Micha/homelab-infra
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0847d839e7e8e70419e656fc91b2c2733d1dfed2
homelab-infra/ops/renovate/run-renovate.sh
T
Micha 0847d839e7 Healthchecks heartbeats for renovate and gitea-bundle-mirror (6h jobs) 
Same endpoint-agnostic ping via EXIT trap. These two jobs have no warning
level, so only rc==0 pings success, any non-zero pings /fail. gitea-bundle
edit is POSIX-sh clean (script is /bin/sh). Capability URLs from per-job host
secret files. bash -n verified.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 21:09:21 +02:00

105 lines
4.1 KiB
Bash
Raw Blame History

#!/bin/bash
set -euo pipefail
# Self-hosted Renovate runner fuer Gitea.
#
# Wird vom Host-User-Script `renovate-six-hourly` aufgerufen. Liest das
# Gitea-PAT aus einer Host-Secret-Datei, startet den Renovate-Container
# ein einziges Mal, schreibt ein Log, beendet sich.
#
# Operator-Setup-Aufgaben (einmalig):
# 1. Gitea-User `renovate` anlegen (Service-Account), 2FA nicht zwingend
# 2. Diesem User Repo-Schreibrechte auf `Micha/*` geben
# 3. Im Gitea-Profil des renovate-Users ein Access-Token erzeugen:
# Scope: `write:repository` + `read:user`
# 4. Token in `/mnt/user/appdata/secrets/renovate_token.txt` ablegen (chmod 600)
# 5. Optional: GitHub.com Read-only-PAT fuer Release Notes als
# `/mnt/user/appdata/secrets/renovate_github_com_token.txt` ablegen.
# 6. Erstlauf: `bash /mnt/user/services/homelab-infra/ops/renovate/run-renovate.sh`
# 7. User-Script `renovate-six-hourly` aktivieren
RENOVATE_IMAGE="${RENOVATE_IMAGE:-renovate/renovate:41}"
RENOVATE_TOKEN_FILE="${RENOVATE_TOKEN_FILE:-/mnt/user/appdata/secrets/renovate_token.txt}"
RENOVATE_GITHUB_COM_TOKEN_FILE="${RENOVATE_GITHUB_COM_TOKEN_FILE:-/mnt/user/appdata/secrets/renovate_github_com_token.txt}"
RENOVATE_LOG_DIR="${RENOVATE_LOG_DIR:-/mnt/user/services/renovate/logs}"
RENOVATE_STATE_DIR="${RENOVATE_STATE_DIR:-/mnt/user/services/renovate/state}"
RENOVATE_CONFIG_FILE="${RENOVATE_CONFIG_FILE:-/mnt/user/services/homelab-infra/ops/renovate/bot-config.js}"
# Gitea sitzt hinter Traefik unter git.kaleschke.info; der WAN-Pfad geht
# ueber Public-IP -> FRITZBox. Vom Docker-Container aus loest der Standard-
# Resolver den Host moeglicherweise nicht auf (siehe `extra_hosts` im Komodo-
# Compose). Wir mappen direkt auf die LAN-IP des Unraid-Hosts.
GITEA_HOST_LAN_IP="${GITEA_HOST_LAN_IP:-192.168.178.58}"
# Healthchecks Heartbeat (endpoint-agnostisch; Capability-URL ist ein Secret, nie ins Repo)
HC_URL_FILE="${HC_URL_FILE:-/mnt/user/appdata/secrets/healthchecks_renovate_url}"
hc_url=""; [ -r "$HC_URL_FILE" ] && hc_url="$(tr -d '[:space:]' < "$HC_URL_FILE")"
hc_ping() { [ -n "$hc_url" ] || return 0; curl -fsS -m 10 --retry 3 "${hc_url}${1:-}" >/dev/null 2>&1 || true; }
trap 'hc_rc=$?; [ "$hc_rc" -eq 0 ] && hc_ping "" || hc_ping "/fail"' EXIT
hc_ping "/start"
if [ ! -r "$RENOVATE_TOKEN_FILE" ]; then
echo "Renovate token file missing or unreadable: $RENOVATE_TOKEN_FILE" >&2
echo "See ops/renovate/run-renovate.sh header for operator setup steps." >&2
exit 1
fi
if [ ! -r "$RENOVATE_CONFIG_FILE" ]; then
echo "Renovate config missing: $RENOVATE_CONFIG_FILE" >&2
exit 1
fi
mkdir -p "$RENOVATE_LOG_DIR" "$RENOVATE_STATE_DIR"
TS="$(date -u '+%Y-%m-%dT%H-%M-%SZ')"
LOG_FILE="$RENOVATE_LOG_DIR/renovate-$TS.log"
LATEST_SYMLINK="$RENOVATE_LOG_DIR/latest.log"
# Renovate liest die Konfiguration ueber RENOVATE_CONFIG_FILE als Pfad im
# Container; wir mounten die Repo-Datei read-only nach /usr/src/app/config.json.
{
echo "[renovate] starting $TS"
echo "[renovate] image: $RENOVATE_IMAGE"
echo "[renovate] config: $RENOVATE_CONFIG_FILE"
echo "[renovate] log: $LOG_FILE"
echo
# Token wird ueber --env-file uebergeben, damit der Wert weder in
# `ps`-Ausgabe noch im docker inspect -Snapshot landet. Das Env-File
# liegt unter $RENOVATE_STATE_DIR/.env und wird mit 0600 angelegt.
ENV_FILE="$RENOVATE_STATE_DIR/.env"
umask 077
cat > "$ENV_FILE" <<EFEOF
RENOVATE_TOKEN=$(cat "$RENOVATE_TOKEN_FILE")
RENOVATE_CONFIG_FILE=/usr/src/app/config.js
LOG_LEVEL=${RENOVATE_LOG_LEVEL:-info}
EFEOF
if [ -r "$RENOVATE_GITHUB_COM_TOKEN_FILE" ]; then
{
printf 'RENOVATE_GITHUB_COM_TOKEN='
cat "$RENOVATE_GITHUB_COM_TOKEN_FILE"
printf '\n'
} >> "$ENV_FILE"
fi
chmod 600 "$ENV_FILE"
set +e
docker run --rm \
--name renovate-run \
--add-host "git.kaleschke.info:$GITEA_HOST_LAN_IP" \
--dns 1.1.1.1 \
--dns 8.8.8.8 \
-v "$RENOVATE_CONFIG_FILE":/usr/src/app/config.js:ro \
-v "$RENOVATE_STATE_DIR":/tmp/renovate \
--env-file "$ENV_FILE" \
"$RENOVATE_IMAGE" 2>&1
rc=$?
set -e
shred -u "$ENV_FILE" 2>/dev/null || rm -f "$ENV_FILE"
echo
echo "[renovate] finished rc=$rc"
exit $rc
} | tee "$LOG_FILE"
ln -sfn "$LOG_FILE" "$LATEST_SYMLINK"
Reference in New Issue View Git Blame Copy Permalink