add renovatebot to run hourly in a self-hosted github action instead of using dependabot #574
Conversation
I think it is better to use the Github App instead of Actions as it avoids potentially leaking any secrets and doesn't need any config except for the main config file. I just requested the App to be enabled on this repo, so hopefully someone with access allows it soon. I will take a closer look at the changes of this PR soon.
The action does actually use a GitHub App to get the one-time token, but an org admin has to create it. The reason we can't use the default one from mend.io (the company that maintains the official renovateBot github app) is because it will not let us do custom post upgrade tasks. That is a self-hosted feature. Also, it does not leak any secrets. That is not possible, even with debug logging on, in part because github automatically prunes known repo secrets. I have tested this and you can view a run here:
Ok I didn't know that.
I know, but at Nextcloud we have a special problem: Many more or less trustworthy people are part of the Github organization which makes it possible for them to see the secrets in the settings. I'm not sure how problematic this token is, but this problem should be kept in mind.
I can't actually see secrets in the settings here. I think you're more powerful than me haha :) However, once a repo secret is added, it can't be seen again. You can only update it. Here's a video showing what happens if you try to update a repo level github actions secret though (in a repo where I am actually powerful): Screen.Recording.2024-05-29.at.14.34.29.mov
And in the logs, it is obscured with
Ok interesting, maybe this was fixed by Github at some point. This problem was explained to me by one of our security peeps last year, so I just trusted them 🙈
Dang that picture looks weird, but I also love it!
…of using dependabot Signed-off-by: jessebot <[email protected]>
…ub exactly for id Signed-off-by: jessebot <[email protected]>
Signed-off-by: Jesse Hitch <[email protected]>
Pull Request
Description of the change
This switches us from Dependabot (can't do helm updates) to RenovateBot (can do some helm updates).
Benefits
This would generate all the same PRs that dependabot would, but it would also catch sub-chart updates, updates to the main appVersion image, and updates to the nested image versions (like for the metrics image).
Possible drawbacks
It cannot update the version in Chart.yaml for docker image updates, however, it can update the version for sub-chart updates. In the meantime, it will still generate a useful PR, to update what it can update, that can be edited by a maintainer to manually bump the version. There's an ongoing discussion about making this actually bump the version in Chart.yaml for updates to docker images and appVersion, so when that is solid, I'll port those changes here as well.
Applicable issues
Additional information
Before this can work, we need a nextcloud member with org settings access to create a GitHub App as described here:
Checklist
Chart.yaml
according to semver.
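The shape of workflow the PR and the thread describe (hourly schedule, a short-lived token minted from a GitHub App rather than a stored PAT, self-hosted Renovate with an explicit allowlist for post-upgrade commands), written here as an added illustration and not the PR's own files; the secret names, the App, the config path and the allowed command pattern are assumptions:

```yaml
# Added example, not the PR's workflow. Assumes a GitHub App was created by
# an org admin and its id / PEM key are stored as the repo secrets
# RENOVATE_APP_ID and RENOVATE_APP_PRIVATE_KEY (constructed names).
name: renovate

on:
  schedule:
    - cron: "0 * * * *"   # hourly, as proposed in the PR title
  workflow_dispatch:

permissions: {}            # the job never uses the built-in GITHUB_TOKEN

jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Mint an installation token for this run only. It expires on its own,
      # is never written to repo settings, and is redacted from job logs the
      # same way registered secrets are.
      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.RENOVATE_APP_ID }}
          private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }}

      - uses: renovatebot/github-action@v40
        with:
          configurationFile: .github/renovate-config.js   # assumed path
          token: ${{ steps.app-token.outputs.token }}
        env:
          # Restrict the self-hosted run to this one repository.
          RENOVATE_REPOSITORIES: nextcloud/helm
          # Post-upgrade tasks execute shell commands in the runner, which is
          # why they are a self-hosted-only feature. Allowlisting them by
          # regex is the control that keeps a compromised dependency update
          # from running arbitrary commands; the pattern below is a
          # constructed example.
          RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS: '["^helm dependency update .*$"]'
          # Debug output is safe to leave on: the runner masks secret values.
          LOG_LEVEL: debug
```

The token this job holds carries only the permissions granted to the App at creation time, so the App's permission set (contents and pull requests, at minimum, for Renovate) is where its blast radius is decided.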