From a1ef75fcea93dfaf9249d02a43299fcb8e3af930 Mon Sep 17 00:00:00 2001 From: "t.behrendt" Date: Wed, 8 Oct 2025 15:36:27 +0200 Subject: [PATCH 01/10] sync --- .editorconfig | 7 +++++++ .gitea/workflows/ci.yaml | 26 ++++++++++++++++++++++++++ README.md | 31 +++++++++++++++++++++++++++++-- action.json | 14 ++++++++++++++ common.json | 4 ++++ docker-compose.json | 8 ++++++++ helm.json | 25 +++++++++++++++++++++++++ k8s.json | 13 +++++++++++++ 8 files changed, 126 insertions(+), 2 deletions(-) create mode 100644 .editorconfig create mode 100644 .gitea/workflows/ci.yaml create mode 100644 action.json create mode 100644 common.json create mode 100644 docker-compose.json create mode 100644 helm.json create mode 100644 k8s.json diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..b6330b2 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,7 @@ +[*] +indent_style = space +indent_size = 2 +end_of_line = lf +charset = utf-8 +trim_trailing_whitespace = true +insert_final_newline = true diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml new file mode 100644 index 0000000..0ea72f1 --- /dev/null +++ b/.gitea/workflows/ci.yaml @@ -0,0 +1,26 @@ +name: CI + +on: + pull_request: + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Validate "action.json" + uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.0 + with: + json-file: "./action.json" + - name: Validate "k8s.json" + uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.0 + with: + json-file: "./k8s.json" + - name: Validate "helm.json" + uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.0 + with: + json-file: "./helm.json" + - name: Validate "common.json" + uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.0 + with: + json-file: "./common.json" diff --git a/README.md b/README.md index a187c71..034697b 100644 --- a/README.md 
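Review bot: Every `uses:` in the new ci.yaml is a mutable ref — `actions/checkout@v3` and the four `validate-json-by-json-schema-action@0.1.0` steps — so the code the job executes can change under the same tag. The README added later in this series names pinning to a commit hash as the defence against tag re-use, and the repository's own workflows should follow that, e.g. `uses: actions/checkout@<full-commit-sha>  # v3` (placeholder for the 40-character SHA of the release), which Renovate can then keep current. The same applies to the `uses:` lines in cd.yaml and prerelease.yaml in patch 07 and to the tag bumps in patches 03, 05, 09 and 10, so one move to a pinned form with a version comment covers all of them.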
+++ b/README.md @@ -1,3 +1,30 @@ -# renovate-configs +# Renovate configs -Reusable renovate config for T00N \ No newline at end of file +Reusable renovate configs, covering a number of use cases and opinionated "best practices". + +Usage: + +Your renovate.json +```json +{ + "extends": [ + "local>t.behrendt/renovate-configs:helm#1.0.0", + "local>t.behrendt/renovate-configs:k8s#1.0.0" + ] +} +``` + +## Common + +Sets defaults such as the dependency dashboard. + +## k8s + +Keeps OCI image references for k8s deployments up-to-date. Requires the k8s manifests to be in the "./k8s" directory. + +## Helm + +Keeps the chart itself up-to-date as well as image references in chart values. +Requires values to be in the "./values" directory. Supports both yaml and yaml.gotmpl for secrets. + +## Action diff --git a/action.json b/action.json new file mode 100644 index 0000000..4c6b5f7 --- /dev/null +++ b/action.json @@ -0,0 +1,14 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "packageRules": [ + { + "matchManagers": [ + "github-actions" + ], + "addLabels": [ + "deps", + "action" + ] + } + ] +} diff --git a/common.json b/common.json new file mode 100644 index 0000000..02ae055 --- /dev/null +++ b/common.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "dependencyDashboard": true +} diff --git a/docker-compose.json b/docker-compose.json new file mode 100644 index 0000000..11c5bbe --- /dev/null +++ b/docker-compose.json @@ -0,0 +1,8 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "docker-compose": { + "digest": { + "enabled": true + } + } +} diff --git a/helm.json b/helm.json new file mode 100644 index 0000000..62e0e9c --- /dev/null +++ b/helm.json 
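Review bot: The `packageRules` entry in action.json only adds labels, while the README in patch 02 states that this config always pins actions to a commit hash; nothing in the rule enables that, and as I read the Renovate options action references are pinned to digests only when `pinDigests` is set (or the `helpers:pinGitHubActionDigests` preset is extended). Adding `"pinDigests": true` next to `"addLabels"` in the rule makes the config match its documentation. Patch 08's action.json hunk reformats the same rule and carries the same gap.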
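Review bot: In docker-compose.json, `"digest": { "enabled": true }` governs whether Renovate raises digest-update PRs for images that already carry a `@sha256:` digest; as far as I can tell it does not add a digest to images referenced by tag only, which is what the README in patch 06 promises with "always pins to a digest hash". If that is the intent, `"pinDigests": true` under `"docker-compose"` is the option that adds the digest; if not, the README sentence should be softened. Patch 08's docker-compose.json hunk leaves this unchanged.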
@@ -0,0 +1,25 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "helm-values": { + "fileMatch": [ + "(^|/)values/.*\\.ya?ml$", + "(^|/)values/.*\\.ya?ml\\.gotmpl$" + ] + }, + "packageRules": [ + { + "matchManagers": [ + "helm-values" + ], + "versioning": "docker", + "separateMinorPatch": true + } + ], + "helmfile": { + "enabled": true, + "addLabels": [ + "deps", + "helm" + ] + } +} diff --git a/k8s.json b/k8s.json new file mode 100644 index 0000000..d0694c7 --- /dev/null +++ b/k8s.json @@ -0,0 +1,13 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "kubernetes": { + "enabled": true, + "fileMatch": [ + "^k8s/*\\.json$" + ], + "labels": [ + "deps", + "k8s" + ] + } +} -- 2.49.1 From bc3a28870391ce2d96007899b46a2d923124775b Mon Sep 17 00:00:00 2001 From: "t.behrendt" Date: Wed, 8 Oct 2025 15:48:00 +0200 Subject: [PATCH 02/10] docs: for actions --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 034697b..59d55cf 100644 --- a/README.md +++ b/README.md @@ -28,3 +28,5 @@ Keeps the chart itself up-to-date as well as image references in chart values. Requires values to be in the "./values" directory. Supports both yaml and yaml.gotmpl for secrets. ## Action + +Keeps your Gitea actions up-to-date. Also always pins to a commit hash, prevening attack vectors utilizing tag reusal. -- 2.49.1 From e252f852f9650b1b27f3f371178c1eda862728ec Mon Sep 17 00:00:00 2001 From: "t.behrendt" Date: Wed, 8 Oct 2025 15:48:11 +0200 Subject: [PATCH 03/10] bump checkut action to v5 --- .gitea/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml index 0ea72f1..9a97aba 100644 --- a/.gitea/workflows/ci.yaml +++ b/.gitea/workflows/ci.yaml 
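Review bot: The `fileMatch` pattern `^k8s/*\\.json$` in k8s.json quantifies the slash, not the filename, so it matches `k8s.json` or `k8s/.json` and no manifest inside the `k8s/` directory the README points to; `"^k8s/.*\\.json$"` is presumably meant, and if the manifests are YAML, as the README's wording suggests, the suffix should be `\\.ya?ml$` instead. The rule also uses `"labels"` where the other configs use `"addLabels"`, which replaces rather than extends any labels a consumer sets. The same pattern and key survive unchanged in patch 08's k8s.json hunk. Newer Renovate releases also deprecate `fileMatch` in favour of `managerFilePatterns`, which would apply to helm.json as well; worth checking against the Renovate version in use.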
@@ -7,7 +7,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v5 - name: Validate "action.json" uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.0 with: -- 2.49.1 From 3a45394d899fa14eb28c1034f7aee25413f09285 Mon Sep 17 00:00:00 2001 From: "t.behrendt" Date: Wed, 8 Oct 2025 15:48:57 +0200 Subject: [PATCH 04/10] ci(renovate): add config extending itself --- renovate.json | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 renovate.json diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..497e477 --- /dev/null +++ b/renovate.json @@ -0,0 +1,6 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "local>t.behrendt/renovate-configs:common" + ] +} -- 2.49.1 From c6f7491be33efe56c6b4c13d4bb43e6dbf85ade2 Mon Sep 17 00:00:00 2001 From: "t.behrendt" Date: Wed, 8 Oct 2025 16:02:40 +0200 Subject: [PATCH 05/10] test fix for json valid --- .gitea/workflows/ci.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml index 9a97aba..bd43e19 100644 --- a/.gitea/workflows/ci.yaml +++ b/.gitea/workflows/ci.yaml 
@@ -9,18 +9,18 @@ jobs: steps: - uses: actions/checkout@v5 - name: Validate "action.json" - uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.0 + uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.2-rc-456ff025c8de79ef516582030a76c156cfab8c07 with: json-file: "./action.json" - name: Validate "k8s.json" - uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.0 + uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.2-rc-456ff025c8de79ef516582030a76c156cfab8c07 with: json-file: "./k8s.json" - name: Validate "helm.json" - uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.0 + uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.2-rc-456ff025c8de79ef516582030a76c156cfab8c07 with: json-file: "./helm.json" - name: Validate "common.json" - uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.0 + uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.2-rc-456ff025c8de79ef516582030a76c156cfab8c07 with: json-file: "./common.json" -- 2.49.1 From d6fb505c5a783dd54e8f88196b012d7076fdb665 Mon Sep 17 00:00:00 2001 From: Timo Behrendt Date: Wed, 8 Oct 2025 16:26:23 +0200 Subject: [PATCH 06/10] improve docs --- README.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 59d55cf..f87657a 100644 --- a/README.md +++ b/README.md @@ -5,12 +5,13 @@ Reusable renovate configs, covering a number of use cases and opinionated "best Usage: Your renovate.json + ```json { - "extends": [ - "local>t.behrendt/renovate-configs:helm#1.0.0", - "local>t.behrendt/renovate-configs:k8s#1.0.0" - ] + "extends": [ + "local>t.behrendt/renovate-configs:helm#1.0.0", + "local>t.behrendt/renovate-configs:k8s#1.0.0" + ] } ``` 
@@ -30,3 +31,7 @@ Requires values to be in the "./values" directory. Supports both yaml and yaml.g ## Action Keeps your Gitea actions up-to-date. Also always pins to a commit hash, prevening attack vectors utilizing tag reusal. + +## Docker Compose + +Keeps Docker Compose service images up-to-date. Also always pins to a digest hash. -- 2.49.1 From 1a850b98e38618e841b774ec3d8d880e2bb751ae Mon Sep 17 00:00:00 2001 From: Timo Behrendt Date: Wed, 8 Oct 2025 16:26:31 +0200 Subject: [PATCH 07/10] complete ci --- .gitea/actions/release-git-tag/action.yaml | 15 ++++++++++++++ .gitea/workflows/cd.yaml | 23 ++++++++++++++++++++++ .gitea/workflows/ci.yaml | 3 ++- .gitea/workflows/prerelease.yaml | 22 +++++++++++++++++++++ 4 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 .gitea/actions/release-git-tag/action.yaml create mode 100644 .gitea/workflows/cd.yaml create mode 100644 .gitea/workflows/prerelease.yaml diff --git a/.gitea/actions/release-git-tag/action.yaml b/.gitea/actions/release-git-tag/action.yaml new file mode 100644 index 0000000..c7e3fab --- /dev/null +++ b/.gitea/actions/release-git-tag/action.yaml @@ -0,0 +1,15 @@ +name: Release Git tag +description: Release the Git tag + +inputs: + tag: + description: The tag to release + required: true + +runs: + using: "composite" + steps: + - shell: bash + run: | + git tag ${{ inputs.tag }} + git push origin ${{ inputs.tag }} diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml new file mode 100644 index 0000000..629e7ae --- /dev/null +++ b/.gitea/workflows/cd.yaml 
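Review bot: In `release-git-tag/action.yaml` the script interpolates `${{ inputs.tag }}` straight into the `run:` body, so the value is substituted into the shell text before bash parses it and any shell metacharacters in the tag become part of the command rather than data. In cd.yaml the input is fed from the output of a tag-increment action that, by its name, derives the tag from commit messages, so the value is not fully under this repository's control. Passing it through `env:` and quoting it keeps it as a single argument; the composite action's `name`, `description` and `inputs` stay as they are.
```yaml
# … unchanged: name, description, inputs, runs.using …
    - shell: bash
      env:
        TAG: ${{ inputs.tag }}
      run: |
        git tag "$TAG"
        git push origin "$TAG"
```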
@@ -0,0 +1,23 @@ +name: CD + +on: + push: + branches: + - main + +jobs: + release: + name: Release + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v5 + with: + fetch-depth: 0 + - name: Increment tag + id: tag + uses: https://gitea.t000-n.de/t.behrendt/conventional-semantic-git-tag-increment@0.1.1 + with: + token: ${{ secrets.GITEA_TOKEN }} + - uses: ./.gitea/actions/release-git-tag + with: + tag: ${{ steps.tag.outputs.new-tag }} diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml index bd43e19..8309b5f 100644 --- a/.gitea/workflows/ci.yaml +++ b/.gitea/workflows/ci.yaml @@ -4,7 +4,8 @@ on: pull_request: jobs: - build: + test: + name: Test runs-on: ubuntu-latest steps: - uses: actions/checkout@v5 diff --git a/.gitea/workflows/prerelease.yaml b/.gitea/workflows/prerelease.yaml new file mode 100644 index 0000000..0226d22 --- /dev/null +++ b/.gitea/workflows/prerelease.yaml @@ -0,0 +1,22 @@ +name: Prerelease + +on: + workflow_dispatch: + +jobs: + prerelease: + name: Prerelease + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v5 + with: + fetch-depth: 0 + - name: Increment tag + id: tag + uses: https://gitea.t000-n.de/t.behrendt/conventional-semantic-git-tag-increment@0.1.1 + with: + token: ${{ secrets.GITEA_TOKEN }} + prerelease: true + - uses: ./.gitea/actions/release-git-tag + with: + tag: ${{ steps.tag.outputs.new-tag }} -- 2.49.1 From 20bbd0982e3fe788123d35629e56014cfa0213df Mon Sep 17 00:00:00 2001 From: Timo Behrendt Date: Wed, 8 Oct 2025 16:26:40 +0200 Subject: [PATCH 08/10] finish configs --- action.json | 9 ++------- docker-compose.json | 3 ++- helm.json | 14 +++----------- k8s.json | 9 ++------- 4 files changed, 9 insertions(+), 26 deletions(-) diff --git a/action.json b/action.json index 4c6b5f7..6eb904f 100644 --- a/action.json +++ b/action.json 
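Review bot: Nothing serialises the `release` job in cd.yaml, so two pushes to `main` arriving close together both run `Increment tag` from the same base and both call `git push origin` with a tag; whether they collide depends on the increment action, which is outside this page. Where the runner supports it, a workflow-level `concurrency: release` after `name: CD` makes the second run wait for the first. The composite action's `git push` also presumably relies on the credentials `actions/checkout` persists in the working tree rather than on the `GITEA_TOKEN` handed to the increment step; a short comment on the `release-git-tag` step saying which credential pushes the tag would make the two paths explicit. prerelease.yaml in this patch has the same layout, with `workflow_dispatch` as its only trigger.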
@@ -2,13 +2,8 @@ "$schema": "https://docs.renovatebot.com/renovate-schema.json", "packageRules": [ { - "matchManagers": [ - "github-actions" - ], - "addLabels": [ - "deps", - "action" - ] + "matchManagers": ["github-actions"], + "addLabels": ["deps", "action"] } ] } diff --git a/docker-compose.json b/docker-compose.json index 11c5bbe..fcbcf53 100644 --- a/docker-compose.json +++ b/docker-compose.json @@ -3,6 +3,7 @@ "docker-compose": { "digest": { "enabled": true - } + }, + "addLabels": ["deps", "docker-compose"] } } diff --git a/helm.json b/helm.json index 62e0e9c..0e09f7f 100644 --- a/helm.json +++ b/helm.json @@ -1,25 +1,17 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", "helm-values": { - "fileMatch": [ - "(^|/)values/.*\\.ya?ml$", - "(^|/)values/.*\\.ya?ml\\.gotmpl$" - ] + "fileMatch": ["(^|/)values/.*\\.ya?ml$", "(^|/)values/.*\\.ya?ml\\.gotmpl$"] }, "packageRules": [ { - "matchManagers": [ - "helm-values" - ], + "matchManagers": ["helm-values"], "versioning": "docker", "separateMinorPatch": true } ], "helmfile": { "enabled": true, - "addLabels": [ - "deps", - "helm" - ] + "addLabels": ["deps", "helm"] } } diff --git a/k8s.json b/k8s.json index d0694c7..daa72dc 100644 --- a/k8s.json +++ b/k8s.json @@ -2,12 +2,7 @@ "$schema": "https://docs.renovatebot.com/renovate-schema.json", "kubernetes": { "enabled": true, - "fileMatch": [ - "^k8s/*\\.json$" - ], - "labels": [ - "deps", - "k8s" - ] + "fileMatch": ["^k8s/*\\.json$"], + "labels": ["deps", "k8s"] } } -- 2.49.1 From 5cae61b0320df3af0ad318893973e3729c5c4909 Mon Sep 17 00:00:00 2001 From: Timo Behrendt Date: Wed, 8 Oct 2025 16:31:07 +0200 Subject: [PATCH 09/10] remove pre-releases --- .gitea/workflows/ci.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml index 8309b5f..3cb40f5 100644 --- a/.gitea/workflows/ci.yaml +++ b/.gitea/workflows/ci.yaml 
@@ -10,18 +10,18 @@ jobs: steps: - uses: actions/checkout@v5 - name: Validate "action.json" - uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.2-rc-456ff025c8de79ef516582030a76c156cfab8c07 + uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.2 with: json-file: "./action.json" - name: Validate "k8s.json" - uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.2-rc-456ff025c8de79ef516582030a76c156cfab8c07 + uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.2 with: json-file: "./k8s.json" - name: Validate "helm.json" - uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.2-rc-456ff025c8de79ef516582030a76c156cfab8c07 + uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.2 with: json-file: "./helm.json" - name: Validate "common.json" - uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.2-rc-456ff025c8de79ef516582030a76c156cfab8c07 + uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.2 with: json-file: "./common.json" -- 2.49.1 From 2b734a3cacdac3f30a5804ac53ab6588b6a97901 Mon Sep 17 00:00:00 2001 From: Timo Behrendt Date: Wed, 8 Oct 2025 16:39:34 +0200 Subject: [PATCH 10/10] refactor test to run as matrix --- .gitea/workflows/ci.yaml | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml index 3cb40f5..63ac466 100644 --- a/.gitea/workflows/ci.yaml +++ b/.gitea/workflows/ci.yaml 
@@ -7,21 +7,17 @@ jobs: test: name: Test runs-on: ubuntu-latest + strategy: + matrix: + json-file: + - "action.json" + - "k8s.json" + - "helm.json" + - "common.json" + - "docker-compose.json" steps: - uses: actions/checkout@v5 - - name: Validate "action.json" + - name: Validate "${{ matrix.json-file }}" uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.2 with: - json-file: "./action.json" - - name: Validate "k8s.json" - uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.2 - with: - json-file: "./k8s.json" - - name: Validate "helm.json" - uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.2 - with: - json-file: "./helm.json" - - name: Validate "common.json" - uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.2 - with: - json-file: "./common.json" + json-file: "./${{ matrix.json-file }}" -- 2.49.1
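Review bot: With the new `strategy.matrix` the default fail-fast behaviour cancels the remaining validations once one file fails, so a PR that breaks two configs reports only the first; `fail-fast: false` under `strategy:` keeps all five results visible on runners that honour it. The matrix also adds `docker-compose.json`, which the four pre-matrix steps never validated, so this is a coverage change as well as a refactor and the commit message could say so.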