From dcf08cb12e13d87930b96d8346aab09ddcb74153 Mon Sep 17 00:00:00 2001
From: cyrnel
Date: Thu, 11 Sep 2025 22:43:54 -0400
Subject: [PATCH 1/6] feat: prepare for v1 release

---
 .drone.yml | 40 ++++++++++++++++++++++++++++++++++++++++
 .env.sample | 20 ++++++++++++++++++++
 README.md | 32 ++++++++++++++++++++++++--------
 abra.sh | 0
 compose.yml | 23 +++--------------------
 config.js.tmpl | 15 ---------------
 release/.git-keep-me | 0
 7 files changed, 87 insertions(+), 43 deletions(-)
 create mode 100644 .env.sample
 create mode 100755 abra.sh
 delete mode 100644 config.js.tmpl
 create mode 100644 release/.git-keep-me

diff --git a/.drone.yml b/.drone.yml
index e69de29..d920891 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -0,0 +1,40 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+ - name: deployment
+ image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+ settings:
+ host: swarm-test.autonomic.zone
+ stack: renovate
+ purge: true
+ deploy_key:
+ from_secret: drone_ssh_swarm_test
+ networks:
+ - proxy
+ environment:
+ STACK_NAME: renovate
+ CRON_SCHEDULE: '*/1 * * * *'
+ RENOVATE_ENDPOINT: https://git.coopcloud.tech/api/v1/
+ RENOVATE_REPOSITORIES: coop-cloud/renovate
+ RENOVATE_DRY_RUN: "extract"
+ # TODO: Set a valid token so it can execute once against this repo.
+trigger:
+ branch:
+ - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+ - name: release a new version
+ image: plugins/downstream
+ settings:
+ server: https://build.coopcloud.tech
+ token:
+ from_secret: drone_abra-bot_token
+ fork: true
+ repositories:
+ - toolshed/auto-recipes-catalogue-json
+
+trigger:
+ event: tag
diff --git a/.env.sample b/.env.sample
new file mode 100644
index 0000000..33c2033
--- /dev/null
+++ b/.env.sample
@@ -0,0 +1,20 @@
+TYPE=renovate
+
+COMPOSE_FILE="compose.yml"
+
+CRON_SCHEDULE='30 */1 * * *'
+
+## See https://docs.renovatebot.com/self-hosted-configuration/
+## This example is for Gitea
+RENOVATE_ENDPOINT="https://gitea.example.com/api/v1/"
+RENOVATE_GIT_AUTHOR="Renovate Bot "
+RENOVATE_PLATFORM="gitea"
+## Autodiscover repos
+#RENOVATE_AUTODISCOVER="true"
+#RENOVATE_AUTODISCOVER_FILTER="my-org/*,my-org2/*"
+## If not using autodiscover, you can supply a space-separated list of repos.
+## Ex: "coop-cloud/renovate coop-cloud/keycloak"
+RENOVATE_REPOSITORIES=""
+RENOVATE_TOKEN="token for your git forge"
+RENOVATE_GITHUB_COM_TOKEN="token-for-github.com"
+RENOVATE_ONBOARDING_CONFIG='{"$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": ["config:recommended"] }'
diff --git a/README.md b/README.md
index 41b2bb7..07c50a0 100644
--- a/README.md
+++ b/README.md
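Review bot: `RENOVATE_GIT_AUTHOR="Renovate Bot "` carries no address part, and Renovate expects `gitAuthor` in `Name <email>` form and, as far as I recall, refuses to start on an author it cannot parse, so the sample as shown would fail validation. If the `<...>` was lost in rendering rather than in the file, disregard this; otherwise use a marked placeholder such as `RENOVATE_GIT_AUTHOR="Renovate Bot <renovate@example.com>"`.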
@@ -1,16 +1,32 @@
 # renovate
-> https://renovate.whitesourcesoftware.com
+> Automated dependency updates. Multi-platform and multi-language.
 * **Category**: Utilities
-* **Status**:
-* **Image**:
-* **Healthcheck**:
-* **Backups**:
-* **Email**:
-* **Tests**:
-* **SSO**:
+* **Status**: 3
+* **Image**: [`renovate/renovate`](https://hub.docker.com/r/renovate/renovate), 4, upstream
+* **Healthcheck**: n/a
+* **Backups**: n/a
+* **Email**: n/a
+* **Tests**: 2
+* **SSO**: n/a
+
+## Quick start
+
+1. First deploy [swarm-cronjob](https://recipes.coopcloud.tech/swarm-cronjob)
+2. Obtain an API token for your target git forge. For example, here are the [docs for Gitea/Forgejo](https://docs.renovatebot.com/modules/platform/forgejo/).
+3. Renovate also recommends [obtaining a github.com token](https://docs.renovatebot.com/mend-hosted/github-com-token/) to fetch changelogs and to avoid rate limits. If your target git forge is github, this can technically be the same token as in step 1.
+4. `abra app new renovate`
+5. `abra app config `
+6. Set the tokens obtained in steps 2 and 3.
+7. `abra app deploy `
+
+This recipe runs Renovate as a cronjob every hour (configurable via `CRON_SCHEDULE`) to check for dependency updates in a target set of git repositories. If it discovers a dependency that needs updating, it will create a pull request to update it.
+
+You can configure how Renovate behaves with a `renovate.json` file in each target repo. Renovate will not run on a repo unless this file exists. By default, Renovate will attempt to "[onboard](https://docs.renovatebot.com/self-hosted-configuration/#onboarding)" any new repo by creating a pull request to create the `renovate.json` file.
+
+For more information please refer to the [Renovate documentation](https://docs.renovatebot.com/).
diff --git a/abra.sh b/abra.sh
new file mode 100755
index 0000000..e69de29
diff --git a/compose.yml b/compose.yml
index a54a4ea..c895e6c 100644
--- a/compose.yml
+++ b/compose.yml
@@ -3,32 +3,15 @@ version: "3.8"
 services:
 app:
- image: "renovate/renovate:slim"
- configs:
- - source: config_js
- target: /usr/src/app/config.js
- secrets:
- - api_token
+ # Use "full" since the non-full version installs tools at runtime
+ image: "renovate/renovate:full"
 healthcheck:
 disable: true
- volumes:
- - "/var/run/docker.sock:/var/run/docker.sock"
 deploy:
 mode: replicated
 replicas: 0
 labels:
 - "swarm.cronjob.enable=true"
- - "swarm.cronjob.schedule=*/1 * * * *"
+ - "swarm.cronjob.schedule=${CRON_SCHEDULE}"
 restart_policy:
 condition: none
-
-configs:
- config_js:
- name: config_js_v1
- file: config.js.tmpl
- template_driver: golang
-
-secrets:
- api_token:
- name: api_token_v1
- external: true
diff --git a/config.js.tmpl b/config.js.tmpl
deleted file mode 100644
index a96fc56..0000000
--- a/config.js.tmpl
+++ /dev/null
@@ -1,15 +0,0 @@
-module.exports = {
- endpoint: "https://TODO.com/api/v1/",
- token: "{{ secret "api-token" }}",
- platform: "gitea",
- logLevel: "error",
- unicodeEmoji: false,
- onboarding: true,
- assignees: [],
- labels: ["renovate", "dependencies", "automated"],
- onboardingConfig: {
- extends: ["config:base"],
- },
- repositories: [
- ]
-};
diff --git a/release/.git-keep-me b/release/.git-keep-me
new file mode 100644
index 0000000..e69de29
-- 
2.49.0

From 22d5d5e5781d78609d8b50902bf96f29fc45fcd8 Mon Sep 17 00:00:00 2001
From: cyrnel
Date: Sun, 14 Sep 2025 10:41:15 -0400
Subject: [PATCH 2/6] feat: reimplement docker secrets

---
 .drone.yml | 2 ++
 .env.sample | 22 +++++++++++++++++++---
 README.md | 2 +-
 abra.sh | 1 +
 compose.gh-token.yml | 9 +++++++++
 compose.npm-token.yml | 9 +++++++++
 compose.yml | 18 ++++++++++++++++++
 entrypoint.sh.tmpl | 38 ++++++++++++++++++++++++++++++++++++++
 8 files changed, 97 insertions(+), 4 deletions(-)
 create mode 100644 compose.gh-token.yml
 create mode 100644 compose.npm-token.yml
 create mode 100644 entrypoint.sh.tmpl

diff --git a/.drone.yml b/.drone.yml
index d920891..648c3a7 100644
--- a/.drone.yml
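Review bot: `image: "renovate/renovate:full"` is a floating tag, so every scheduled run can pull a new Renovate major with no review, which sits oddly in a recipe whose purpose is controlled dependency updates; pin a release tag (`image: "renovate/renovate:<VERSION>-full"`, version placeholder) and let the tooling propose bumps. The README in this same patch marks the image as tracking `upstream`, which reads as an intent to follow released versions rather than a moving tag. Dropping the `/var/run/docker.sock` mount and the runtime tool install in favour of the `full` image is the right direction; the remaining point is only the pin.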
+++ b/.drone.yml
@@ -18,6 +18,8 @@ steps:
 RENOVATE_ENDPOINT: https://git.coopcloud.tech/api/v1/
 RENOVATE_REPOSITORIES: coop-cloud/renovate
 RENOVATE_DRY_RUN: "extract"
+ SECRET_RENOVATE_TOKEN_VERSION: v1
+ APP_ENTRYPOINT_VERSION: v1
 # TODO: Set a valid token so it can execute once against this repo.
 trigger:
 branch:
diff --git a/.env.sample b/.env.sample
index 33c2033..3a9c55c 100644
--- a/.env.sample
+++ b/.env.sample
@@ -9,12 +9,28 @@ CRON_SCHEDULE='30 */1 * * *'
 RENOVATE_ENDPOINT="https://gitea.example.com/api/v1/"
 RENOVATE_GIT_AUTHOR="Renovate Bot "
 RENOVATE_PLATFORM="gitea"
+
+## Secrets - only RENOVATE_TOKEN is required for writing to your git forge.
+## The github token is recommended to fetch changelogs.
+## Other secrets may be needed to access private packages: https://docs.renovatebot.com/getting-started/private-packages/
+SECRET_RENOVATE_TOKEN_VERSION=v1 # generate=false
+# COMPOSE_FILE="$COMPOSE_FILE:compose.gh-token.yml"
+# SECRET_GITHUB_COM_TOKEN_VERSION=v1 # generate=false
+# COMPOSE_FILE="$COMPOSE_FILE:compose.npm-token.yml"
+# SECRET_RENOVATE_NPM_TOKEN_VERSION=v1 # generate=false
+
+## This controls the contents of the initial renovate.json file created in onboarding PRs.
+RENOVATE_ONBOARDING_CONFIG='{"$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": ["config:recommended"] }'
+
 ## Autodiscover repos
 #RENOVATE_AUTODISCOVER="true"
 #RENOVATE_AUTODISCOVER_FILTER="my-org/*,my-org2/*"
+
 ## If not using autodiscover, you can supply a space-separated list of repos.
 ## Ex: "coop-cloud/renovate coop-cloud/keycloak"
 RENOVATE_REPOSITORIES=""
-RENOVATE_TOKEN="token for your git forge"
-RENOVATE_GITHUB_COM_TOKEN="token-for-github.com"
-RENOVATE_ONBOARDING_CONFIG='{"$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": ["config:recommended"] }'
+
+## Here's how to set assignees for pull requests. You can also configure this in each repo's renovate.json.
+#RENOVATE_ASSIGNEES="example-user1 example-user2"
+## Or you could do this to set different assignees per path:
+#RENOVATE_ASSIGNEES_FROM_CODE_OWNERS=true
diff --git a/README.md b/README.md
index 07c50a0..75a8446 100644
--- a/README.md
+++ b/README.md
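Review bot: The sample line `# SECRET_RENOVATE_NPM_TOKEN_VERSION=v1 # generate=false` names a variable nothing else in the series reads: compose.npm-token.yml (this patch and again in patch 4) builds the external secret name from `${SECRET_NPM_TOKEN_VERSION}` and the entrypoint template in patch 5 guards on `SECRET_NPM_TOKEN_VERSION`, so an operator who uncomments the sample ends up with a secret name ending in `_renovate_npm_token_` and a deploy that cannot find it. After patch 4 the secret is `renovate_npm_token`, and abra's convention, as far as I know, is `SECRET_<secret_name>_VERSION`, so the sample is the one to keep; change the consumers to `name: ${STACK_NAME}_renovate_npm_token_${SECRET_RENOVATE_NPM_TOKEN_VERSION}` and `{{ if not (eq (env "SECRET_RENOVATE_NPM_TOKEN_VERSION") "") }}`. The github pair has the same drift after patch 4 (`renovate_github_com_token` keyed by `SECRET_GITHUB_COM_TOKEN_VERSION`), though there the sample, compose and template at least agree with each other.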
@@ -22,7 +22,7 @@
 3. Renovate also recommends [obtaining a github.com token](https://docs.renovatebot.com/mend-hosted/github-com-token/) to fetch changelogs and to avoid rate limits. If your target git forge is github, this can technically be the same token as in step 1.
 4. `abra app new renovate`
 5. `abra app config `
-6. Set the tokens obtained in steps 2 and 3.
+6. Set the tokens obtained in steps 2 and 3: `abra app secret insert renovate_token v1`
 7. `abra app deploy `
 This recipe runs Renovate as a cronjob every hour (configurable via `CRON_SCHEDULE`) to check for dependency updates in a target set of git repositories. If it discovers a dependency that needs updating, it will create a pull request to update it.
diff --git a/abra.sh b/abra.sh
index e69de29..7c5fe57 100755
--- a/abra.sh
+++ b/abra.sh
@@ -0,0 +1 @@
+export APP_ENTRYPOINT_VERSION=v1
diff --git a/compose.gh-token.yml b/compose.gh-token.yml
new file mode 100644
index 0000000..899de99
--- /dev/null
+++ b/compose.gh-token.yml
@@ -0,0 +1,9 @@
+services:
+ app:
+ secrets:
+ - github_token
+
+secrets:
+ github_com_token:
+ name: ${STACK_NAME}_github_com_token_${SECRET_GITHUB_COM_TOKEN_VERSION}
+ external: true
diff --git a/compose.npm-token.yml b/compose.npm-token.yml
new file mode 100644
index 0000000..9a4d82f
--- /dev/null
+++ b/compose.npm-token.yml
@@ -0,0 +1,9 @@
+services:
+ app:
+ secrets:
+ - npm_token
+
+secrets:
+ npm_token:
+ name: ${STACK_NAME}_npm_token_${SECRET_NPM_TOKEN_VERSION}
+ external: true
diff --git a/compose.yml b/compose.yml
index c895e6c..77f214d 100644
--- a/compose.yml
+++ b/compose.yml
@@ -15,3 +15,21 @@ services:
 - "swarm.cronjob.schedule=${CRON_SCHEDULE}"
 restart_policy:
 condition: none
+ secrets:
+ - renovate_token
+ configs:
+ - source: app_entrypoint
+ target: /docker-entrypoint.sh
+ mode: 0555
+ entrypoint: /docker-entrypoint.sh
+
+secrets:
+ renovate_token:
+ name: ${STACK_NAME}_renovate_token_${SECRET_RENOVATE_TOKEN_VERSION}
+ external: true
+
+configs:
+ app_entrypoint:
+ name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION}
+ file: entrypoint.sh.tmpl
+ template_driver: golang
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
new file mode 100644
index 0000000..669933f
--- /dev/null
+++ b/entrypoint.sh.tmpl
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -e
+
+# Inspiration: https://git.coopcloud.tech/coop-cloud/peertube/src/branch/main/entrypoint.sh.tmpl
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+
+ local val="$def"
+
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+file_env "RENOVATE_TOKEN"
+
+{{ if not (eq (env "SECRET_GITHUB_TOKEN_VERSION") "") }}
+file_env "RENOVATE_GITHUB_COM_TOKEN"
+{{ end }}
+
+{{ if not (eq (env "RENOVATE_GITHUB_COM_TOKEN") "") }}
+file_env "RENOVATE_GITHUB_COM_TOKEN"
+{{ end }}
+
+/usr/local/sbin/renovate-entrypoint.sh "$@"
-- 
2.49.0

From 652be03c06c9b889d5ff54d4ab9cbaea4c47524f Mon Sep 17 00:00:00 2001
From: cyrnel
Date: Sun, 14 Sep 2025 10:45:15 -0400
Subject: [PATCH 3/6] fix: Remove compose version; it's deprecated

---
 compose.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/compose.yml b/compose.yml
index 77f214d..a445f36 100644
--- a/compose.yml
+++ b/compose.yml
@@ -1,6 +1,3 @@
----
-version: "3.8"
-
 services:
 app:
 # Use "full" since the non-full version installs tools at runtime
-- 
2.49.0
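Review bot: The final line of entrypoint.sh.tmpl, `/usr/local/sbin/renovate-entrypoint.sh "$@"`, runs the upstream entrypoint as a child of this bash wrapper rather than replacing it, so bash stays PID 1 and a SIGTERM from `docker stop` reaches the wrapper, which does not forward it, while Renovate is likely to keep running until it is killed; `exec /usr/local/sbin/renovate-entrypoint.sh "$@"` fixes this, and the variables exported by `file_env` survive the exec. This assumes the upstream image does not already supply an init process, which is not visible here. The `file_env` helper itself looks sound: it refuses to run when both the plain and `_FILE` variables are set and unsets the `_FILE` path after reading it.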
From b209b6514a61d34072848193d30c5ed9c7802413 Mon Sep 17 00:00:00 2001
From: cyrnel
Date: Sun, 14 Sep 2025 11:09:13 -0400
Subject: [PATCH 4/6] fix: sync secret names and env vars

---
 compose.gh-token.yml | 6 +++---
 compose.npm-token.yml | 6 +++---
 entrypoint.sh.tmpl | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/compose.gh-token.yml b/compose.gh-token.yml
index 899de99..574574d 100644
--- a/compose.gh-token.yml
+++ b/compose.gh-token.yml
@@ -1,9 +1,9 @@
 services:
 app:
 secrets:
- - github_token
+ - renovate_github_com_token
 secrets:
- github_com_token:
- name: ${STACK_NAME}_github_com_token_${SECRET_GITHUB_COM_TOKEN_VERSION}
+ renovate_github_com_token:
+ name: ${STACK_NAME}_renovate_github_com_token_${SECRET_GITHUB_COM_TOKEN_VERSION}
 external: true
diff --git a/compose.npm-token.yml b/compose.npm-token.yml
index 9a4d82f..a4e46cb 100644
--- a/compose.npm-token.yml
+++ b/compose.npm-token.yml
@@ -1,9 +1,9 @@
 services:
 app:
 secrets:
- - npm_token
+ - renovate_npm_token
 secrets:
- npm_token:
- name: ${STACK_NAME}_npm_token_${SECRET_NPM_TOKEN_VERSION}
+ renovate_npm_token:
+ name: ${STACK_NAME}_renovate_npm_token_${SECRET_NPM_TOKEN_VERSION}
 external: true
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index 669933f..8fcc960 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@@ -27,11 +27,11 @@ file_env() {
 file_env "RENOVATE_TOKEN"
-{{ if not (eq (env "SECRET_GITHUB_TOKEN_VERSION") "") }}
+{{ if not (eq (env "SECRET_GITHUB_COM_TOKEN_VERSION") "") }}
 file_env "RENOVATE_GITHUB_COM_TOKEN"
 {{ end }}
-{{ if not (eq (env "RENOVATE_GITHUB_COM_TOKEN") "") }}
+{{ if not (eq (env "SECRET_GITHUB_COM_TOKEN") "") }}
 file_env "RENOVATE_GITHUB_COM_TOKEN"
 {{ end }}
-- 
2.49.0

From 2b5c94c1297faa73f9dbf25c3c7cf33679c653c3 Mon Sep 17 00:00:00 2001
From: cyrnel
Date: Sun, 14 Sep 2025 12:06:46 -0400
Subject: [PATCH 5/6] fix: add secret file paths to env vars

---
 compose.gh-token.yml | 2 ++
 compose.npm-token.yml | 2 ++
 compose.yml | 2 ++
 entrypoint.sh.tmpl | 4 ++--
 4 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/compose.gh-token.yml b/compose.gh-token.yml
index 574574d..d7b34cf 100644
--- a/compose.gh-token.yml
+++ b/compose.gh-token.yml
@@ -2,6 +2,8 @@ services:
 app:
 secrets:
 - renovate_github_com_token
+ environment:
+ - RENOVATE_GITHUB_COM_TOKEN_FILE=/run/secrets/renovate_github_com_token
 secrets:
 renovate_github_com_token:
diff --git a/compose.npm-token.yml b/compose.npm-token.yml
index a4e46cb..047e0ec 100644
--- a/compose.npm-token.yml
+++ b/compose.npm-token.yml
@@ -2,6 +2,8 @@ services:
 app:
 secrets:
 - renovate_npm_token
+ environment:
+ - RENOVATE_NPM_TOKEN_FILE=/run/secrets/renovate_npm_token
 secrets:
 renovate_npm_token:
diff --git a/compose.yml b/compose.yml
index a445f36..ed09237 100644
--- a/compose.yml
+++ b/compose.yml
@@ -12,6 +12,8 @@ services:
 - "swarm.cronjob.schedule=${CRON_SCHEDULE}"
 restart_policy:
 condition: none
+ environment:
+ - RENOVATE_TOKEN_FILE=/run/secrets/renovate_token
 secrets:
 - renovate_token
 configs:
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index 8fcc960..96c205f 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@@ -31,8 +31,8 @@ file_env "RENOVATE_TOKEN"
 file_env "RENOVATE_GITHUB_COM_TOKEN"
 {{ end }}
-{{ if not (eq (env "SECRET_GITHUB_COM_TOKEN") "") }}
-file_env "RENOVATE_GITHUB_COM_TOKEN"
+{{ if not (eq (env "SECRET_NPM_TOKEN_VERSION") "") }}
+file_env "RENOVATE_NPM_TOKEN"
 {{ end }}
 /usr/local/sbin/renovate-entrypoint.sh "$@"
-- 
2.49.0

From b06dde0783f26a6ba374ecb7b97c593ed9aeb7d1 Mon Sep 17 00:00:00 2001
From: cyrnel
Date: Sun, 14 Sep 2025 12:53:06 -0400
Subject: [PATCH 6/6] fix: lists are comma-separated

---
 .env.sample | 6 +++---
 README.md | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
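Review bot: The guards in the entrypoint hunk, `{{ if not (eq (env "SECRET_NPM_TOKEN_VERSION") "") }}` and the github one above it, test variables that are never placed in the container's environment: Docker's golang config template `env` function reads the service's environment, and the `environment:` entries this patch adds are only the `*_FILE` paths. Unless abra injects the whole .env into the service (not visible in this series), both guards are always false and the optional tokens are never loaded even when the secret is mounted. Guarding on the variable that is actually in the container, `{{ if not (eq (env "RENOVATE_NPM_TOKEN_FILE") "") }}`, or calling `file_env` unconditionally if an exported empty `RENOVATE_NPM_TOKEN` is acceptable to Renovate, removes the dependency on deploy-time variables. The same applies to the `SECRET_GITHUB_COM_TOKEN_VERSION` guard introduced in patch 4.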
diff --git a/.env.sample b/.env.sample
index 3a9c55c..6f3d185 100644
--- a/.env.sample
+++ b/.env.sample
@@ -26,11 +26,11 @@ RENOVATE_ONBOARDING_CONFIG='{"$schema": "https://docs.renovatebot.com/renovate-s
 #RENOVATE_AUTODISCOVER="true"
 #RENOVATE_AUTODISCOVER_FILTER="my-org/*,my-org2/*"
-## If not using autodiscover, you can supply a space-separated list of repos.
-## Ex: "coop-cloud/renovate coop-cloud/keycloak"
+## If not using autodiscover, you can supply a comma-separated list of repos.
+## Ex: "coop-cloud/renovate,coop-cloud/keycloak"
 RENOVATE_REPOSITORIES=""
 ## Here's how to set assignees for pull requests. You can also configure this in each repo's renovate.json.
-#RENOVATE_ASSIGNEES="example-user1 example-user2"
+#RENOVATE_ASSIGNEES="example-user1,example-user2"
 ## Or you could do this to set different assignees per path:
 #RENOVATE_ASSIGNEES_FROM_CODE_OWNERS=true
diff --git a/README.md b/README.md
index 75a8446..321bd36 100644
--- a/README.md
+++ b/README.md
@@ -21,7 +21,7 @@
 2. Obtain an API token for your target git forge. For example, here are the [docs for Gitea/Forgejo](https://docs.renovatebot.com/modules/platform/forgejo/).
 3. Renovate also recommends [obtaining a github.com token](https://docs.renovatebot.com/mend-hosted/github-com-token/) to fetch changelogs and to avoid rate limits. If your target git forge is github, this can technically be the same token as in step 1.
 4. `abra app new renovate`
-5. `abra app config `
+5. `abra app config ` (point it to your git forge and enable any optional secrets)
 6. Set the tokens obtained in steps 2 and 3: `abra app secret insert renovate_token v1`
 7. `abra app deploy `
-- 
2.49.0