diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index 734ad9fa..00000000 --- a/.github/dependabot.yml +++ /dev/null @@ -1,66 +0,0 @@ -version: 2 -updates: - # Rust: cargo workspace at repo root - - package-ecosystem: "cargo" - directory: "/" - schedule: - interval: "weekly" - timezone: "Europe/Berlin" - day: "monday" - time: "04:00" - open-pull-requests-limit: 5 - labels: - - "chore" - commit-message: - prefix: "chore(deps)" - prefix-development: "chore(deps-dev)" - rebase-strategy: "auto" - versioning-strategy: "auto" - groups: - rust-dependencies: - patterns: - - "*" - update-types: - - "minor" - - "patch" - - # Python: uv workspace at repo root - - package-ecosystem: "uv" - directory: "/" - schedule: - interval: "weekly" - timezone: "Europe/Berlin" - day: "monday" - time: "04:00" - open-pull-requests-limit: 5 - labels: - - "chore" - commit-message: - prefix: "chore(deps-py)" - prefix-development: "chore(deps-py-dev)" - rebase-strategy: "auto" - groups: - python-dependencies: - patterns: - - "*" - update-types: - - "minor" - - "patch" - - # GitHub Actions - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "weekly" - timezone: "Europe/Berlin" - day: "monday" - time: "04:00" - open-pull-requests-limit: 5 - labels: - - "chore" - commit-message: - prefix: "chore(actions)" - groups: - github-actions: - patterns: - - "*" diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml new file mode 100644 index 00000000..3ee4b8e4 --- /dev/null +++ b/.github/workflows/renovate.yml @@ -0,0 +1,61 @@ +name: Renovate + +on: + schedule: + # Every hour on the hour; Renovate itself decides which PRs to open based + # on `renovate.json` schedule + prConcurrentLimit. + - cron: "0 * * * *" + workflow_dispatch: + inputs: + logLevel: + description: "Renovate log level" + required: false + default: "info" + type: choice + options: + - debug + - info + - warn + +concurrency: + group: renovate-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + renovate: + name: Renovate + runs-on: ubuntu-latest + + steps: + - name: Get token + id: token + uses: actions/create-github-app-token@v2 + with: + app-id: ${{ secrets.RENOVATE_APP_ID }} + private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }} + + - name: Checkout + uses: actions/checkout@v7 + with: + token: ${{ steps.token.outputs.token }} + + # `postUpgradeTasks.commands` needs uv on PATH; install it before running + # Renovate so post-upgrade `uv sync && gen_requirements.py` succeeds. + - name: Install uv + uses: astral-sh/setup-uv@v7 + + - name: Renovate + uses: renovatebot/github-action@v46.1.17 + env: + # Whitelist the exact command postUpgradeTasks may run. Anything not + # matching this regex is silently ignored, which is the security + # backstop against a compromised renovate.json running arbitrary code. + RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS: '["^uv sync --all-packages && uv run python scripts/gen_requirements\\.py$"]' + RENOVATE_ALLOW_POST_UPGRADE_COMMAND_TEMPLATING: "true" + LOG_LEVEL: ${{ inputs.logLevel || 'info' }} + with: + token: ${{ steps.token.outputs.token }} + configurationFile: renovate.json diff --git a/renovate.json b/renovate.json new file mode 100644 index 00000000..e723b8e6 --- /dev/null +++ b/renovate.json @@ -0,0 +1,43 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:recommended", + ":semanticCommits", + ":semanticCommitTypeAll(chore)" + ], + "timezone": "Europe/Berlin", + "schedule": ["before 05:00 on monday"], + "prConcurrentLimit": 5, + "prHourlyLimit": 0, + "labels": ["chore"], + "rebaseWhen": "conflicted", + "rangeStrategy": "auto", + "commitMessagePrefix": "chore(deps):", + "packageRules": [ + { + "matchManagers": ["cargo"], + "groupName": "rust-dependencies", + "matchUpdateTypes": ["minor", "patch"], + "commitMessagePrefix": "chore(deps):" + }, + { + "matchManagers": ["pep621"], + "groupName": "python-dependencies", + "matchUpdateTypes": ["minor", "patch"], + "commitMessagePrefix": "chore(deps-py):" + }, + { + "matchManagers": ["github-actions"], + "groupName": "github-actions", + "commitMessagePrefix": "chore(actions):" + } + ], + "postUpgradeTasks": { + "commands": ["uv sync --all-packages && uv run python scripts/gen_requirements.py"], + "fileFilters": [ + "packages/*/requirements.txt", + "uv.lock" + ], + "executionMode": "branch" + } +}