chore(ci): set up Renovate dependency automation
Renovate runs as a daily Gitea Actions cron (03:00 UTC, on
self-hosted runners) and opens PRs against main for dependency
updates. Picked daily-at-3am specifically so Monday's run sits
inside Renovate's default `lockFileMaintenance.schedule` ("before
4am on Monday") and triggers the weekly lockfile refresh in passing.
The workflow only handles invocation + Gitea-platform plumbing.
Bot behaviour (groupings, labels, Conventional Commits, OSV.dev
vulnerability source) lives in /renovate.json so it can evolve
without redeploying the workflow.
Groups defined: Angular, Nx, NestJS, Prisma (incl. nestjs-prisma),
Vitest, TypeScript tooling, ESLint, SWC, Tailwind. Standalone
packages get individual PRs.
Bot identity: a dedicated `apf-portal-bot` Gitea user authenticates
with a PAT stored as the RENOVATE_TOKEN repo secret. The full
onboarding procedure (user creation, scopes, secret) is documented
in docs/development.md → "Dependency updates (Renovate)".
The roadmap entry for Renovate is removed from §8 since the section
now exists.
This commit is contained in:
@@ -0,0 +1,45 @@
|
||||
# Per ADR-0015 (CI/CD on Gitea Actions). Scheduled invocation of
|
||||
# Renovate Bot, which proposes dependency updates as PRs against main.
|
||||
#
|
||||
# Configuration of the *bot's behaviour* (groupings, schedules, labels,
|
||||
# auto-merge, vulnerability sources) lives in /renovate.json at the
|
||||
# repo root. This workflow only controls *when* Renovate runs and how
|
||||
# it authenticates against Gitea.
|
||||
#
|
||||
# Authentication: a Gitea Personal Access Token issued for the dedicated
|
||||
# `apf-portal-bot` user, stored as the RENOVATE_TOKEN secret. The full
|
||||
# bot-onboarding procedure lives in docs/development.md → "Dependency
|
||||
# updates (Renovate)".
|
||||
|
||||
name: Renovate
|
||||
|
||||
on:
|
||||
schedule:
|
||||
# Daily 03:00 UTC — outside working hours, no contention with PR CI.
|
||||
# Picked specifically to sit inside Renovate's default
|
||||
# `lockFileMaintenance.schedule` window of "before 4am on Monday",
|
||||
# so Monday's run also triggers the weekly lockfile refresh.
|
||||
- cron: '0 3 * * *'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
renovate:
|
||||
runs-on: [self-hosted, on-prem]
|
||||
steps:
|
||||
- uses: renovatebot/github-action@v40
|
||||
with:
|
||||
token: ${{ secrets.RENOVATE_TOKEN }}
|
||||
configurationFile: renovate.json
|
||||
env:
|
||||
# Tell Renovate this is Gitea, not GitHub.
|
||||
RENOVATE_PLATFORM: gitea
|
||||
# Gitea API endpoint — derived from the workflow's own server
|
||||
# URL so a Gitea → GitLab migration only requires changing
|
||||
# github.server_url at the platform level (matches the
|
||||
# CLAUDE.md rule about not hardcoding the project name /
|
||||
# forge details outside repo metadata).
|
||||
RENOVATE_ENDPOINT: ${{ github.server_url }}/api/v1/
|
||||
# Don't crawl the whole instance — only this repo.
|
||||
RENOVATE_AUTODISCOVER: 'false'
|
||||
RENOVATE_REPOSITORIES: ${{ github.repository }}
|
||||
LOG_LEVEL: info
|
||||
Reference in New Issue
Block a user