Prepare Renovate bot against Gitea (F-12) + doc sweep
renovate.json: gitea platform, autodiscover Micha/*, group rules (major separate, minor+patch+digest grouped, stateful tier-1 individual, komodo-major disabled), pin range strategy, no automerge, dependency dashboard enabled.

ops/renovate/run-renovate.sh: one-shot docker run wrapper that reads the Gitea PAT from /mnt/user/appdata/secrets/renovate_token.txt, runs renovate/renovate:41, logs into /mnt/user/services/renovate/logs/.

docs/RENOVATE.md: 5-step operator setup (Gitea service account, PAT, token file, first run, six-hourly user script). Explicit no-automerge stance with notfall-stop checklist.

Cross-doc sweep: SECRETS_MAP entry for renovate_token.txt, REPO_MAP entry for RENOVATE.md, AUDIT_2026-05-25_TODO new Sprint 8 with F-15, F-07, F-09 rest, F-12 status, MIGRATION_LOG captures the four-block sprint in one entry.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
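The renovate.json itself is not shown on this page. The following is an added illustration of a self-hosted Renovate global config that expresses the policy the commit message describes (grouped minor/patch/digest, ungrouped majors, stateful services kept individual, komodo majors disabled, pinning, no automerge, dashboard on); it is not the file from this commit. The package names marked "placeholder" are assumptions to be replaced with the real image names; `platform` and `endpoint` are omitted because the runner script passes them as `RENOVATE_PLATFORM` / `RENOVATE_ENDPOINT`; `autodiscover` and `autodiscoverFilter` are global options that only take effect in the bot's own config file, not in a repository's renovate.json, so this file only works when mounted as the global config the way the script does.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended", "docker:pinDigests"],
  "autodiscover": true,
  "autodiscoverFilter": ["Micha/*"],
  "dependencyDashboard": true,
  "automerge": false,
  "rangeStrategy": "pin",
  "packageRules": [
    {
      "description": "Low-risk updates land as one grouped PR per repo. Majors are left out so each gets its own PR and review. The two '!' entries are placeholder names for the stateful tier-1 services, which stay individual so a data migration is never hidden inside a group.",
      "matchUpdateTypes": ["minor", "patch", "digest"],
      "matchPackageNames": ["!stateful-tier1-placeholder-a", "!stateful-tier1-placeholder-b"],
      "groupName": "non-major dependencies"
    },
    {
      "description": "Komodo major upgrades are done by hand, outside Renovate (placeholder image name).",
      "matchPackageNames": ["komodo-image-placeholder"],
      "matchUpdateTypes": ["major"],
      "enabled": false
    }
  ]
}
```

With `automerge` left at `false` globally and no rule re-enabling it, every PR still needs a human merge, which is the point of the "no automerge" stance; the dashboard issue then doubles as the inventory of pending and rate-limited updates per repository.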
@@ -0,0 +1,68 @@
#!/bin/bash
set -euo pipefail

# Self-hosted Renovate runner fuer Gitea.
#
# Wird vom Host-User-Script `renovate-six-hourly` aufgerufen. Liest das
# Gitea-PAT aus einer Host-Secret-Datei, startet den Renovate-Container
# ein einziges Mal, schreibt ein Log, beendet sich.
#
# Operator-Setup-Aufgaben (einmalig):
# 1. Gitea-User `renovate` anlegen (Service-Account), 2FA nicht zwingend
# 2. Diesem User Repo-Schreibrechte auf `Micha/*` geben
# 3. Im Gitea-Profil des renovate-Users ein Access-Token erzeugen:
# Scope: `write:repository` + `read:user`
# 4. Token in `/mnt/user/appdata/secrets/renovate_token.txt` ablegen (chmod 600)
# 5. Erstlauf: `bash /mnt/user/services/homelab-infra/ops/renovate/run-renovate.sh`
# 6. User-Script `renovate-six-hourly` aktivieren

RENOVATE_IMAGE="${RENOVATE_IMAGE:-renovate/renovate:41}"
RENOVATE_TOKEN_FILE="${RENOVATE_TOKEN_FILE:-/mnt/user/appdata/secrets/renovate_token.txt}"
RENOVATE_LOG_DIR="${RENOVATE_LOG_DIR:-/mnt/user/services/renovate/logs}"
RENOVATE_STATE_DIR="${RENOVATE_STATE_DIR:-/mnt/user/services/renovate/state}"
RENOVATE_CONFIG_FILE="${RENOVATE_CONFIG_FILE:-/mnt/user/services/homelab-infra/renovate.json}"

if [ ! -r "$RENOVATE_TOKEN_FILE" ]; then
echo "Renovate token file missing or unreadable: $RENOVATE_TOKEN_FILE" >&2
echo "See ops/renovate/run-renovate.sh header for operator setup steps." >&2
exit 1
fi

if [ ! -r "$RENOVATE_CONFIG_FILE" ]; then
echo "Renovate config missing: $RENOVATE_CONFIG_FILE" >&2
exit 1
fi

mkdir -p "$RENOVATE_LOG_DIR" "$RENOVATE_STATE_DIR"

TS="$(date -u '+%Y-%m-%dT%H-%M-%SZ')"
LOG_FILE="$RENOVATE_LOG_DIR/renovate-$TS.log"
LATEST_SYMLINK="$RENOVATE_LOG_DIR/latest.log"

# Renovate liest die Konfiguration ueber RENOVATE_CONFIG_FILE als Pfad im
# Container; wir mounten die Repo-Datei read-only nach /usr/src/app/config.json.
{
echo "[renovate] starting $TS"
echo "[renovate] image: $RENOVATE_IMAGE"
echo "[renovate] config: $RENOVATE_CONFIG_FILE"
echo "[renovate] log: $LOG_FILE"
echo

docker run --rm \
--name renovate-run \
-v "$RENOVATE_CONFIG_FILE":/usr/src/app/config.json:ro \
-v "$RENOVATE_STATE_DIR":/tmp/renovate \
-e RENOVATE_CONFIG_FILE=/usr/src/app/config.json \
-e RENOVATE_PLATFORM=gitea \
-e RENOVATE_ENDPOINT=https://git.kaleschke.info/api/v1 \
-e RENOVATE_TOKEN="$(cat "$RENOVATE_TOKEN_FILE")" \
-e LOG_LEVEL="${RENOVATE_LOG_LEVEL:-info}" \
"$RENOVATE_IMAGE" 2>&1

rc=$?
echo
echo "[renovate] finished rc=$rc"
exit $rc
} | tee "$LOG_FILE"

ln -sfn "$LOG_FILE" "$LATEST_SYMLINK"
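Review bot: With `set -euo pipefail` in force, a non-zero exit from the `docker run ... "$RENOVATE_IMAGE" 2>&1` command makes the `{ ... } | tee "$LOG_FILE"` pipeline fail, so the script aborts before `ln -sfn "$LOG_FILE" "$LATEST_SYMLINK"` and `latest.log` keeps pointing at the last successful run, which is exactly the run an operator will not want to look at after a failure; for the same reason the `rc=$?` / `[renovate] finished rc=$rc` trailer may never reach the log, because errexit stops the group's subshell at the failing command, and `exit $rc` inside the group only leaves that subshell. Suggest capturing the status without tripping errexit (`rc=0` before the group, `docker run ... 2>&1 || rc=$?`), moving the `ln -sfn` ahead of the pipeline since `LOG_FILE` is already known at that point, and finishing with `exit "$rc"` after the pipeline so the six-hourly user script sees Renovate's real exit code. Second point, same hunk: `-e RENOVATE_TOKEN="$(cat "$RENOVATE_TOKEN_FILE")"` places the Gitea PAT in the docker client's argument list, where any local user can read it via `ps` for the duration of the run; exporting `RENOVATE_TOKEN` from the file first and passing `-e RENOVATE_TOKEN` without a value keeps it out of the process list (it remains visible in `docker inspect renovate-run`, which goes with any env-var token and is worth a line in docs/RENOVATE.md).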