From fcfae4cadcebaa61929c83584d43136172d783f6 Mon Sep 17 00:00:00 2001
From: Jack Baldry
Date: Tue, 14 Jan 2025 12:13:10 +0000
Subject: [PATCH] Add Renovate workflow to keep actions, workflows, and tool dependencies up to date (#946)

---
 .github/renovate-config.json5 | 51 +++++++++++++++++++++++
 .github/workflows/renovate.yml | 74 ++++++++++++++++++++++++++++++++++
 2 files changed, 125 insertions(+)
 create mode 100644 .github/renovate-config.json5
 create mode 100644 .github/workflows/renovate.yml

diff --git a/.github/renovate-config.json5 b/.github/renovate-config.json5
new file mode 100644
index 000000000..c2f0d66f9
--- /dev/null
+++ b/.github/renovate-config.json5
@@ -0,0 +1,51 @@
+{
+ $schema: "https://docs.renovatebot.com/renovate-schema.json",
+ branchPrefix: "grafanarenovatebot/",
+ customManagers: [
+ {
+ customType: "regex",
+ fileMatch: [
+ "(?:^|/)\\.github/(?:workflows|actions)/.+\\.ya?ml$",
+ "(?:^|/)action\\.ya?ml$",
+ ],
+ matchStrings: [
+ "# renovate: datasource=(?[a-z-.]+?) depName=(?[^\\s]+?)(?: (?:lookupName|packageName)=(?[^\\s]+?))?(?: versioning=(?[^\\s]+?))?(?: extractVersion=(?[^\\s]+?))?\\s+[A-Za-z0-9_-]+?[_-](?:VERSION|version)\\s*:\\s*[\"']?(?[^@]+)(?:@(?sha256:[a-f0-9]+))?[\"']?",
+ ],
+ },
+ ],
+ dependencyDashboard: false,
+ enabledManagers: ["custom.regex", "github-actions", "gomod", "npm"],
+ forkProcessing: "enabled",
+ globalExtends: [":pinDependencies", "config:best-practices"],
+ onboarding: false,
+ osvVulnerabilityAlerts: true,
+ packageRules: [
+ {
+ labels: ["update-major"],
+ matchUpdateTypes: ["major"],
+ },
+ {
+ labels: ["update-minor"],
+ matchUpdateTypes: ["minor"],
+ },
+ {
+ labels: ["update-patch"],
+ matchUpdateTypes: ["patch"],
+ },
+ {
+ labels: ["update-digest"],
+ matchUpdateTypes: ["digest"],
+ },
+ {
+ // Run the custom matcher on early Monday mornings (UTC)
+ schedule: "* 0-4 * * 1",
+ matchPackageNames: ["ghcr.io/renovatebot/renovate"],
+ },
+ ],
+ platformCommit: "enabled",
+ rebaseWhen: "behind-base-branch",
+ requireConfig: "optional",
+ vulnerabilityAlerts: {
+ enabled: true,
+ },
+}
\ No newline at end of file
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
new file mode 100644
index 000000000..e3a854130
--- /dev/null
+++ b/.github/workflows/renovate.yml
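Review bot: The value capture in the custom manager's `matchStrings` regex, the class `[^@]+`, is unanchored on its right and also matches newlines, so for any `*_VERSION:` value that carries no `@sha256:` digest (the digest group is optional, so that case is intended) it swallows everything up to the next `@` in the file, and for a quoted value such as `"1.2.3"` it keeps the closing quote in the captured version; the `renovate-version` pinned in this commit happens to have a digest, which is why it works today. Replace that class with `[^@\\s\"']+` so the captured version stops at whitespace or a quote. The comment `// Run the custom matcher on early Monday mornings (UTC)` above the last package rule also misdescribes it — the rule runs nothing, it restricts when update PRs for the pinned Renovate image may be opened — so I would reword it to `// Only open PRs that bump the pinned Renovate image between 00:00 and 04:59 UTC on Mondays`.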
@@ -0,0 +1,74 @@
+name: Renovate
+on:
+ schedule:
+ - cron: 13 */4 * * *
+
+ pull_request:
+ paths:
+ - .github/renovate-config.json5
+ - .github/workflows/renovate.yml
+ types:
+ - edited
+ - opened
+ - ready_for_review
+ - synchronize
+
+ push:
+ branches:
+ - main
+ paths:
+ - .github/renovate-config.json5
+ - .github/workflows/renovate.yml
+
+ workflow_dispatch:
+ inputs:
+ dry-run:
+ description: "Run Renovate in dry-run mode"
+ required: false
+ default: false
+ type: boolean
+
+jobs:
+ renovate:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+ sparse-checkout: |
+ .github/renovate-config.json5
+ actions/get-vault-secrets
+
+ - uses: grafana/shared-workflows/actions/get-vault-secrets@97c6f45f01d4bca8a3b1acfe397113ce88858a81 # get-vault-secrets-v1.0.1
+ with:
+ common_secrets: |
+ GRAFANA_RENOVATE_APP_ID=grafana-renovate-app:app-id
+ GRAFANA_RENOVATE_PRIVATE_KEY=grafana-renovate-app:private-key
+
+ - id: generate-token
+ uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+ with:
+ app-id: ${{ env.GRAFANA_RENOVATE_APP_ID }}
+ private-key: ${{ env.GRAFANA_RENOVATE_PRIVATE_KEY }}
+
+ - uses: renovatebot/github-action@f24426972367551f3391720e34317783a92fd32b # v41.0.8
+ with:
+ configurationFile: .github/renovate-config.json5
+ # renovate: datasource=docker depName=ghcr.io/renovatebot/renovate
+ renovate-version: 39.91.0@sha256:60d04619493d43fe67d728121dfef56b893bf90695219d352e772e881403d158
+ token: ${{ steps.generate-token.outputs.token }}
+ env:
+ LOG_LEVEL: ${{ github.event_name == 'pull_request' && 'debug' || 'info' }}
+ # On pull requests, use the branch HEAD ref, so you can change things and see the results in the PR workflow run.
+ # By default, Renovate will clone the main/default branch.
+ RENOVATE_BASE_BRANCHES: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.ref || null }}
+ # Dry run if the event is pull_request, or workflow_dispatch AND the dry-run input is true
+ RENOVATE_DRY_RUN: ${{ (github.event_name == 'pull_request' || (github.event_name == 'workflow_dispatch' && github.event.inputs.dry-run == 'true')) && 'full' || null }}
+ RENOVATE_PLATFORM: github
+ RENOVATE_REPOSITORIES: ${{ github.repository }}
+ RENOVATE_USERNAME: GrafanaRenovateBot
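Review bot: On `pull_request` runs this job still mints a real GitHub App token (Vault OIDC, then `create-github-app-token`) and hands Renovate the PR's own configuration — `configurationFile` is read from the checked-out PR commit and `RENOVATE_BASE_BRANCHES` is the PR head ref — so a same-repo PR author can exercise the App's credentials against a config of their choosing, and `RENOVATE_DRY_RUN: full` is the only thing keeping that run read-only. That dependency should be stated above `RENOVATE_DRY_RUN`, e.g. `# PR runs execute the PR's own config with the App token; they MUST stay dry-run`. For PRs from forks the `id-token: write` permission is presumably not granted, so the Vault step would simply fail; skipping them up front with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` on the job makes the trust boundary explicit instead of incidental. The job also has no `concurrency` group, so a 4-hourly schedule run can overlap a push-triggered run against the same repository; `concurrency: renovate` with `cancel-in-progress: false` would serialise them.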