test: Fix CI?

Reviewed-on: #5
Reviewed-by: decentral1se <decentral1se@noreply.git.coopcloud.tech>
Reviewed-by: p4u1 <p4u1@noreply.git.coopcloud.tech>

.drone.yml

@@ -8,6 +8,7 @@ steps:
       host: swarm-test.autonomic.zone
       stack: renovate
       purge: true
+      generate_secrets: true
       deploy_key:
         from_secret: drone_ssh_swarm_test
       networks:
@@ -18,6 +19,8 @@ steps:
       RENOVATE_ENDPOINT: https://git.coopcloud.tech/api/v1/
       RENOVATE_REPOSITORIES: coop-cloud/renovate
       RENOVATE_DRY_RUN: "extract"
+      SECRET_RENOVATE_TOKEN_VERSION: v1
+      APP_ENTRYPOINT_VERSION: v1
       # TODO: Set a valid token so it can execute once against this repo.
 trigger:
   branch:

.env.sample

@@ -9,12 +9,28 @@ CRON_SCHEDULE='30 */1 * * *'
 RENOVATE_ENDPOINT="https://gitea.example.com/api/v1/"
 RENOVATE_GIT_AUTHOR="Renovate Bot <renovate@your-domain.example.com>"
 RENOVATE_PLATFORM="gitea"
+
+## Secrets - only RENOVATE_TOKEN is required for writing to your git forge.
+## The github token is recommended to fetch changelogs.
+## Other secrets may be needed to access private packages: https://docs.renovatebot.com/getting-started/private-packages/
+SECRET_RENOVATE_TOKEN_VERSION=v1 # generate=false
+# COMPOSE_FILE="$COMPOSE_FILE:compose.gh-token.yml"
+# SECRET_GITHUB_COM_TOKEN_VERSION=v1 # generate=false
+# COMPOSE_FILE="$COMPOSE_FILE:compose.npm-token.yml"
+# SECRET_RENOVATE_NPM_TOKEN_VERSION=v1 # generate=false
+
+## This controls the contents of the initial renovate.json file created in onboarding PRs.
+RENOVATE_ONBOARDING_CONFIG='{"$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": ["config:recommended"] }'
+
 ## Autodiscover repos
 #RENOVATE_AUTODISCOVER="true"
 #RENOVATE_AUTODISCOVER_FILTER="my-org/*,my-org2/*"
-## If not using autodiscover, you can supply a space-separated list of repos.
-## Ex: "coop-cloud/renovate coop-cloud/keycloak"
+
+## If not using autodiscover, you can supply a comma-separated list of repos.
+## Ex: "coop-cloud/renovate,coop-cloud/keycloak"
 RENOVATE_REPOSITORIES=""
-RENOVATE_TOKEN="token for your git forge"
-RENOVATE_GITHUB_COM_TOKEN="token-for-github.com"
-RENOVATE_ONBOARDING_CONFIG='{"$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": ["config:recommended"] }'
+
+## Here's how to set assignees for pull requests. You can also configure this in each repo's renovate.json.
+#RENOVATE_ASSIGNEES="example-user1,example-user2"
+## Or you could do this to set different assignees per path:
+#RENOVATE_ASSIGNEES_FROM_CODE_OWNERS=true

README.md

@@ -21,8 +21,8 @@
 2. Obtain an API token for your target git forge. For example, here are the [docs for Gitea/Forgejo](https://docs.renovatebot.com/modules/platform/forgejo/).
 3. Renovate also recommends [obtaining a github.com token](https://docs.renovatebot.com/mend-hosted/github-com-token/) to fetch changelogs and to avoid rate limits. If your target git forge is github, this can technically be the same token as in step 1.
 4. `abra app new renovate`
-5. `abra app config <app-name>`
-6. Set the tokens obtained in steps 2 and 3.
+5. `abra app config <app-name>` (point it to your git forge and enable any optional secrets)
+6. Set the tokens obtained in steps 2 and 3: `abra app secret insert <app-name> renovate_token v1`
 7. `abra app deploy <app-name>`
 
 This recipe runs Renovate as a cronjob every hour (configurable via `CRON_SCHEDULE`) to check for dependency updates in a target set of git repositories. If it discovers a dependency that needs updating, it will create a pull request to update it.
@@ -30,3 +30,27 @@ This recipe runs Renovate as a cronjob every hour (configurable via `CRON_SCHEDU
 You can configure how Renovate behaves with a `renovate.json` file in each target repo. Renovate will not run on a repo unless this file exists. By default, Renovate will attempt to "[onboard](https://docs.renovatebot.com/self-hosted-configuration/#onboarding)" any new repo by creating a pull request to create the `renovate.json` file.
 
 For more information please refer to the [Renovate documentation](https://docs.renovatebot.com/).
+
+
+## Using Renovate for coop-cloud recipes
+
+If you store your recipe .env files in git, you can use Renovate to automatically bump recipe versions. To do this, add the following to the end of your `renovate.json` (courtesy of p4u1):
+
+```json
+{
+  "customManagers": [
+    {
+      "customType": "regex",
+      "managerFilePatterns": [
+        "/^servers\\/.*\\/.*\\.env$/"
+      ],
+      "matchStrings": [
+        "(RECIPE|TYPE)=(?<depName>.*?):(?<currentValue>.*.*?)"
+      ],
+      "datasourceTemplate": "gitea-tags",
+      "depNameTemplate": "coop-cloud/{{depName}}",
+      "registryUrlTemplate": "https://git.coopcloud.tech/"
+    }
+  ]
+}
+```

abra.sh

@@ -0,0 +1 @@
+export APP_ENTRYPOINT_VERSION=v1

compose.gh-token.yml

@@ -0,0 +1,11 @@
+services:
+  app:
+    secrets:
+      - renovate_github_com_token
+    environment:
+      - RENOVATE_GITHUB_COM_TOKEN_FILE=/run/secrets/renovate_github_com_token
+
+secrets:
+  renovate_github_com_token:
+    name: ${STACK_NAME}_renovate_github_com_token_${SECRET_GITHUB_COM_TOKEN_VERSION}
+    external: true

compose.npm-token.yml

@@ -0,0 +1,11 @@
+services:
+  app:
+    secrets:
+      - renovate_npm_token
+    environment:
+      - RENOVATE_NPM_TOKEN_FILE=/run/secrets/renovate_npm_token
+
+secrets:
+  renovate_npm_token:
+    name: ${STACK_NAME}_renovate_npm_token_${SECRET_NPM_TOKEN_VERSION}
+    external: true

compose.yml

@@ -1,10 +1,7 @@
----
-version: "3.8"
-
 services:
   app:
-    # Use "full" since the non-full version installs tools at runtime
-    image: "renovate/renovate:full"
+    # Docs recommend using the non-full image and use a volume for caching downloaded binaries
+    image: "renovate/renovate:41"
     healthcheck:
       disable: true
     deploy:
@@ -13,5 +10,33 @@ services:
       labels:
         - "swarm.cronjob.enable=true"
         - "swarm.cronjob.schedule=${CRON_SCHEDULE}"
+        - "coop-cloud.${STACK_NAME}.version=1.1.0+41"
       restart_policy:
         condition: none
+    environment:
+      - RENOVATE_TOKEN_FILE=/run/secrets/renovate_token
+      # This is already the default, we're just being explicit since they've moved it before
+      - RENOVATE_BASE_DIR=/tmp/renovate
+    volumes:
+      - renovate-data:/tmp/renovate
+    secrets:
+      - renovate_token
+    configs:
+      - source: app_entrypoint
+        target: /docker-entrypoint.sh
+        mode: 0555
+    entrypoint: /docker-entrypoint.sh
+
+secrets:
+  renovate_token:
+    name: ${STACK_NAME}_renovate_token_${SECRET_RENOVATE_TOKEN_VERSION}
+    external: true
+
+configs:
+  app_entrypoint:
+    name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang
+
+volumes:
+  renovate-data:

entrypoint.sh.tmpl

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -e
+
+# Inspiration: https://git.coopcloud.tech/coop-cloud/peertube/src/branch/main/entrypoint.sh.tmpl
+file_env() {
+   local var="$1"
+   local fileVar="${var}_FILE"
+   local def="${2:-}"
+
+   if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+      echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+      exit 1
+   fi
+
+   local val="$def"
+
+   if [ "${!var:-}" ]; then
+      val="${!var}"
+   elif [ "${!fileVar:-}" ]; then
+      val="$(< "${!fileVar}")"
+   fi
+
+   export "$var"="$val"
+   unset "$fileVar"
+}
+
+file_env "RENOVATE_TOKEN"
+
+{{ if not (eq (env "SECRET_GITHUB_COM_TOKEN_VERSION") "") }}
+file_env "RENOVATE_GITHUB_COM_TOKEN"
+{{ end }}
+
+{{ if not (eq (env "SECRET_NPM_TOKEN_VERSION") "") }}
+file_env "RENOVATE_NPM_TOKEN"
+{{ end }}
+
+/usr/local/sbin/renovate-entrypoint.sh "$@"

release/1.1.0+41

@@ -0,0 +1,7 @@
+The previous release used the "-full" renovate image which is 6 gigabytes
+but doesn't install tools at runtime. Apparently the docs discourage this, so
+this release moves to using the "non-full" image.
+
+When renovate detects e.g. a golang dependency, it will now download a golang toolchain
+and store it in a persistent volume. This means the total disk usage of the tool should
+be much lower for most users.