

ci: add renovate (#1262)
We need a way to update the dependencies mentioned inside the Dockerfile
definition. Dependabot does not support this but Renovate does, allowing
to treat arbitrary strings as version identifiers.

This also includes support for updating the kubectl, kustomize, and helm
versions included in the Dockerfile.
zerok authored Dec 4, 2024
1 parent d30882b commit 3c9a48d
Showing 8 changed files with 197 additions and 112 deletions.
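--- /dev/null
+++ b/.github/renovate-config.json5
@@ -0,0 +1,97 @@
+{
+$schema: "https://docs.renovatebot.com/renovate-schema.json",
+branchPrefix: "grafanarenovatebot/",
+customDatasources: {
+"kubectl": {
+"defaultRegistryUrlTemplate": "https://cdn.dl.k8s.io/release/stable.txt",
+"format": "plain",
+"transformTemplates": [
+"{\"releases\": [releases . {\"version\": $substring(version, 1)}]}",
+],
+},
+"helm": {
+"defaultRegistryUrlTemplate": "https://api.github.com/repos/helm/helm/releases",
+"format": "json",
+"transformTemplates": [
+"{\"releases\": [$.tag_name . {\"version\": $substring($, 1)}]}",
+],
+},
+"kustomize": {
+"defaultRegistryUrlTemplate": "https://api.github.com/repos/kubernetes-sigs/kustomize/releases",
+"format": "json",
+"transformTemplates": [
+"{\"releases\": [$$ [$match(tag_name, /kustomize.*/) and $not(draft) and $not(prerelease) ] . {\"version\": $substringAfter(tag_name, \"/v\")}]}",
+],
+},
+},
+
+customManagers: [
+{
+"customType": "regex",
+"fileMatch": ["Dockerfile"],
+"matchStrings": [
+"ARG KUBECTL_VERSION=(?<currentValue>\\S+)",
+],
+"datasourceTemplate": "custom.kubectl",
+"depNameTemplate": "kubectl",
+},
+{
+"customType": "regex",
+"fileMatch": ["Dockerfile"],
+"matchStrings": [
+"ARG HELM_VERSION=(?<currentValue>\\S+)",
+],
+"datasourceTemplate": "custom.helm",
+"depNameTemplate": "helm",
+"versioningTemplate": "semver",
+},
+{
+"customType": "regex",
+"fileMatch": ["Dockerfile"],
+"matchStrings": [
+"ARG KUSTOMIZE_VERSION=(?<currentValue>\\S+)",
+],
+"datasourceTemplate": "custom.kustomize",
+"depNameTemplate": "kustomize",
+"versioningTemplate": "semver",
+},
+],
+dependencyDashboard: false,
+enabledManagers: ["custom.regex"],
+forkProcessing: "enabled",
+globalExtends: [":pinDependencies", "config:best-practices"],
+onboarding: false,
+osvVulnerabilityAlerts: true,
+packageRules: [
+{
+labels: ["update-major"],
+matchUpdateTypes: ["major"],
+},
+{
+labels: ["update-minor"],
+matchUpdateTypes: ["minor"],
+},
+{
+automerge: true,
+labels: ["automerge-patch"],
+matchUpdateTypes: ["patch"],
+},
+{
+labels: ["update-digest"],
+matchUpdateTypes: ["digest"],
+},
+{
+// Run the custom matcher on early Monday mornings (UTC)
+schedule: "* 0-4 * * 1",
+matchPackageNames: ["ghcr.io/renovatebot/renovate"],
+},
+],
+platformCommit: "enabled",
+rebaseWhen: "behind-base-branch",
+requireConfig: "optional",
+vulnerabilityAlerts: {
+automerge: true,
+enabled: true,
+labels: ["automerge-security-update"],
+},
+}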
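Review bot: The package rule carrying `schedule: "* 0-4 * * 1"` for `ghcr.io/renovatebot/renovate` names a dependency that nothing in this config discovers: `enabledManagers` is restricted to `custom.regex`, and the three custom managers only match the `ARG *_VERSION` lines in `Dockerfile`, so the `# renovate: datasource=docker depName=ghcr.io/renovatebot/renovate` hint above `renovate-version` in `.github/workflows/renovate.yml` (the fourth file in this commit) is never read unless one of the `globalExtends` presets happens to supply a matching regex manager. Either add a fourth entry to `customManagers` with `"fileMatch": [".github/workflows/renovate.yml"]` and a `matchStrings` pattern for that hint, or drop the rule so the config does not advertise a self-update that never runs. Separately, the kubectl manager has no `versioningTemplate` while the helm and kustomize managers both set `"versioningTemplate": "semver"`; giving all three the same value avoids depending on the manager default for just one of them.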
21 changes: 1 addition & 20 deletions .github/workflows/acceptance-tests.yml
Expand Up @@ -21,30 +21,11 @@ jobs:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: "Determine dependency versions"
id: "versions"
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
const helmRelease = await github.rest.repos.getLatestRelease({
'owner': 'helm',
'repo': 'helm',
});
core.setOutput('helm', helmRelease.data.tag_name);
console.log('Helm version', helmRelease.data.tag_name);
const kustomizeReleases = await github.rest.repos.listReleases({
'owner': 'kubernetes-sigs',
'repo': 'kustomize',
});
const kustomizeRelease = kustomizeReleases.data.filter(release => release.tag_name.startsWith('kustomize') && !release.draft && !release.prerelease).map(release => release.tag_name.split('/')[1])[0];
console.log('Kustomize version', kustomizeRelease);
core.setOutput('kustomize', kustomizeRelease);
- name: Call Dagger Function
id: dagger
uses: dagger/dagger-for-github@e5153f5610d82ac9f3f848f3a25ad9d696641068 # v7.0.1
with:
version: "0.14.0"
verb: call
dagger-flags: "--silent"
args: "acceptance-tests --root-dir .:source-files --acceptance-tests-dir ./acceptance-tests --kustomize-version ${{ steps.versions.outputs.kustomize }} --helm-version ${{ steps.versions.outputs.helm }}"
args: "acceptance-tests --root-dir .:source-files --acceptance-tests-dir ./acceptance-tests"
30 changes: 0 additions & 30 deletions .github/workflows/docker.yml
Expand Up @@ -36,34 +36,7 @@ env:
type=semver,pattern={{version}},value=${{ inputs.tag }},enable=${{ inputs.tag != '' }}
jobs:
determine-versions:
runs-on: ubuntu-latest
outputs:
helm: ${{ steps.versions.outputs.helm }}
kustomize: ${{ steps.versions.outputs.kustomize }}
steps:
- name: "Determine dependency versions"
id: "versions"
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
const helmRelease = await github.rest.repos.getLatestRelease({
'owner': 'helm',
'repo': 'helm',
});
core.setOutput('helm', helmRelease.data.tag_name);
console.log('Helm version', helmRelease.data.tag_name);
const kustomizeReleases = await github.rest.repos.listReleases({
'owner': 'kubernetes-sigs',
'repo': 'kustomize',
});
const kustomizeRelease = kustomizeReleases.data.filter(release => release.tag_name.startsWith('kustomize') && !release.draft && !release.prerelease).map(release => release.tag_name.split('/')[1])[0];
console.log('Kustomize version', kustomizeRelease);
core.setOutput('kustomize', kustomizeRelease);
build:
needs:
- determine-versions
strategy:
fail-fast: false
matrix:
Expand Down Expand Up @@ -98,9 +71,6 @@ jobs:
context: .
labels: ${{ steps.meta.outputs.labels }}
outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=${{ github.event_name == 'push' }}
build-args: |
HELM_VERSION=${{ needs.determine-versions.outputs.helm }}
KUSTOMIZE_VERSION=${{ needs.determine-versions.outputs.kustomize }}

- name: Export digest
id: digest
79 changes: 79 additions & 0 deletions .github/workflows/renovate.yml
@@ -0,0 +1,79 @@
name: Renovate
on:
schedule:
# Offset by 12 minutes to avoid busy times on the hour
- cron: 12 */4 * * *

pull_request:
paths:
- .github/renovate-config.json5
- .github/workflows/renovate.yml
types:
- edited
- opened
- ready_for_review
- synchronize

push:
branches:
- main
paths:
- .github/renovate-config.json5
- .github/workflows/renovate.yml

workflow_dispatch:
inputs:
dry-run:
description: "Run Renovate in dry-run mode"
required: false
default: false
type: boolean

jobs:
renovate:
permissions:
contents: read
id-token: write
runs-on: ubuntu-latest
timeout-minutes: 5

steps:
- name: Checkout Code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
sparse-checkout: |
.github/renovate-config.json5
- name: Retrieve renovate secrets
id: get-secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@97c6f45f01d4bca8a3b1acfe397113ce88858a81 # get-vault-secrets-v1.0.1
with:
common_secrets: |
GRAFANA_RENOVATE_APP_ID=grafana-renovate-app:app-id
GRAFANA_RENOVATE_PRIVATE_KEY=grafana-renovate-app:private-key
- name: Generate token
id: generate-token
uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
with:
app-id: ${{ env.GRAFANA_RENOVATE_APP_ID }}
private-key: ${{ env.GRAFANA_RENOVATE_PRIVATE_KEY }}

- name: Self-hosted Renovate
uses: renovatebot/github-action@936628dfbff213ab2eb95033c5e123cfcaf09ebb # v41.0.5
with:
configurationFile: .github/renovate-config.json5
# renovate: datasource=docker depName=ghcr.io/renovatebot/renovate
renovate-version: 39.42.4@sha256:c5d718e312cdacc0746e37f13c215ff498be28c51e50efd24c070ae29f5b636a
token: ${{ steps.generate-token.outputs.token }}
env:
LOG_LEVEL: ${{ github.event_name == 'pull_request' && 'debug' || 'info' }}
# For pull requests, this means we'll get the dependencies of the PR's
# branch, so you can fix/change things and see the results in the PR's
# run. By default, Renovate will clone the main/default branch.
RENOVATE_BASE_BRANCHES: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.ref || null }}
# Dry run if the event is pull_request, or workflow_dispatch AND the dry-run input is true
RENOVATE_DRY_RUN: ${{ (github.event_name == 'pull_request' || (github.event_name == 'workflow_dispatch' && github.event.inputs.dry-run == 'true')) && 'full' || null }}
RENOVATE_PLATFORM: github
RENOVATE_REPOSITORIES: ${{ github.repository }}
RENOVATE_USERNAME: GrafanaRenovateBot
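Review bot: The app private key fetched by the `get-secrets` step is exported into the job environment and read back as `${{ env.GRAFANA_RENOVATE_PRIVATE_KEY }}` in `Generate token`, which also leaves it readable by the later `Self-hosted Renovate` step and anything it launches; whether that action forwards the host environment into its container is not visible here. If `get-vault-secrets` can return the values as step outputs instead of exporting them, prefer that and reference `steps.get-secrets.outputs.*` so the key's lifetime ends at the token step; otherwise a comment above `common_secrets` stating that the key intentionally stays in the job env for the remaining steps would make the trade-off explicit. Two smaller points: `- cron: 12 */4 * * *` is a plain scalar and would read more safely quoted as `- cron: "12 */4 * * *"`, consistent with the quoted `description` and `default` below it; and since `dry-run` is declared `type: boolean`, the `inputs.dry-run` context already yields a boolean, so `github.event.inputs.dry-run == 'true'` can become `inputs.dry-run` in the `RENOVATE_DRY_RUN` expression.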
20 changes: 8 additions & 12 deletions Dockerfile
@@ -1,10 +1,10 @@
# download kubectl
FROM golang:1.23.3-alpine AS kubectl
ARG KUBECTL_VERSION=1.31.3
RUN apk add --no-cache curl
RUN export VERSION=$(curl -s https://cdn.dl.k8s.io/release/stable.txt) &&\
export OS=$(go env GOOS) && \
RUN export OS=$(go env GOOS) && \
export ARCH=$(go env GOARCH) &&\
curl -o /usr/local/bin/kubectl -L https://cdn.dl.k8s.io/release/${VERSION}/bin/${OS}/${ARCH}/kubectl &&\
curl -o /usr/local/bin/kubectl -L https://cdn.dl.k8s.io/release/v${KUBECTL_VERSION}/bin/${OS}/${ARCH}/kubectl &&\
chmod +x /usr/local/bin/kubectl

# build jsonnet-bundler
Expand All @@ -19,25 +19,21 @@ RUN apk add --no-cache git make bash &&\

FROM golang:1.23.3-alpine AS helm
WORKDIR /tmp/helm
ARG HELM_VERSION
ARG HELM_VERSION=3.16.3
RUN apk add --no-cache jq curl
RUN export OS=$(go env GOOS) && \
export ARCH=$(go env GOARCH) &&\
if [[ -z ${HELM_VERSION} ]]; then export HELM_VERSION=$(curl --silent "https://api.github.com/repos/helm/helm/releases" | jq -r '.[0].tag_name'); fi && \
curl -SL "https://get.helm.sh/helm-${HELM_VERSION}-${OS}-${ARCH}.tar.gz" > helm.tgz && \
curl -SL "https://get.helm.sh/helm-v${HELM_VERSION}-${OS}-${ARCH}.tar.gz" > helm.tgz && \
tar -xvf helm.tgz --strip-components=1

FROM golang:1.23.3-alpine AS kustomize
WORKDIR /tmp/kustomize
ARG KUSTOMIZE_VERSION
ARG KUSTOMIZE_VERSION=5.5.0
RUN apk add --no-cache jq curl
# Get the latest version of kustomize
# Releases are filtered by their name since the kustomize repository exposes multiple products in the releases
RUN export OS=$(go env GOOS) &&\
export ARCH=$(go env GOARCH) &&\
if [[ -z ${KUSTOMIZE_VERSION} ]]; then export KUSTOMIZE_VERSION=$(curl --silent "https://api.github.com/repos/kubernetes-sigs/kustomize/releases" | jq -r '[ .[] | select(.name | startswith("kustomize")) ] | .[0].tag_name | split("/")[1]'); fi && \
echo "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_${OS}_${ARCH}.tar.gz" && \
curl -SL "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_${OS}_${ARCH}.tar.gz" > kustomize.tgz && \
echo "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v${KUSTOMIZE_VERSION}/kustomize_v${KUSTOMIZE_VERSION}_${OS}_${ARCH}.tar.gz" && \
curl -SL "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v${KUSTOMIZE_VERSION}/kustomize_v${KUSTOMIZE_VERSION}_${OS}_${ARCH}.tar.gz" > kustomize.tgz && \
tar -xvf kustomize.tgz

FROM golang:1.23.3 AS build
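Review bot: The rewritten download lines (`curl -o /usr/local/bin/kubectl -L https://cdn.dl.k8s.io/release/v${KUBECTL_VERSION}/...`, and the helm and kustomize `curl -SL ... > *.tgz` lines) now fetch a pinned version but verify nothing about what arrives: there is no `--fail`, so a 404 on the kubectl URL leaves an HTML body at `/usr/local/bin/kubectl` that the following `chmod +x` happily accepts, and there is no checksum comparison, so the pin fixes the name but not the content. At minimum use `curl -fsSL -o /usr/local/bin/kubectl ...` (and `-fsSL` on the two tarball downloads) so a bad URL fails the build where it happens; the kubectl CDN and the helm/kustomize release pages also publish checksum files for these artifacts, so a `sha256sum -c` step against a value kept next to each `ARG` would make the pinned version meaningful as an integrity check rather than only a name. Separately, `jq` in `RUN apk add --no-cache jq curl` in both the helm and kustomize stages was only used by the removed version-discovery lines and can be dropped from those two stages.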
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -16,7 +16,7 @@ test:
go test ./... -bench=. -benchmem

acceptance-tests:
dagger call acceptance-tests --root-dir .:source-files --acceptance-tests-dir ./acceptance-tests --kustomize-version "" --helm-version ""
dagger call acceptance-tests --root-dir .:source-files --acceptance-tests-dir ./acceptance-tests

# Compilation
dev:
48 changes: 8 additions & 40 deletions dagger/dagger.gen.go



