From df3f6e012c6b9f03b417732b9e55fd49a138bf98 Mon Sep 17 00:00:00 2001
From: "Xuan (Sean) Hu"
Date: Thu, 22 Feb 2024 01:00:27 +0800
Subject: [PATCH 1/3] chore: add initial version of renovate config (#321)
---
 .github/workflows/renovate.yml | 29 +++++++++++++++++++
 .gitlab/workflows/ci.yml | 2 +-
 .gitlab/workflows/commitlint.yml | 2 +-
 .gitlab/workflows/devcontainer.yml | 3 +-
 .gitlab/workflows/renovate.yml | 21 ++++++++++++++
 .renovaterc.json | 10 +++++++
 .vscode/settings.json | 1 +
 template/.renovaterc.json.jinja | 12 ++++++++
 template/.vscode/settings.json | 1 +
 .../workflows/renovate.yml.jinja | 29 +++++++++++++++++++
 .../workflows/ci.yml.jinja | 2 +-
 .../workflows/commitlint.yml | 2 +-
 .../workflows/devcontainer.yml.jinja | 3 +-
 .../workflows/renovate.yml | 21 ++++++++++++++
 14 files changed, 132 insertions(+), 6 deletions(-)
 create mode 100644 .github/workflows/renovate.yml
 create mode 100644 .gitlab/workflows/renovate.yml
 create mode 100644 .renovaterc.json
 create mode 100644 template/.renovaterc.json.jinja
 create mode 100644 template/[% if repo_host_type == 'github.com' %].github[% endif %]/workflows/renovate.yml.jinja
 create mode 100644 template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/renovate.yml
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
new file mode 100644
index 00000000..fd92c918
--- /dev/null
+++ b/.github/workflows/renovate.yml
@@ -0,0 +1,29 @@
+name: Renovate
+jobs:
+ renovate:
+ container:
+ env:
+ LOG_LEVEL: debug
+ RENOVATE_BRANCH_PREFIX: renovate-github/
+ RENOVATE_ENABLED_MANAGERS: '["pep621", "github-actions"]'
+ RENOVATE_GIT_AUTHOR: Renovate GitHub Bot
+ RENOVATE_OPTIMIZE_FOR_DISABLED: 'true'
+ RENOVATE_PLATFORM: github
+ RENOVATE_REPOSITORIES: '["${{ github.repository }}"]'
+ RENOVATE_REPOSITORY_CACHE: enabled
+ RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
+ image: ghcr.io/renovatebot/renovate:37.202.2
+ runs-on: ubuntu-latest
+ steps:
+ - run: env | sort
+ - run: |
+ if [ -z "${{ secrets.RENOVATE_TOKEN }}" ]; then
+ echo "RENOVATE_TOKEN not set, skipping ..."
+ else
+ renovate $RENOVATE_EXTRA_FLAG
+ fi
+on:
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 * * * 0,6'
+ workflow_dispatch: null
diff --git a/.gitlab/workflows/ci.yml b/.gitlab/workflows/ci.yml
index 191593f6..711de24d 100644
--- a/.gitlab/workflows/ci.yml
+++ b/.gitlab/workflows/ci.yml
@@ -16,7 +16,7 @@ ci:
 - '3.11'
 - '3.12'
 rules:
- - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"
 - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
 script:
 - make dev
diff --git a/.gitlab/workflows/commitlint.yml b/.gitlab/workflows/commitlint.yml
index 3f1c8f18..23367f53 100644
--- a/.gitlab/workflows/commitlint.yml
+++ b/.gitlab/workflows/commitlint.yml
@@ -4,7 +4,7 @@ commitlint:
 entrypoint: [""]
 interruptible: true
 rules:
- - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"
 - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
 script:
 - |
diff --git a/.gitlab/workflows/devcontainer.yml b/.gitlab/workflows/devcontainer.yml
index 4938a1a4..9be72847 100644
--- a/.gitlab/workflows/devcontainer.yml
+++ b/.gitlab/workflows/devcontainer.yml
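Review bot: `RENOVATE_TOKEN` sits in the job-level `container.env` of `.github/workflows/renovate.yml`, so the `env | sort` step that runs first receives it too, and the log stays clean only as long as GitHub's secret masking holds. Putting the token in an `env:` on the step that calls `renovate` and dropping it from `container.env` keeps it out of that dump. The workflow also declares no `permissions:` key, so the job's `GITHUB_TOKEN` keeps the repository default; since Renovate authenticates with its own token, a top-level `permissions: {}` looks sufficient (confirm that no step relies on it). The template copy `renovate.yml.jinja` later in this patch has the same two points.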
@@ -11,7 +11,8 @@ dev-container-publish:
 rules:
 - changes:
 - .devcontainer/Dockerfile
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "web"
 script:
 - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}
 - docker context create builder
diff --git a/.gitlab/workflows/renovate.yml b/.gitlab/workflows/renovate.yml
new file mode 100644
index 00000000..6990fb68
--- /dev/null
+++ b/.gitlab/workflows/renovate.yml
@@ -0,0 +1,21 @@
+renovate:
+ cache:
+ key: ${CI_COMMIT_REF_SLUG}-renovate
+ paths:
+ - renovate/cache/renovate/repository/
+ image: renovate/renovate:37.202.2
+ rules:
+ - if: $CI_PIPELINE_SOURCE == "schedule" && $RENOVATE_TOKEN != null
+ script: renovate $RENOVATE_EXTRA_FLAG
+ stage: build
+ variables:
+ LOG_LEVEL: debug
+ RENOVATE_BASE_DIR: $CI_PROJECT_DIR/renovate
+ RENOVATE_BRANCH_PREFIX: renovate-gitlab/
+ RENOVATE_ENABLED_MANAGERS: '["pep621"]'
+ RENOVATE_ENDPOINT: $CI_API_V4_URL
+ RENOVATE_GIT_AUTHOR: Renovate GitLab Bot
+ RENOVATE_OPTIMIZE_FOR_DISABLED: 'true'
+ RENOVATE_PLATFORM: gitlab
+ RENOVATE_REPOSITORIES: '["$CI_PROJECT_PATH"]'
+ RENOVATE_REPOSITORY_CACHE: enabled
diff --git a/.renovaterc.json b/.renovaterc.json
new file mode 100644
index 00000000..eb577d2b
--- /dev/null
+++ b/.renovaterc.json
@@ -0,0 +1,10 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:best-practices",
+ ":maintainLockFilesWeekly"
+ ],
+ "ignorePaths": [
+ "**/template/**"
+ ]
+}
diff --git a/.vscode/settings.json b/.vscode/settings.json
index ef2700b9..33936a79 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -45,6 +45,7 @@
 "pyproject",
 "pytest",
 "Quickstart",
+ "renovatebot",
 "setuptools",
 "softprops",
 "sphinxcontrib",
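Review bot: In `.gitlab/workflows/renovate.yml` the job image is referenced by tag only, `image: renovate/renovate:37.202.2`, and this is the job that receives `RENOVATE_TOKEN`. A tag can be re-pointed, so adding the digest, `image: renovate/renovate:37.202.2@sha256:<digest>` (placeholder), ties the job to one image. With `RENOVATE_ENABLED_MANAGERS: '["pep621"]'` Renovate will not maintain that pin itself, so either enable the `gitlabci` manager (its file pattern would probably have to be extended to `.gitlab/workflows/`) or update the digest by hand. The `rules` line assumes `RENOVATE_TOKEN` is defined as a masked CI/CD variable, which this file cannot show, and `LOG_LEVEL: debug` deserves a comment saying whether it is meant to stay. The copy under `template/` later in this patch is identical.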
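Review bot: `"ignorePaths": ["**/template/**"]` in `.renovaterc.json` takes every workflow under `template/` out of Renovate's scope, so the files that generated projects start from do not receive the digest pins that PATCH 3/3 applies to the root workflows. If the template is regenerated from the root files by another step, a sentence in the commit message or the README saying so would settle it. Otherwise the template keeps tag-only references such as `renovate:37.202.2` for every new project.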
diff --git a/template/.renovaterc.json.jinja b/template/.renovaterc.json.jinja
new file mode 100644
index 00000000..e9b8a2b9
--- /dev/null
+++ b/template/.renovaterc.json.jinja
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:best-practices",
+ ":maintainLockFilesWeekly"
+ ]
+[%- if project_name == "Serious Scaffold Python" %],
+ "ignorePaths": [
+ "**/template/**"
+ ]
+[%- endif %]
+}
diff --git a/template/.vscode/settings.json b/template/.vscode/settings.json
index ef2700b9..33936a79 100644
--- a/template/.vscode/settings.json
+++ b/template/.vscode/settings.json
@@ -45,6 +45,7 @@
 "pyproject",
 "pytest",
 "Quickstart",
+ "renovatebot",
 "setuptools",
 "softprops",
 "sphinxcontrib",
diff --git a/template/[% if repo_host_type == 'github.com' %].github[% endif %]/workflows/renovate.yml.jinja b/template/[% if repo_host_type == 'github.com' %].github[% endif %]/workflows/renovate.yml.jinja
new file mode 100644
index 00000000..f48cd321
--- /dev/null
+++ b/template/[% if repo_host_type == 'github.com' %].github[% endif %]/workflows/renovate.yml.jinja
@@ -0,0 +1,29 @@
+name: Renovate
+jobs:
+ renovate:
+ container:
+ env:
+ LOG_LEVEL: debug
+ RENOVATE_BRANCH_PREFIX: renovate-github/
+ RENOVATE_ENABLED_MANAGERS: '["pep621", "github-actions"]'
+ RENOVATE_GIT_AUTHOR: Renovate GitHub Bot
+ RENOVATE_OPTIMIZE_FOR_DISABLED: 'true'
+ RENOVATE_PLATFORM: github
+ RENOVATE_REPOSITORIES: '["{{ '${{ github.repository }}' }}"]'
+ RENOVATE_REPOSITORY_CACHE: enabled
+ RENOVATE_TOKEN: {{ '${{ secrets.RENOVATE_TOKEN }}' }}
+ image: ghcr.io/renovatebot/renovate:37.202.2
+ runs-on: ubuntu-latest
+ steps:
+ - run: env | sort
+ - run: |
+ if [ -z "{{ '${{ secrets.RENOVATE_TOKEN }}' }}" ]; then
+ echo "RENOVATE_TOKEN not set, skipping ..."
+ else
+ renovate $RENOVATE_EXTRA_FLAG
+ fi
+on:
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 * * * 0,6'
+ workflow_dispatch: null
diff --git a/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/ci.yml.jinja b/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/ci.yml.jinja
index c2aa2fd0..9936a2ca 100644
--- a/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/ci.yml.jinja
+++ b/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/ci.yml.jinja
@@ -27,7 +27,7 @@ ci:
 - '3.12'
 [%- endif %]
 rules:
- - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"
 - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
 script:
 - make dev
diff --git a/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/commitlint.yml b/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/commitlint.yml
index 3f1c8f18..23367f53 100644
--- a/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/commitlint.yml
+++ b/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/commitlint.yml
@@ -4,7 +4,7 @@ commitlint:
 entrypoint: [""]
 interruptible: true
 rules:
- - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"
 - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
 script:
 - |
diff --git a/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/devcontainer.yml.jinja b/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/devcontainer.yml.jinja
index 080a2fd2..abf7a0d1 100644
--- a/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/devcontainer.yml.jinja
+++ b/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/devcontainer.yml.jinja
@@ -22,7 +22,8 @@ dev-container-publish:
 rules:
 - changes:
 - .devcontainer/Dockerfile
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "web"
 script:
 - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}
 - docker context create builder
diff --git a/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/renovate.yml b/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/renovate.yml
new file mode 100644
index 00000000..6990fb68
--- /dev/null
+++ b/template/[% if repo_host_type == 'gitlab.com' or repo_host_type == 'gitlab-self-managed' %].gitlab[% endif %]/workflows/renovate.yml
@@ -0,0 +1,21 @@
+renovate:
+ cache:
+ key: ${CI_COMMIT_REF_SLUG}-renovate
+ paths:
+ - renovate/cache/renovate/repository/
+ image: renovate/renovate:37.202.2
+ rules:
+ - if: $CI_PIPELINE_SOURCE == "schedule" && $RENOVATE_TOKEN != null
+ script: renovate $RENOVATE_EXTRA_FLAG
+ stage: build
+ variables:
+ LOG_LEVEL: debug
+ RENOVATE_BASE_DIR: $CI_PROJECT_DIR/renovate
+ RENOVATE_BRANCH_PREFIX: renovate-gitlab/
+ RENOVATE_ENABLED_MANAGERS: '["pep621"]'
+ RENOVATE_ENDPOINT: $CI_API_V4_URL
+ RENOVATE_GIT_AUTHOR: Renovate GitLab Bot
+ RENOVATE_OPTIMIZE_FOR_DISABLED: 'true'
+ RENOVATE_PLATFORM: gitlab
+ RENOVATE_REPOSITORIES: '["$CI_PROJECT_PATH"]'
+ RENOVATE_REPOSITORY_CACHE: enabled
From 4baaca39d1b1af5667bbab6890f2ca3de96b6e84 Mon Sep 17 00:00:00 2001
From: Xuan Hu
Date: Fri, 23 Feb 2024 12:05:55 +0800
Subject: [PATCH 2/3] chore: authenticate renovate with github app
---
 .github/workflows/renovate.yml | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index fd92c918..7cdcccc8 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -13,12 +13,22 @@ jobs:
 RENOVATE_REPOSITORY_CACHE: enabled
 RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
 image: ghcr.io/renovatebot/renovate:37.202.2
+ options: '--user root'
 runs-on: ubuntu-latest
 steps:
 - run: env | sort
- - run: |
- if [ -z "${{ secrets.RENOVATE_TOKEN }}" ]; then
- echo "RENOVATE_TOKEN not set, skipping ..."
+ - id: generate-token
+ name: Generate a token
+ if: vars.BOT_APP_ID
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ vars.BOT_APP_ID }}
+ private-key: ${{ secrets.BOT_PRIVATE_KEY }}
+ - env:
+ RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN || steps.generate-token.outputs.token }}
+ run: |
+ if [ -z "$RENOVATE_TOKEN" ]; then
+ echo "RENOVATE_TOKEN is not properly configured, skipping ..."
 else
 renovate $RENOVATE_EXTRA_FLAG
 fi
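Review bot: `options: '--user root'` in PATCH 2/3 makes Renovate, and the package-manager commands it runs on repository content, execute as root inside the container, and the hunk gives no reason for it. If root is only there so the `actions/create-github-app-token` step can write to the runner-mounted paths (an inference; the patch does not say), record that next to the option, for example `# root: action steps must be able to write to the runner-mounted directories`. This patch touches the root workflow only, so the template `renovate.yml.jinja` from PATCH 1/3 still renders a `-z "${{ secrets.RENOVATE_TOKEN }}"` test that expands the secret into the script text, unless the template is synced elsewhere. The `renovate` job mapping starts above the hunk.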
From fed3cb916e890204b7fc5969586508b63750f6e8 Mon Sep 17 00:00:00 2001
From: Renovate GitHub Bot
Date: Fri, 23 Feb 2024 04:30:29 +0000
Subject: [PATCH 3/3] chore(deps): pin dependencies
---
 .github/workflows/ci.yml | 10 ++++----
 .github/workflows/commitlint.yml | 2 +-
 .github/workflows/devcontainer.yml | 6 ++---
 .github/workflows/readthedocs-preview.yml | 2 +-
 .github/workflows/release.yml | 28 +++++++++++------------
 .github/workflows/renovate.yml | 4 ++--
 6 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 61dbacc9..6e7528a1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,16 +7,16 @@ jobs:
 if: ${{ !cancelled() && ! failure() }}
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 with:
 fetch-depth: 0
- - uses: pdm-project/setup-pdm@v4
+ - uses: pdm-project/setup-pdm@c050bdcb2405837648035b6678c75609d53a749f # v4
 with:
 cache: true
 python-version: ${{ matrix.python-version }}
 - id: pages
 name: Setup pages
- uses: actions/configure-pages@v4
+ uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4
 - run: env | sort
 - run: make dev
 - run: make lint
@@ -35,12 +35,12 @@ jobs:
 if: ${{ !cancelled() && ! failure() }}
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - name: Set up Git
 run: |
 git config --global user.name github-actions
 git config --global user.email github-actions@github.com
- - uses: pdm-project/setup-pdm@v4
+ - uses: pdm-project/setup-pdm@c050bdcb2405837648035b6678c75609d53a749f # v4
 with:
 cache: true
 python-version: '3.12'
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
index 2751ce2e..e228e683 100644
--- a/.github/workflows/commitlint.yml
+++ b/.github/workflows/commitlint.yml
@@ -6,7 +6,7 @@ jobs:
 commitlint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 - run: env | sort
 - name: Install commitlint with conventional config
 run: npm install --save-dev @commitlint/config-conventional @commitlint/cli
diff --git a/.github/workflows/devcontainer.yml b/.github/workflows/devcontainer.yml
index 4e7ca504..ec9048d9 100644
--- a/.github/workflows/devcontainer.yml
+++ b/.github/workflows/devcontainer.yml
@@ -9,8 +9,8 @@ jobs:
 packages: write
 runs-on: ubuntu-latest
 steps:
- - uses: docker/setup-buildx-action@v3
- - uses: docker/login-action@v3
+ - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
+ - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
 with:
 password: ${{ secrets.GITHUB_TOKEN }}
 registry: ghcr.io
@@ -18,7 +18,7 @@ jobs:
 - name: Build and push dev container
 env:
 SOURCE_DATE_EPOCH: 0
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5
 with:
 build-args: |
 PYTHON_VERSION=${{ matrix.python-version }}
diff --git a/.github/workflows/readthedocs-preview.yml b/.github/workflows/readthedocs-preview.yml
index ac5e34f7..68bfc816 100644
--- a/.github/workflows/readthedocs-preview.yml
+++ b/.github/workflows/readthedocs-preview.yml
@@ -6,7 +6,7 @@ jobs:
 documentation-links:
 runs-on: ubuntu-latest
 steps:
- - uses: readthedocs/actions/preview@v1
+ - uses: readthedocs/actions/preview@cc0920454cf03ca8a3fbd3cbaa2ce2e509e70636 # v1
 with:
 project-slug: ss-python
 on:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 07318359..9fcd9bae 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,28 +3,28 @@ jobs:
 pages-build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 with:
 fetch-depth: 0
- - uses: pdm-project/setup-pdm@v4
+ - uses: pdm-project/setup-pdm@c050bdcb2405837648035b6678c75609d53a749f # v4
 with:
 cache: true
 python-version: '3.12'
 - id: pages
 name: Setup pages
- uses: actions/configure-pages@v4
+ uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4
 - run: env | sort
 - run: make dev-doc
 - run: CI_PAGES_URL=${{ steps.pages.outputs.base_url }} make doc
 - name: Generate release notes
 run: make release-notes > release-notes.md
 - name: Upload release notes
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
 with:
 name: release-notes
 path: release-notes.md
 - name: Upload pages artifact
- uses: actions/upload-pages-artifact@v3
+ uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
 with:
 path: public
 release-publish:
@@ -34,7 +34,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Download release notes
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4
 with:
 name: release-notes
 - id: prerelease
@@ -46,7 +46,7 @@ jobs:
 echo "is_prerelease=false" > $GITHUB_OUTPUT
 fi
 - name: Create GitHub release
- uses: softprops/action-gh-release@v1
+ uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
 with:
 body_path: release-notes.md
 prerelease: ${{ steps.prerelease.outputs.is_prerelease }}
@@ -57,8 +57,8 @@ jobs:
 packages: write
 runs-on: ubuntu-latest
 steps:
- - uses: docker/setup-buildx-action@v3
- - uses: docker/login-action@v3
+ - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
+ - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
 with:
 password: ${{ secrets.GITHUB_TOKEN }}
 registry: ghcr.io
@@ -66,7 +66,7 @@ jobs:
 - name: Build and push dev container
 env:
 SOURCE_DATE_EPOCH: 0
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5
 with:
 build-args: |
 PYTHON_VERSION=${{ matrix.python-version }}
@@ -82,7 +82,7 @@ jobs:
 - name: Build and push prod container
 env:
 SOURCE_DATE_EPOCH: 0
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5
 with:
 build-args: |
 PYTHON_VERSION=${{ matrix.python-version }}
@@ -107,8 +107,8 @@ jobs:
 needs: release-publish
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: pdm-project/setup-pdm@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+ - uses: pdm-project/setup-pdm@c050bdcb2405837648035b6678c75609d53a749f # v4
 with:
 cache: true
 python-version: '3.12'
@@ -126,7 +126,7 @@ jobs:
 steps:
 - id: deployment
 name: Deploy to GitHub Pages
- uses: actions/deploy-pages@v4
+ uses: actions/deploy-pages@decdde0ac072f6dcbe43649d82d9c635fff5b4e4 # v4
 on:
 push:
 tags:
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 7cdcccc8..34358520 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -12,7 +12,7 @@ jobs:
 RENOVATE_REPOSITORIES: '["${{ github.repository }}"]'
 RENOVATE_REPOSITORY_CACHE: enabled
 RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
- image: ghcr.io/renovatebot/renovate:37.202.2
+ image: ghcr.io/renovatebot/renovate:37.202.2@sha256:6b5508487d42dcd36f95ff1139958f3b755bc8ff77b805b86eb1c59db943ef2f
 options: '--user root'
 runs-on: ubuntu-latest
 steps:
@@ -20,7 +20,7 @@ jobs:
 - id: generate-token
 name: Generate a token
 if: vars.BOT_APP_ID
- uses: actions/create-github-app-token@v1
+ uses: actions/create-github-app-token@e8e39f73bb84fdf315a015fa3104f314c0a258b4 # v1
 with:
 app-id: ${{ vars.BOT_APP_ID }}
 private-key: ${{ secrets.BOT_PRIVATE_KEY }}