diff --git a/CHANGELOG.md b/CHANGELOG.md index c0f58bd188d963bd8afbb7eb3ad45fe35298ee24..ede2a51c78fab82f1913b6f694175f90d63ba535 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,19 @@ -# [1.3.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/renovate/compare/1.2.2...1.3.0) (2024-08-29) +## [1.4.1](https://gitlab.com/to-be-continuous/renovate/compare/1.4.0...1.4.1) (2024-12-09) + + +### Bug Fixes + +* renovate cannot upgrade overwritten TBC Docker images ([6a3794b](https://gitlab.com/to-be-continuous/renovate/commit/6a3794bddfeed511543c3b8a912729302739f6ff)) +* specifiy user agent to fix check links issue on mend.io ([2814754](https://gitlab.com/to-be-continuous/renovate/commit/2814754b05915cafb1e171df4a212f65f855c2a7)) + +# [1.4.0](https://gitlab.com/to-be-continuous/renovate/compare/1.3.0...1.4.0) (2024-08-30) + + +### Features + +* standard TBC secrets decoding ([adf9450](https://gitlab.com/to-be-continuous/renovate/commit/adf9450f9392d5ec7aced16a281e23346d190622)) + +# [1.3.0](https://gitlab.com/to-be-continuous/renovate/compare/1.2.2...1.3.0) (2024-08-23) ### Bug Fixes diff --git a/README.md b/README.md index dff8f2313af207cdffcc356a868f086b7f34f1f2..2f45bb77b320fa7db6c83c85223cc88bf71d9c17 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ Add the following to your `.gitlab-ci.yml`: ```yaml include: # include the component - - component: $CI_SERVER_FQDN/to-be-continuous/renovate/gitlab-ci-renovate@1.3.0 + - component: $CI_SERVER_FQDN/to-be-continuous/renovate/gitlab-ci-renovate@1.4.1 ``` ### Use as a CI/CD template (legacy) @@ -25,7 +25,7 @@ Add the following to your `.gitlab-ci.yml`: include: # include the template - project: "to-be-continuous/renovate" - ref: "1.2.2" + ref: "1.4.1" file: "/templates/gitlab-ci-renovate.yml" ``` 
@@ -72,6 +72,38 @@ Defaults values are set to manage GitLab features : | [`RENOVATE_LOG_FILE`](https://docs.renovatebot.com/config-overview/#logging-variables) | `renovate-log.ndjson` | | [`RENOVATE_LOG_FILE_LEVEL`](https://docs.renovatebot.com/config-overview/#logging-variables) | `debug` | +#### Default onboarding configuration +` +The default [onboarding configuration](https://docs.renovatebot.com/self-hosted-configuration/#onboardingconfig) is suitable for projects using to-be-continuous: + +- looks for user-defined inputs and variables in your `.gitlab-ci.yml` defining Docker images (ex: `SOMETOOL_IMAGE: docker.io/sometool:1.2.2`) + +```json +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:recommended", + ":dependencyDashboard" + ], + "labels": [ + "dependencies" + ], + "customManagers": [ + { + "customType": "regex", + "fileMatch": [ "\\.gitlab-ci\\.ya?ml$" ], + "matchStrings": [ "\\s?_IMAGE:\\s['\"](?<registryUrls>.*?)\\/(?<depName>.*?):(?<currentValue>.*)['\"]" ], + "datasourceTemplate": "docker" + }, + { + "customType": "regex", + "fileMatch": [ "\\.gitlab-ci\\.ya?ml$" ], + "matchStrings": [ "\\s?image:\\s['\"](?<registryUrls>.*?)\\/(?<depName>.*?):(?<currentValue>.*)['\"]" ], + "datasourceTemplate": "docker" + } + ] +} +``` ### Dry-run implementation details Depending on the source of a pipeline, the template will either perform your dependency updates (create/update/delete branches and MRs) diff --git a/bumpversion.sh b/bumpversion.sh index 329e866dac988c049574a0a9f26ba89979c523a8..708faf434d2459d63b2bdaceada5eb32b0fd39eb 100755 --- a/bumpversion.sh +++ b/bumpversion.sh 
@@ -27,7 +27,7 @@ if [[ "$curVer" ]]; then log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..." # replace in README - sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next + sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\"/ref: \"$nextVer\"/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next mv -f README.md.next README.md # replace in template and variants diff --git a/kicker.json b/kicker.json index 1e9f9baa54b60e20f51dabd229b9b3d898c761f6..5f590da918ee797d6aaa0b22f60a113e88bef8d9 100644 --- a/kicker.json +++ b/kicker.json @@ -11,6 +11,11 @@ "description": "The Docker image used to run Renovate", "default": "registry.hub.docker.com/renovate/renovate:latest" }, + { + "name": "RENOVATE_ONBOARDING_CONFIG", + "description": "Renovate configuration to use for onboarding PRs", + "default": "{\n \"$$schema\": \"https://docs.renovatebot.com/renovate-schema.json\",\n \"extends\": [\n \"config:recommended\",\n \":dependencyDashboard\"\n ],\n \"labels\": [\n \"dependencies\"\n ],\n \"customManagers\": [\n {\n \"customType\": \"regex\",\n \"fileMatch\": [ \"\\\\.gitlab-ci\\\\.ya?ml$\" ], \n \"matchStrings\": [ \"\\\\s?_IMAGE:\\\\s['\\\"](?<registryUrls>.*?)\\\\/(?<depName>.*?):(?<currentValue>.*)['\\\"]\" ], \n \"datasourceTemplate\": \"docker\" \n },\n {\n \"customType\": \"regex\",\n \"fileMatch\": [ \"\\\\.gitlab-ci\\\\.ya?ml$\" ], \n \"matchStrings\": [ \"\\\\s?image:\\\\s['\\\"](?<registryUrls>.*?)\\\\/(?<depName>.*?):(?<currentValue>.*)['\\\"]\" ], \n \"datasourceTemplate\": \"docker\" \n }\n ] \n}" + }, { "name": "RENOVATE_TOKEN", "description": "A GitLab access token to allow Renovate crawl your projects. [See doc](https://docs.renovatebot.com/modules/platform/gitlab/#authentication)", 
diff --git a/lychee.toml b/lychee.toml new file mode 100644 index 0000000000000000000000000000000000000000..008ae9f71c80c080785ec0aa9328cbc8767eaca6 --- /dev/null +++ b/lychee.toml @@ -0,0 +1,5 @@ + +############################# Requests ############################ + +# User agent to send with each request. +user_agent = "Mozilla/version Gecko/version Firefox/version" diff --git a/templates/gitlab-ci-renovate.yml b/templates/gitlab-ci-renovate.yml index bd037d12b3fe2b0045cdfeb62ea156f94a1885c3..e48446fa91f6fb4bc3b3a122c71d779f93eb8ca5 100644 --- a/templates/gitlab-ci-renovate.yml +++ b/templates/gitlab-ci-renovate.yml @@ -27,6 +27,33 @@ spec: description: tags to filter applicable runners for renovate-depcheck job default: [] type: array + onboarding-config: + description: Renovate configuration to use for onboarding PRs + default: >- + { + "$$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:recommended", + ":dependencyDashboard" + ], + "labels": [ + "dependencies" + ], + "customManagers": [ + { + "customType": "regex", + "fileMatch": [ "\\.gitlab-ci\\.ya?ml$" ], + "matchStrings": [ "\\s?_IMAGE:\\s['\"](?<registryUrls>.*?)\\/(?<depName>.*?):(?<currentValue>.*)['\"]" ], + "datasourceTemplate": "docker" + }, + { + "customType": "regex", + "fileMatch": [ "\\.gitlab-ci\\.ya?ml$" ], + "matchStrings": [ "\\s?image:\\s['\"](?<registryUrls>.*?)\\/(?<depName>.*?):(?<currentValue>.*)['\"]" ], + "datasourceTemplate": "docker" + } + ] + } --- workflow: rules: @@ -70,6 +97,7 @@ variables: RENOVATE_LOG_FILE: renovate-log.ndjson RENOVATE_LOG_FILE_LEVEL: debug LOG_LEVEL: info + RENOVATE_ONBOARDING_CONFIG: $[[ inputs.onboarding-config ]] .renovate-scripts: &renovate-scripts | # BEGSCRIPT 
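Review bot: The `currentValue` group in both default `matchStrings` is a greedy `.*` that runs to the last quote on the line, so an image pinned by digest (`registry/img:1.2.3@sha256:…`) produces a `currentValue` of `1.2.3@sha256:…`, which as far as I can tell from Renovate's regex-manager semantics cannot be matched to a version — and digest pinning is exactly what a supply-chain-conscious project will have in its `.gitlab-ci.yml`. Renovate's regex manager provides a `currentDigest` capture group for this case; I would tighten the value group and add the optional digest suffix, e.g. `"matchStrings": [ "\\s?_IMAGE:\\s['\"](?<registryUrls>.*?)\\/(?<depName>.*?):(?<currentValue>[^@'\"]+)(?:@(?<currentDigest>sha256:[a-f0-9]+))?['\"]" ]`, and the same change on the `image:` manager. The `default:` block is a folded scalar so this is a one-line change per manager; a short comment above `onboarding-config` saying the managers only recognise `*_IMAGE:` and `image:` entries quoted on a single line would also save users a debugging round. The `spec:` mapping these inputs belong to starts before this hunk.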
@@ -219,7 +247,79 @@ variables:
 log_info "... done"
 }
+ # evaluate and export a secret
+ # - $1: secret variable name
+ function eval_secret() {
+ name=$1
+ value=$(eval echo "\$${name}")
+ case "$value" in
+ @b64@*)
+ decoded=$(mktemp)
+ errors=$(mktemp)
+ if echo "$value" | cut -c6- | base64 -d > "${decoded}" 2> "${errors}"
+ then
+ # shellcheck disable=SC2086
+ export ${name}="$(cat ${decoded})"
+ log_info "Successfully decoded base64 secret \\e[33;1m${name}\\e[0m"
+ else
+ fail "Failed decoding base64 secret \\e[33;1m${name}\\e[0m:\\n$(sed 's/^/... /g' "${errors}")"
+ fi
+ ;;
+ @hex@*)
+ decoded=$(mktemp)
+ errors=$(mktemp)
+ if echo "$value" | cut -c6- | sed 's/\([0-9A-F]\{2\}\)/\\\\x\1/gI' | xargs printf > "${decoded}" 2> "${errors}"
+ then
+ # shellcheck disable=SC2086
+ export ${name}="$(cat ${decoded})"
+ log_info "Successfully decoded hexadecimal secret \\e[33;1m${name}\\e[0m"
+ else
+ fail "Failed decoding hexadecimal secret \\e[33;1m${name}\\e[0m:\\n$(sed 's/^/... /g' "${errors}")"
+ fi
+ ;;
+ @url@*)
+ url=$(echo "$value" | cut -c6-)
+ if command -v curl > /dev/null
+ then
+ decoded=$(mktemp)
+ errors=$(mktemp)
+ if curl -s -S -f --connect-timeout 5 -o "${decoded}" "$url" 2> "${errors}"
+ then
+ # shellcheck disable=SC2086
+ export ${name}="$(cat ${decoded})"
+ log_info "Successfully curl'd secret \\e[33;1m${name}\\e[0m"
+ else
+ log_warn "Failed getting secret \\e[33;1m${name}\\e[0m:\\n$(sed 's/^/... /g' "${errors}")"
+ fi
+ elif command -v wget > /dev/null
+ then
+ decoded=$(mktemp)
+ errors=$(mktemp)
+ if wget -T 5 -O "${decoded}" "$url" 2> "${errors}"
+ then
+ # shellcheck disable=SC2086
+ export ${name}="$(cat ${decoded})"
+ log_info "Successfully wget'd secret \\e[33;1m${name}\\e[0m"
+ else
+ log_warn "Failed getting secret \\e[33;1m${name}\\e[0m:\\n$(sed 's/^/... 
/g' "${errors}")" + fi + else + fail "Couldn't get secret \\e[33;1m${name}\\e[0m: no http client found" + fi + ;; + esac + } + + function eval_all_secrets() { + encoded_vars=$(env | grep -v '^scoped__' | awk -F '=' '/^[a-zA-Z0-9_]*=@(b64|hex|url)@/ {print $1}') + for var in $encoded_vars + do + eval_secret "$var" + done + } + unscope_variables + eval_all_secrets # ENDSCRIPT @@ -239,7 +339,7 @@ stages: image: $RENOVATE_IMAGE services: - name: "$TBC_TRACKING_IMAGE" - command: ["--service", "renovate", "1.3.0"] + command: ["--service", "renovate", "1.4.1"] variables: RENOVATE_BASE_DIR: $CI_PROJECT_DIR RENOVATE_CACHE_DIR: $CI_PROJECT_DIR/.cache/renovate
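Review bot: The `@url@` branch only `log_warn`s when curl or wget fails, whereas the `@b64@` and `@hex@` branches call `fail`; after a failed fetch the variable still holds the literal `@url@https://…` string and is handed to Renovate as the credential, so the job carries on with a bogus token instead of stopping. Unless optional secrets are deliberately supported here, both `log_warn` calls should become `fail` like the other branches, or at minimum `unset "${name}"` on failure so the placeholder never reaches the tool. Separately, every branch writes the decoded plaintext secret into a `mktemp` file that is never removed, so the secret outlives the function in the runner's temp dir for the rest of the job; the `$(cat ${decoded})` read also strips trailing newlines from the secret, which deserves a comment on the `export` line. The rewrite below shows the curl branch with cleanup on both exit paths and a `--max-time` cap, since `--connect-timeout` alone bounds only the handshake; the wget and decode branches need the same treatment. The enclosing `.renovate-scripts` block scalar begins before this hunk.
```shell
# … unchanged: @b64@ and @hex@ branches …
@url@*)
  url=$(echo "$value" | cut -c6-)
  if command -v curl > /dev/null
  then
    decoded=$(mktemp)
    errors=$(mktemp)
    if curl -s -S -f --connect-timeout 5 --max-time 30 -o "${decoded}" "$url" 2> "${errors}"
    then
      # NOTE: command substitution strips trailing newlines from the secret
      # shellcheck disable=SC2086
      export ${name}="$(cat ${decoded})"
      # do not leave the plaintext secret behind in the runner's temp dir
      rm -f "${decoded}" "${errors}"
      log_info "Successfully curl'd secret \\e[33;1m${name}\\e[0m"
    else
      msg=$(sed 's/^/... /g' "${errors}")
      rm -f "${decoded}" "${errors}"
      fail "Failed getting secret \\e[33;1m${name}\\e[0m:\\n${msg}"
    fi
  # … unchanged: wget fallback (same cleanup and fail applied) …
```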