diff --git a/.gitea/workflows/renovate.yml b/.gitea/workflows/renovate.yml
new file mode 100644
index 00000000..da9e454d
--- /dev/null
+++ b/.gitea/workflows/renovate.yml
@@ -0,0 +1,44 @@
+name: Renovate
+
+# Runs Renovate daily to surface newly-published advisories via OSV.dev
+# (osvVulnerabilityAlerts) and open routine update PRs on a weekly batch
+# schedule (see renovate.json §schedule). Security/vulnerability PRs are
+# raised immediately regardless of the weekly schedule window.
+#
+# Required Gitea secrets (see docs/adr/041-renovate-runner-setup.md):
+#   RENOVATE_TOKEN — PAT with scopes: contents + pull_request + issues
+#                    Belongs to a dedicated bot account. Branch protection
+#                    on main must forbid this bot pushing directly.
+#
+# Platform config is injected via env vars below; the renovate.json in the
+# repo root carries only dependency rules (no platform/endpoint/repos).
+#
+# Digest pin: renovatebot/github-action@8217b3fc286df088d7c27f3255fe8414463bc0fd
+# corresponds to release v46.1.15. Update by bumping both the digest and the
+# renovate-version when Renovate publishes a new release. Renovate itself
+# will open a PR to bump this digest once it runs.
+
+on:
+  schedule:
+    - cron: "0 3 * * *"  # daily at 03:00 UTC — cuts OSV-alert latency to ≤1 day
+  workflow_dispatch:
+
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Renovate
+        # Pinned by digest — this action holds contents+pull_request+issues
+        # scopes; an unpinned tag is a supply-chain risk (see ADR-041).
+        uses: renovatebot/github-action@8217b3fc286df088d7c27f3255fe8414463bc0fd # v46.1.15
+        with:
+          configurationFile: renovate.json
+          token: ${{ secrets.RENOVATE_TOKEN }}
+          renovate-version: "46.1.15"
+        env:
+          RENOVATE_PLATFORM: gitea
+          RENOVATE_ENDPOINT: https://git.raddatz.cloud
+          RENOVATE_REPOSITORIES: '["marcel/familienarchiv"]'
+          LOG_LEVEL: info
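Review bot: The first step, `- uses: actions/checkout@v4`, is still pinned to a mutable tag, while the header comment and the Renovate step's own comment state that an unpinned tag is a supply-chain risk; the checkout step is also what places `renovate.json` into the workspace that the Renovate step then trusts via `configurationFile`, so it deserves the same digest pin: `- uses: actions/checkout@<commit-digest-of-the-chosen-v4-release> # v4.x.y` (placeholder — take the digest from the upstream release, and add it to the "Digest pin" paragraph in the header so both pins are bumped together). Separately, `RENOVATE_ENDPOINT: https://git.raddatz.cloud` is the instance's web root; Renovate's Gitea platform documentation has historically expected the API base URL (with an `/api/v1` suffix), and whether the pinned 46.1.15 release normalises the bare root is not something this file establishes, so confirm it on the first run rather than assuming. Whichever form turns out to be required, record it as a comment on that line, e.g. `# web root (Renovate derives the API base for platform=gitea) — confirmed against the pinned version`, so the next version bump does not re-debug it.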