.editorconfig

@@ -0,0 +1,7 @@
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true

.gitea/actions/release-git-tag/action.yaml

@@ -0,0 +1,15 @@
+name: Release Git tag
+description: Release the Git tag
+
+inputs:
+  tag:
+    description: The tag to release
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - shell: bash
+      run: |
+        git tag ${{ inputs.tag }}
+        git push origin ${{ inputs.tag }}

.gitea/workflows/cd.yaml

@@ -0,0 +1,23 @@
+name: CD
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - name: Increment tag
+        id: tag
+        uses: https://gitea.t000-n.de/t.behrendt/conventional-semantic-git-tag-increment@0.1.1
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+      - uses: ./.gitea/actions/release-git-tag
+        with:
+          tag: ${{ steps.tag.outputs.new-tag }}

.gitea/workflows/ci.yaml

@@ -0,0 +1,23 @@
+name: CI
+
+on:
+  pull_request:
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        json-file:
+          - "action.json"
+          - "k8s.json"
+          - "helm.json"
+          - "common.json"
+          - "docker-compose.json"
+    steps:
+      - uses: actions/checkout@v5
+      - name: Validate "${{ matrix.json-file }}"
+        uses: https://gitea.t000-n.de/t.behrendt/validate-json-by-json-schema-action@0.1.2
+        with:
+          json-file: "./${{ matrix.json-file }}"

.gitea/workflows/prerelease.yaml

@@ -0,0 +1,22 @@
+name: Prerelease
+
+on:
+  workflow_dispatch:
+
+jobs:
+  prerelease:
+    name: Prerelease
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - name: Increment tag
+        id: tag
+        uses: https://gitea.t000-n.de/t.behrendt/conventional-semantic-git-tag-increment@0.1.1
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+          prerelease: true
+      - uses: ./.gitea/actions/release-git-tag
+        with:
+          tag: ${{ steps.tag.outputs.new-tag }}

README.md

@@ -1,3 +1,37 @@
-# renovate-configs
+# Renovate configs
 
-Reusable renovate config for T00N
+Reusable renovate configs, covering a number of use cases and opinionated "best practices".
+
+Usage:
+
+Your renovate.json
+
+```json
+{
+  "extends": [
+    "local>t.behrendt/renovate-configs:helm#1.0.0",
+    "local>t.behrendt/renovate-configs:k8s#1.0.0"
+  ]
+}
+```
+
+## Common
+
+Sets defaults such as the dependency dashboard.
+
+## k8s
+
+Keeps OCI image references for k8s deployments up-to-date. Requires the k8s manifests to be in the "./k8s" directory.
+
+## Helm
+
+Keeps the chart itself up-to-date as well as image references in chart values.
+Requires values to be in the "./values" directory. Supports both yaml and yaml.gotmpl for secrets.
+
+## Action
+
+Keeps your Gitea actions up-to-date. Also always pins to a commit hash, prevening attack vectors utilizing tag reusal.
+
+## Docker Compose
+
+Keeps Docker Compose service images up-to-date. Also always pins to a digest hash.

action.json

@@ -0,0 +1,9 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "packageRules": [
+    {
+      "matchManagers": ["github-actions"],
+      "addLabels": ["deps", "action"]
+    }
+  ]
+}

common.json

@@ -0,0 +1,4 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "dependencyDashboard": true
+}

docker-compose.json

@@ -0,0 +1,9 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "docker-compose": {
+    "digest": {
+      "enabled": true
+    },
+    "addLabels": ["deps", "docker-compose"]
+  }
+}

helm.json

@@ -0,0 +1,17 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "helm-values": {
+    "fileMatch": ["(^|/)values/.*\\.ya?ml$", "(^|/)values/.*\\.ya?ml\\.gotmpl$"]
+  },
+  "packageRules": [
+    {
+      "matchManagers": ["helm-values"],
+      "versioning": "docker",
+      "separateMinorPatch": true
+    }
+  ],
+  "helmfile": {
+    "enabled": true,
+    "addLabels": ["deps", "helm"]
+  }
+}

k8s.json

@@ -0,0 +1,8 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "kubernetes": {
+    "enabled": true,
+    "fileMatch": ["^k8s/*\\.json$"],
+    "labels": ["deps", "k8s"]
+  }
+}

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "local>t.behrendt/renovate-configs:common"
+  ]
+}