Renovate #20897
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Renovate | |
| on: | |
| # This lets you dispatch a renovate job with different cache options if you want to reset or disable the cache manually. | |
| workflow_dispatch: | |
| inputs: | |
| repoCache: | |
| description: "Reset or disable the cache?" | |
| type: choice | |
| default: enabled | |
| options: | |
| - enabled | |
| - disabled | |
| - reset | |
| schedule: | |
| # Run every 30 minutes: | |
| - cron: "0,30 * * * *" | |
| # Adding these as env variables makes it easy to reuse them in different steps and in bash. | |
| env: | |
| cache_archive: renovate_cache.tar.gz | |
| # This is the dir renovate provides -- if we set our own directory via cacheDir, we can run into permissions issues. | |
| # It is also possible to cache a higher level of the directory, but it has minimal benefit. While renovate execution | |
| # time gets faster, it also takes longer to upload the cache as it grows bigger. | |
| cache_dir: /tmp/renovate/cache/renovate/repository | |
| # This can be manually changed to bust the cache if necessary. | |
| cache_key: renovate-cache | |
| jobs: | |
| renovate: | |
| runs-on: ubuntu-latest | |
| # Prevent running this workflow on forks, it's unnecessary for external contributors | |
| if: github.repository_owner == 'WordPress' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/cache@v4 | |
| if: github.event.inputs.repoCache != 'disabled' | |
| continue-on-error: true | |
| with: | |
| path: cache-download | |
| key: ${{ env.cache_key }} | |
| # Using tar to compress and extract the archive isn't strictly necessary, but it can improve | |
| # performance significantly when uploading artifacts with lots of files. | |
| - name: Extract renovate cache | |
| run: | | |
| set -x | |
| # Skip if no cache is set, such as the first time it runs. | |
| if [ ! -d cache-download ] ; then | |
| echo "No cache found." | |
| exit 0 | |
| fi | |
| # Make sure the directory exists, and extract it there. Note that it's nested in the download directory. | |
| mkdir -p "$cache_dir" | |
| tar -xzf "cache-download/$cache_archive" -C "$cache_dir" | |
| # Unfortunately, the permissions expected within renovate's docker container | |
| # are different than the ones given after the cache is restored. We have to | |
| # change ownership to solve this. We also need to have correct permissions in | |
| # the entire /tmp/renovate tree, not just the section with the repo cache. | |
| sudo chown -R runneradmin:root /tmp/renovate/ | |
| ls -R "$cache_dir" | |
| - uses: renovatebot/github-action@v40.1.11 | |
| with: | |
| configurationFile: .github/renovate.json | |
| token: ${{ secrets.ACCESS_TOKEN }} | |
| env: | |
| # This enables the cache -- if this is set, it's not necessary to add it to renovate.json. | |
| RENOVATE_REPOSITORY_CACHE: ${{ github.event.inputs.repoCache || 'enabled' }} | |
| # Debug logs to figure out why vulnerability updates aren't occurring | |
| LOG_LEVEL: debug | |
| # Compression helps performance in the upload step! | |
| - name: Compress renovate cache | |
| run: | | |
| ls "$cache_dir" | |
| # The -C is important -- otherwise we end up extracting the files with | |
| # their full path, ultimately leading to a nested directory situation. | |
| # To solve *that*, we'd have to extract to root (/), which isn't safe. | |
| tar -czvf "$cache_archive" -C "$cache_dir" . | |
| - uses: actions/upload-artifact@v4 | |
| if: github.event.inputs.repoCache != 'disabled' | |
| with: | |
| name: ${{ env.cache_key }} | |
| path: ${{ env.cache_archive }} | |
| # Since this is updated and restored on every run, we don't need to keep it | |
| # for long. Just make sure this value is large enough that multiple renovate | |
| # runs can happen before older cache archives are deleted. | |
| retention-days: 1 |