From bbca5dec2e5ac343803fed4d23a958cc3bb66afb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gonzalo=20Su=C3=A1rez=20Losada?=
Date: Tue, 21 Oct 2025 10:30:40 +0200
Subject: [PATCH 01/14] feat: added initial renovate action
---
security/renovate/renovate.yaml | 106 ++++++++++++++++++++++++++++++++
1 file changed, 106 insertions(+)
create mode 100644 security/renovate/renovate.yaml
diff --git a/security/renovate/renovate.yaml b/security/renovate/renovate.yaml
new file mode 100644
index 0000000..98ea751
--- /dev/null
+++ b/security/renovate/renovate.yaml
@@ -0,0 +1,106 @@ +name: Renovate + +on: + workflow_call: + inputs: + log_level: + description: 'Log level for Renovate' + required: false + type: string + default: 'info' + dry_run: + description: 'Dry run (no PRs will be created)' + required: false + type: boolean + default: false + force_refresh: + description: 'Force refresh all dependencies' + required: false + type: boolean + default: false + renovate_config_file: + description: 'Path to Renovate configuration file' + required: false + type: string + default: 'renovate.json' + slack_channel: + description: 'Slack channel to post notifications' + required: false + type: string + default: '#devops-peer-review' + runner: + description: 'GitHub Actions runner to use' + required: false + type: string + default: 'actions-runners' + +env: + LOG_LEVEL: ${{ inputs.log_level }} + RENOVATE_DRY_RUN: ${{ inputs.dry_run }} + +jobs: + renovate: + runs-on: ${{ inputs.runner }} + name: Renovate Dependencies + + steps: + - name: Checkout + uses: actions/checkout@v5 + + - name: Install GitHub CLI + run: | + sudo apt update + sudo apt install gh -y + + - name: Self-hosted Renovate + uses: renovatebot/github-action@v43.0.18 + with: + configurationFile: ${{ inputs.renovate_config_file }} + token: ${{ secrets.GITHUB_TOKEN }} + env: + LOG_LEVEL: ${{ env.LOG_LEVEL }} + RENOVATE_DRY_RUN: ${{ env.RENOVATE_DRY_RUN }} + RENOVATE_FORCE: ${{ inputs.force_refresh }} + # Enable autodiscover to find the current repository + RENOVATE_AUTODISCOVER: true + RENOVATE_AUTODISCOVER_FILTER: ${{ github.repository }} + RENOVATE_GIT_AUTHOR: 'Renovate Bot ' + + - name: Get Renovate PRs + id: get-prs + if: always() + run: | + # Get PRs created by Renovate Bot in the last 7 days + PRS=$(gh pr list \ + --author "app/github-actions" \ + --limit 20 \ + --json number,title,url,createdAt,state \ + --jq 'map(select(.createdAt >= (now - 604800 | strftime("%Y-%m-%dT%H:%M:%SZ")))) | .[] | "• <\(.url)|\(.title)> (#\(.number)) - \(.state)"' \ + | sed 's/OPEN/🟢 
Open/g; s/MERGED/🟣 Merged/g; s/CLOSED/⚫ Closed/g') + + # Count PRs - ensure we always get a valid number + if [ -z "$PRS" ]; then + PR_COUNT="0" + else + PR_COUNT=$(echo "$PRS" | grep -c .) + if [ -z "$PR_COUNT" ]; then + PR_COUNT="0" + fi + fi + + # Format the PR list (escape newlines for JSON) + if [ -n "$PRS" ]; then + PR_LIST=$(echo "$PRS" | sed ':a;N;$!ba;s/\n/\\n/g') + else + PR_LIST="No PRs found in the last 7 days." + fi + + # Set outputs + echo "pr_list<> $GITHUB_OUTPUT + echo "$PR_LIST" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + echo "pr_count=$PR_COUNT" >> $GITHUB_OUTPUT + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # - name: Post text to a Discord channel From ffc78c320010286a2f2f8beb203d8c533466c4ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Su=C3=A1rez=20Losada?= Date: Tue, 21 Oct 2025 10:32:35 +0200 Subject: [PATCH 02/14] fix: deleted unused field --- security/renovate/renovate.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/security/renovate/renovate.yaml b/security/renovate/renovate.yaml index 98ea751..2561a31 100644 --- a/security/renovate/renovate.yaml +++ b/security/renovate/renovate.yaml @@ -23,11 +23,6 @@ on: required: false type: string default: 'renovate.json' - slack_channel: - description: 'Slack channel to post notifications' - required: false - type: string - default: '#devops-peer-review' runner: description: 'GitHub Actions runner to use' required: false From 5a53930d83121550d1cd63f73c048a6e16f9bc99 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Su=C3=A1rez=20Losada?= Date: Tue, 21 Oct 2025 10:56:15 +0200 Subject: [PATCH 03/14] fix: moved to .github/workflows/ --- {security/renovate => .github/workflows}/renovate.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {security/renovate => .github/workflows}/renovate.yaml (100%) 
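Review bot: The reusable workflow has no top-level `permissions:` block, so the `GITHUB_TOKEN` that reaches `renovatebot/github-action` and the `gh pr list` step carries whatever the calling workflow or the repository default grants; declare the minimum Renovate needs (the README added later in this series grants `contents`, `pull-requests` and `issues` write) so the called workflow caps the token regardless of the caller. The actions are pinned by tag only (`actions/checkout@v5`, `renovatebot/github-action@v43.0.18`), which a dependency-hygiene workflow should avoid — pin each `uses:` to a full commit SHA with the version in a trailing `# vX.Y.Z` comment and let Renovate keep the digests current. In `Get Renovate PRs`, `--limit 20` is applied by `gh` before the jq `createdAt` filter, so a busy repository can undercount the week's PRs; pass the date window to `gh` itself via `--search` or raise the limit. The four `>> $GITHUB_OUTPUT` redirections leave the variable unquoted; `>> "$GITHUB_OUTPUT"` is the safe form.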
diff --git a/security/renovate/renovate.yaml b/.github/workflows/renovate.yaml similarity index 100% rename from security/renovate/renovate.yaml rename to .github/workflows/renovate.yaml From c67b9162624bbc3dab97e1c8721b29e98fd61019 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Su=C3=A1rez=20Losada?= Date: Tue, 21 Oct 2025 11:11:59 +0200 Subject: [PATCH 04/14] fix: updated extension --- .github/workflows/{renovate.yaml => renovate.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{renovate.yaml => renovate.yml} (100%) diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yml similarity index 100% rename from .github/workflows/renovate.yaml rename to .github/workflows/renovate.yml From 12c66e484274521c687bf7cd9ed8054bf6ebb004 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Su=C3=A1rez=20Losada?= Date: Fri, 24 Oct 2025 10:02:40 +0200 Subject: [PATCH 05/14] fix: passing GH PAT as a parameter --- .github/workflows/renovate.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 2561a31..bc0be41 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -28,6 +28,10 @@ on: required: false type: string default: 'actions-runners' + github_token: + description: 'GitHub Personal Access Token (PAT)' + required: true + type: string env: LOG_LEVEL: ${{ inputs.log_level }} @@ -51,7 +55,7 @@ jobs: uses: renovatebot/github-action@v43.0.18 with: configurationFile: ${{ inputs.renovate_config_file }} - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ inputs.github_token }} env: LOG_LEVEL: ${{ env.LOG_LEVEL }} RENOVATE_DRY_RUN: ${{ env.RENOVATE_DRY_RUN }} @@ -96,6 +100,6 @@ jobs: echo "EOF" >> $GITHUB_OUTPUT echo "pr_count=$PR_COUNT" >> $GITHUB_OUTPUT env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ inputs.github_token }} # - name: Post text to a Discord channel 
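Review bot: A Personal Access Token is declared here as a `workflow_call` input (`github_token` with `type: string`) and then consumed as `token:` and `GH_TOKEN:`; `inputs` are not masked in logs and are visible in the run's context, so a credential must be declared under the `secrets:` block of `workflow_call` with `required: true` and referenced as `${{ secrets.github_token }}`. The same pattern recurs with `github_app_private_key` in PATCH 06 before PATCH 07 moves it under `secrets:`.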
From 38b661ece15a815ebf2cf20e5332f286c0f0ddc4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Su=C3=A1rez=20Losada?= Date: Fri, 24 Oct 2025 14:22:29 +0200 Subject: [PATCH 06/14] fix: moved create token to base action --- .github/workflows/renovate.yml | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index bc0be41..2d7906e 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -28,11 +28,22 @@ on: required: false type: string default: 'actions-runners' - github_token: - description: 'GitHub Personal Access Token (PAT)' + github_app_id: + description: 'GitHub App ID' + required: true + type: string + github_app_private_key: + description: 'GitHub App private key (in .pem format)' + required: true + type: string + owner: + description: 'Owner of the repository' + required: true + type: string + repositories: + description: 'Repositories to be applied the changes to' required: true type: string - env: LOG_LEVEL: ${{ inputs.log_level }} RENOVATE_DRY_RUN: ${{ inputs.dry_run }} @@ -51,6 +62,15 @@ jobs: sudo apt update sudo apt install gh -y + - name: Create GitHub App Token + id: create-token + uses: actions/create-github-app-token@v2 + with: + app-id: ${{ inputs.github_app_id }} + private-key: ${{ inputs.github_app_private_key }} + owner: ${{ inputs.owner }} + repositories: ${{ inputs.repositories }} + - name: Self-hosted Renovate uses: renovatebot/github-action@v43.0.18 with: From 2498b5efec8dc9f18c6f731b16d5ebe0ba964299 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Su=C3=A1rez=20Losada?= Date: Mon, 27 Oct 2025 12:35:20 +0100 Subject: [PATCH 07/14] fix: moved github_app_private_key from 'inputs' to 'secrets' --- .github/workflows/renovate.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 2d7906e..1fbd373 100644 
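Review bot: Dropping the `github_token` input leaves the `GH_TOKEN: ${{ inputs.github_token }}` line of the `Get Renovate PRs` step pointing at an input that no longer exists (it is still visible unchanged as context in the PATCH 11 and PATCH 12 hunks), so after this commit `gh pr list` runs with an empty token and the step fails or lists nothing; it should become `GH_TOKEN: ${{ steps.create-token.outputs.token }}`. The installation token minted by `Create GitHub App Token` is scoped to `inputs.repositories`, while Renovate is pointed at `github.repository` via `RENOVATE_AUTODISCOVER_FILTER` (outside this hunk), so a caller presumably has to include its own repository in `repositories` or the token will not be able to push — worth stating in that input's `description`, which currently reads `'Repositories to be applied the changes to'` and would be clearer as `'Repositories the App token is scoped to; must include the calling repository'`.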
--- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -32,10 +32,6 @@ on: description: 'GitHub App ID' required: true type: string - github_app_private_key: - description: 'GitHub App private key (in .pem format)' - required: true - type: string owner: description: 'Owner of the repository' required: true @@ -44,6 +40,11 @@ on: description: 'Repositories to be applied the changes to' required: true type: string + secrets: + github_app_private_key: + description: 'GitHub App private key (in .pem format)' + required: true + type: string env: LOG_LEVEL: ${{ inputs.log_level }} RENOVATE_DRY_RUN: ${{ inputs.dry_run }} From ddae9eeb64d6747a2eb070158f0cf8b076344db7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Su=C3=A1rez=20Losada?= Date: Mon, 27 Oct 2025 12:38:01 +0100 Subject: [PATCH 08/14] fix: deleted type field in github_app_private_key 'secrets' --- .github/workflows/renovate.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 1fbd373..7b51c7a 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -44,7 +44,6 @@ on: github_app_private_key: description: 'GitHub App private key (in .pem format)' required: true - type: string env: LOG_LEVEL: ${{ inputs.log_level }} RENOVATE_DRY_RUN: ${{ inputs.dry_run }} From 6e1ca9222b27e1bd8b1b5046e30069f7787b4898 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Su=C3=A1rez=20Losada?= Date: Mon, 27 Oct 2025 12:41:07 +0100 Subject: [PATCH 09/14] fix: fixed reference in github_app_private_key --- .github/workflows/renovate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 7b51c7a..758ee49 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml 
@@ -67,7 +67,7 @@ jobs: uses: actions/create-github-app-token@v2 with: app-id: ${{ inputs.github_app_id }} - private-key: ${{ inputs.github_app_private_key }} + private-key: ${{ secrets.github_app_private_key }} owner: ${{ inputs.owner }} repositories: ${{ inputs.repositories }} From b6d67748b243a8f9bb9f3f4dba765a16c6d1263c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Su=C3=A1rez=20Losada?= Date: Mon, 27 Oct 2025 12:44:21 +0100 Subject: [PATCH 10/14] fix: fixed wrong reference for token in previous step --- .github/workflows/renovate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 758ee49..e22bf3d 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -75,7 +75,7 @@ jobs: uses: renovatebot/github-action@v43.0.18 with: configurationFile: ${{ inputs.renovate_config_file }} - token: ${{ inputs.github_token }} + token: ${{ steps.create-token.outputs.token }} env: LOG_LEVEL: ${{ env.LOG_LEVEL }} RENOVATE_DRY_RUN: ${{ env.RENOVATE_DRY_RUN }} From 8d850659f0a186158aecbb1c7fe4ca7d3c8c33f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Su=C3=A1rez=20Losada?= Date: Wed, 29 Oct 2025 12:18:46 +0100 Subject: [PATCH 11/14] fead: added renovate dc chanel id and bot token secret --- .github/workflows/renovate.yml | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index e22bf3d..98a6d15 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml 
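Review bot: With Renovate now authenticating as the GitHub App, the pull requests it opens are authored by the App's bot user rather than `github-actions[bot]`, so the `--author "app/github-actions"` filter in `Get Renovate PRs` (outside this hunk) will match nothing and `pr_count` will always be `0`; filter on the App's slug instead, e.g. `--author "app/<renovate-app-slug>"` (placeholder — the real slug is not on the page). For the same reason `RENOVATE_GIT_AUTHOR`, a few lines below this hunk, presumably still carries the old `Renovate Bot` identity; confirm it matches the App's noreply address, otherwise the commits and the PRs will show different authors.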
@@ -44,6 +44,13 @@ on: github_app_private_key: description: 'GitHub App private key (in .pem format)' required: true + renovate_update_discord_channel_id: + description: 'Discord channel ID where message will be updated to' + required: true + discord_bot_token: + description: 'Discord bot token for auth' + required: true + env: LOG_LEVEL: ${{ inputs.log_level }} RENOVATE_DRY_RUN: ${{ inputs.dry_run }} @@ -122,4 +129,25 @@ jobs: env: GH_TOKEN: ${{ inputs.github_token }} - # - name: Post text to a Discord channel + - name: Building a message + run: | + COLOR="65280" # Green for success + TITLE="Test message" + DESCRIPTION="🚀 **This is a test**\n\n" + + EMBEDS_PAYLOAD="[{ + \"title\": \"$TITLE\", + \"description\": \"$DESCRIPTION\", + \"color\": $COLOR + }]" + echo "EMBEDS_PAYLOAD<> $GITHUB_ENV + # here we can place the command that will generate multi-line text + echo $EMBEDS_PAYLOAD >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + + - name: Post text to a Discord channel + uses: resizes/github-actions/discord/post-message@v1 + with: + discord_channel_id: ${{ secrets.renovate_update_discord_channel_id }} + discord_bot_token: ${{ secrets.discord_bot_token }} + message_embeds: ${{ env.EMBEDS_PAYLOAD }} \ No newline at end of file From 8d04af8dfe52d6dfdef730285f6171442a72339e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Su=C3=A1rez=20Losada?= Date: Sun, 9 Nov 2025 17:53:33 +0100 Subject: [PATCH 12/14] style: removed discord message steps --- .github/workflows/renovate.yml | 23 ----------------------- 1 file changed, 23 deletions(-) diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 98a6d15..4a57860 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml 
@@ -128,26 +128,3 @@ jobs: echo "pr_count=$PR_COUNT" >> $GITHUB_OUTPUT env: GH_TOKEN: ${{ inputs.github_token }} - - - name: Building a message - run: | - COLOR="65280" # Green for success - TITLE="Test message" - DESCRIPTION="🚀 **This is a test**\n\n" - - EMBEDS_PAYLOAD="[{ - \"title\": \"$TITLE\", - \"description\": \"$DESCRIPTION\", - \"color\": $COLOR - }]" - echo "EMBEDS_PAYLOAD<> $GITHUB_ENV - # here we can place the command that will generate multi-line text - echo $EMBEDS_PAYLOAD >> $GITHUB_ENV - echo "EOF" >> $GITHUB_ENV - - - name: Post text to a Discord channel - uses: resizes/github-actions/discord/post-message@v1 - with: - discord_channel_id: ${{ secrets.renovate_update_discord_channel_id }} - discord_bot_token: ${{ secrets.discord_bot_token }} - message_embeds: ${{ env.EMBEDS_PAYLOAD }} \ No newline at end of file From 351a7ea8970b1fdda3df82f3394556eb490523f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Su=C3=A1rez=20Losada?= Date: Sun, 9 Nov 2025 18:00:41 +0100 Subject: [PATCH 13/14] fix: removed unnecessary discord secrets --- .github/workflows/README.md | 0 .github/workflows/renovate.yml | 6 ------ 2 files changed, 6 deletions(-) create mode 100644 .github/workflows/README.md diff --git a/.github/workflows/README.md b/.github/workflows/README.md new file mode 100644 index 0000000..e69de29 diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 4a57860..59529d3 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -44,12 +44,6 @@ on: github_app_private_key: description: 'GitHub App private key (in .pem format)' required: true - renovate_update_discord_channel_id: - description: 'Discord channel ID where message will be updated to' - required: true - discord_bot_token: - description: 'Discord bot token for auth' - required: true env: LOG_LEVEL: ${{ inputs.log_level }} From 2a9944c9bedb17650c01248aa4253b6467e5c931 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gonzalo=20Su=C3=A1rez=20Losada?=
Date: Sun, 9 Nov 2025 18:03:27 +0100
Subject: [PATCH 14/14] docs: added readme
---
.github/workflows/README.md | 135 ++++++++++++++++++++++++++++++++++++
1 file changed, 135 insertions(+)
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index e69de29..2620c59 100644
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -0,0 +1,135 @@ +# Renovate +## What is Renovate +Renovate is an open-source tool (by Mend) that **automates dependency updates** across basically any language or ecosystem. It supports npm, pip, Terraform, Docker, Maven, Go modules, and a bunch more. + +At a high level, Renovate: +- Scans your repo for dependencies. +- Checks if newer versions are available. +- Creates pull requests with the updates. + +## How to use Renovate Action +### **Create your own ``renovate.json``:** +You can use this as a template and adapt it to your needs later on. Add it to your repo's root level: +```json +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:recommended", + ":dependencyDashboard", + ":semanticCommits", + ":automergeBranch" + ], + "timezone": "Europe/London", + "schedule": [ + "at any time" + ], + "labels": [ + "renovate", + "terraform" + ], + "assignees": [], + "reviewers": [], + "prConcurrentLimit": 0, + "prHourlyLimit": 0, + "rebaseWhen": "conflicted", + "lockFileMaintenance": { + "enabled": false + }, + "digest": { + "automerge": true + }, + + "packageRules": [ + { + "description": "Terraform providers and modules", + "matchManagers": [ + "terraform" + ], + "commitMessageTopic": "Terraform {{depName}}", + "pinDigests": false + },{ + "matchManagers": ["nvm", "node-version", "asdf"], + "groupName": "Node.js version", + "groupSlug": "node-version", + "semanticCommitType": "chore", + "semanticCommitScope": "node", + "commitMessageTopic": "Node.js version", + "commitMessageExtra": "update Node.js runtime version" + }, + { + "matchManagers": ["npm"], + "groupName": "npm dependencies", + "semanticCommitType": "chore", + "semanticCommitScope": "deps" + } + ], + + "npm": { + "enabled": true + }, + + "nvm": { + "enabled": true + }, + + "asdf": { + "enabled": true + } + +} +``` + +### **Invoke our reusable workflow from your repo:** You can use our reusable workflow from our [GitHub Actions 
repo](https://github.com/resizes/github-actions/blob/main/.github/workflows/renovate.yml): +```yaml +name: Renovate + +on: + schedule: + # Run every Monday at 5:00 AM UTC + - cron: '0 5 * * 1' + workflow_dispatch: + inputs: + log_level: + description: 'Log level' + required: false + default: 'info' + type: choice + options: + - info + - debug + - trace + dry_run: + description: 'Dry run (no PRs will be created)' + required: false + default: false + type: boolean + force_refresh: + description: 'Force refresh all dependencies' + required: false + default: false + type: boolean + +permissions: + contents: write # To create branches and commits + pull-requests: write # To create and update pull requests + issues: write # For dependency dashboard (if enabled) + checks: read # To read check status + statuses: read # To read commit statuses + actions: read # To read workflow runs + security-events: read # To read security events + +jobs: + renovate: + uses: resizes/github-actions/.github/workflows/renovate.yml@v1 + with: + log_level: ${{ inputs.log_level }} + dry_run: ${{ inputs.dry_run }} + force_refresh: ${{ inputs.force_refresh }} + runner: 'ubuntu-latest' + github_app_id: ${{ secrets.RENOVATE_APP_ID }} + owner: 'Resizes' + repositories: | + + secrets: + github_app_private_key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }} +``` \ No newline at end of file