feat: add renovate bot support

e42e95e7 · Andrew Newdigate · 9ba4e7ed · e42e95e7 · e42e95e7
Unverified Commit e42e95e7 authored 2 years ago by Andrew Newdigate
--- a/README.md
+++ b/README.md
@@ -257,3 +257,37 @@ include:
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
    file: terraform-validate.yml
 ```
+
+### [`renovate-bot`](./renovate-bot.yml)
+
+Runs [`renovatebot`](https://docs.renovatebot.com/) against the project to automatically upgrade dependencies.
+
+1. Ensure that a `renovate_bot` stage exists in your `.gitlab-ci.yml` configuration
+1. Create a [Project Access Token](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html) with `api` and `write_repository` scope and make it available in your CI environment via the `RENOVATE_GITLAB_TOKEN` environment variable through the CI/CD Variables settings. Make sure the variable is **Protected** and **Masked**.
+1. Lookup the GitHub Personal Access token from [1Password Production Vault](https://gitlab.1password.com/vaults/7xbs54owvjux3cypztlhyetej4/allitems/53z2zuf7urh7hoy3nqeqsei27e) and save it into the CI environment variable `RENOVATE_GITHUB_TOKEN`. Make sure the variable is **Protected** and **Masked**.
+1. Note that you can use Group Access Tokens and Group CI/CD variables, instead of Project-level ones should you choose.
+1. Create a CI Pipeline Schedule called `Renovatebot` with a daily schedule, eg `0 1 * * *`. Ensure that the CI Pipeline schedule includes a variable, `RENOVATE_SCHEDULED` with a value of `1`.
+1. Create a `renovate.json` file in the root of the project. See below for an example configuration:
+
+```json
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:base"],
+
+  "requireConfig": true,
+
+  "prConcurrentLimit": 5,
+  "ignorePaths": []
+}
+```
+
+```yaml
+stages:
+  - renovate_bot
+
+include:
+  # Upgrades dependencies on a schedule
+  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/README.md#renovate-bot
+  - project: 'gitlab-com/gl-infra/common-ci-tasks'
+    file: renovate-bot.yml
+```
--- a/renovate-bot.yml
+++ b/renovate-bot.yml
+
+renovate_bot:
+  image: node:16-alpine
+  stage: renovate_bot
+  variables:
+    RENOVATE_ENDPOINT: "${CI_API_V4_URL}"
+    GITLAB_TOKEN: "${RENOVATE_GITLAB_TOKEN}"
+    GITHUB_COM_TOKEN: "${RENOVATE_GITHUB_TOKEN}"
+    GIT_STRATEGY: none # renovate will run it's own clone
+  needs: []
+  before_script:
+    - apk add --no-cache git
+    - npm install -g renovate
+  script:
+    - renovate --token "${RENOVATE_GITLAB_TOKEN}"
+      --platform gitlab
+      --cache-dir renovate-cache
+      ${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}
+  rules:
+    - if: '$RENOVATE_SCHEDULED'
+    # Run after changes to the main branch in case dependencies have changed
+    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+  cache:
+    key: renovate-cache
+    paths:
+      - renovate-cache