
Run Renovate as a Github Action #5493

Merged: 6 commits, Apr 11, 2024

enesonus (Contributor)

Description

As #5462 requests, this PR adds a workflow file to self-host Renovate on GitHub Actions to run make generate before creating a PR.

Our goals were (as @negz stated):

  • Renovate automatically runs make generate before opening a PR
  • Ideally renovate runs about as frequently as it does today
  • Ideally we don't lose useful Renovate functionality (e.g. the "click here to rebase" box on Renovate PRs)

Renovate will automatically run make generate before creating a commit using the postUpgradeTasks configuration option.
All files will be committed after running a post-upgrade task.
The postUpgradeTask (make generate) will be executed for the whole branch but it can also be configured to execute for every dependency on the branch.

This workflow file runs Renovate every day at 8 AM UTC. Since I did not know the current frequency, I made this up.

  schedule:
    - cron: '0 8 * * *'

Probably we will not lose any useful Renovate functionality since there is no mention of a functionality difference between Mend Renovate and Self Hosted Renovate in the documentation, but of course I am not 100% sure.

Currently this PR handles authentication via a PAT (Personal Access Token) with repo scope, as explained in the Renovate docs:

token: ${{ secrets.RENOVATE_TOKEN }}

Instead of using a Personal Access Token (PAT) that is tied to a particular user, it is also possible to create a GitHub App where permissions can be better tuned. For this we need to perform a few more steps. I don't think we need this but this is an option.


@enesonus enesonus requested a review from a team as a code owner March 19, 2024 01:37
@enesonus enesonus requested a review from turkenh March 19, 2024 01:37
Signed-off-by: Mehmet Enes <menes.onus@gmail.com>
Signed-off-by: Mehmet Enes <menes.onus@gmail.com>
.github/renovate.json5 (outdated, resolved)
Co-authored-by: Philippe Scorsolini <p.scorsolini@gmail.com>
Signed-off-by: Mehmet Enes <94247411+enesonus@users.noreply.github.com>
uses: renovatebot/github-action@v40.1.5
with:
configurationFile: .github/renovate.json5
token: ${{ secrets.RENOVATE_TOKEN }}
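
Review bot: `uses: renovatebot/github-action@v40.1.5` references the action by tag, and a tag can be repointed after release; since this same step is handed `secrets.RENOVATE_TOKEN`, pin the action to the full commit SHA of that release and keep the version number in a trailing comment.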
Contributor

This should work, we should be able to create PRs with that:

Suggested change
token: ${{ secrets.RENOVATE_TOKEN }}
token: ${{ secrets.GITHUB_TOKEN }}

Contributor

No, that won't have all the required access, I'll see if we manage to create an app on Monday.

Contributor Author

Hi @phisco, any updates on this?

Contributor

Sorry, got lost, I'll make sure to check this out next week 😅

enesonus and others added 2 commits March 23, 2024 18:45
Co-authored-by: Philippe Scorsolini <p.scorsolini@gmail.com>
Signed-off-by: Mehmet Enes <94247411+enesonus@users.noreply.github.com>
Co-authored-by: Philippe Scorsolini <p.scorsolini@gmail.com>
Signed-off-by: Mehmet Enes <94247411+enesonus@users.noreply.github.com>
enesonus (Contributor Author) commented Mar 23, 2024

Hey @phisco, is there a way I can also run this GitHub Action on my fork for testing purposes? It's my first Open Source contribution about GitHub Actions so I don't have much experience :)

phisco (Contributor) commented Mar 23, 2024

Sure, @enesonus! GitHub Actions have to be on the main branch of your repo for you to be able to run them, so you'll have to merge your commits on master, add one more commit commenting out the if condition we just introduced to allow running it also on forks, and then you can just manually run it. You can do all your changes on your master branch; once you are satisfied you can just port them back to the PR's branch. Let me know if you have any other doubts!

phisco (Contributor) commented Apr 4, 2024

Hey @EnesOnu, sorry again, busy weeks. I've pinged @jbw976 to set up the app, I think it would be better in the long run to use that. So, would you mind switching this PR to use that instead of the PAT in the meantime? Let me know if you need any help 🙏

enesonus (Contributor Author) commented Apr 4, 2024

Of course I can, @phisco. I will work on it at the weekend.

Signed-off-by: Mehmet Enes <menes.onus@gmail.com>
enesonus (Contributor Author) commented Apr 8, 2024

Hey @phisco, Renovate bot can be run as a self-hosted GitHub app now. I tested it on my fork and it seems to be working as expected. If you want to have a look, here is a workflow run and a PR the bot created at my fork.

Steps required to get the bot up and running are:

  1. Register a new GitHub App
  2. Install the app
  3. Generate a private key for the app and store it as a secret named RENOVATE_GITHUB_APP_PRIVATE_KEY
  4. Store the GitHub App ID as a secret named RENOVATE_GITHUB_APP_ID

After these steps it should be good to go.
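
The four steps above map onto a workflow like the following. This is an added example, not the workflow file merged in this PR: the secret names, schedule, action version and config path come from the thread, while the step id `app-token`, the `actions/checkout` and `actions/create-github-app-token` steps, the fork guard and the `RENOVATE_*` environment values are assumptions.

```yaml
# Added example: self-hosted Renovate authenticated as a GitHub App instead of a PAT.
name: Renovate
on:
  schedule:
    - cron: '0 8 * * *'    # daily at 08:00 UTC, as in the PR description
  workflow_dispatch: {}     # allows manual runs while testing

# Renovate authenticates with the App token below, so the default
# GITHUB_TOKEN only needs read access for the checkout.
permissions:
  contents: read

jobs:
  renovate:
    runs-on: ubuntu-latest
    # Assumed fork guard: forks do not have the App secrets, so skip the job there.
    if: github.repository == 'crossplane/crossplane'
    steps:
      # Tags are used for readability; pinning to full commit SHAs is stricter.
      - name: Checkout
        uses: actions/checkout@v4

      # Exchange the App ID and private key for an installation token.
      - name: Get GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.RENOVATE_GITHUB_APP_ID }}
          private-key: ${{ secrets.RENOVATE_GITHUB_APP_PRIVATE_KEY }}

      - name: Self-hosted Renovate
        uses: renovatebot/github-action@v40.1.5
        env:
          RENOVATE_REPOSITORIES: ${{ github.repository }}
          # Self-hosted Renovate only runs postUpgradeTasks commands that
          # match this allowlist, so keep the pattern anchored and exact.
          RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS: '["^make generate$"]'
        with:
          configurationFile: .github/renovate.json5
          token: ${{ steps.app-token.outputs.token }}
```

Unlike the PAT, the installation token is scoped to the App's granted permissions and expires after an hour, so a leaked value from a job log has a short useful life.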

phisco (Contributor) commented Apr 9, 2024

Awesome @enesonus!
@jbw976 let me know when you have configured the app 🙏

jbw976 (Member) commented Apr 11, 2024

@enesonus @phisco I believe I have completed the steps here to create the GitHub app for self-hosted Renovate. Please let me know if I've missed anything 🕵️

From https://github.com/organizations/crossplane/settings/installations/49496343, we can see the Crossplane-Renovate GitHub App is installed for all repositories in the crossplane organization, with the permissions as described in the Renovate docs:
[Screenshot 2024-04-11 at 12 41 57 PM]

A private key was created and its value, along with the ID of the GitHub App, were stored as Actions Secrets at the Organization level in https://github.com/organizations/crossplane/settings/secrets/actions. Note that these secrets are only visible to the main crossplane repo to get started. We can expand that to more repos once we have tested.
[Screenshot 2024-04-11 at 12 45 01 PM]

Let me know if anything else is needed, thanks guys!! 🙇‍♂️

phisco (Contributor) left a comment

Awesome, thanks @jbw976! And thanks a lot for your contribution, @enesonus, looking forward to the next one! 🎉 🎉

@phisco phisco merged commit e86b2ba into crossplane:master Apr 11, 2024
15 of 16 checks passed