.tmpl

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -e
+
+# Inspiration: https://git.coopcloud.tech/coop-cloud/peertube/src/branch/main/entrypoint.sh.tmpl
+file_env() {
+   local var="$1"
+   local fileVar="${var}_FILE"
+   local def="${2:-}"
+
+   if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+      echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+      exit 1
+   fi
+
+   local val="$def"
+
+   if [ "${!var:-}" ]; then
+      val="${!var}"
+   elif [ "${!fileVar:-}" ]; then
+      val="$(< "${!fileVar}")"
+   fi
+
+   export "$var"="$val"
+   unset "$fileVar"
+}
+
+file_env "RENOVATE_TOKEN"
+
+{{ if not (eq (env "SECRET_GITHUB_COM_TOKEN_VERSION") "") }}
+file_env "RENOVATE_GITHUB_COM_TOKEN"
+{{ end }}
+
+{{ if not (eq (env "SECRET_NPM_TOKEN_VERSION") "") }}
+file_env "RENOVATE_NPM_TOKEN"
+{{ end }}
+
+/usr/local/sbin/renovate-entrypoint.sh "$@"