diff --git a/.github/renovate.js b/.github/renovate.js
index 64c0c31b..9063f899 100644
--- a/.github/renovate.js
+++ b/.github/renovate.js
@@ -46,4 +46,15 @@ module.exports = {
 ],
 // Rest of the config goes here...
+ hostRules: [
+ // Add a set of credentials for accessing docker or oci helm registries like harbor.
+ // These registry tokens should be read-only, they only need to be able to look up
+ // what versions are available. Pretty much all our repos will need this config!
+ {
+ hostType: "docker",
+ domainName: process.env.RENOVATE_HARBOR_REGISTRY,
+ username: process.env.RENOVATE_HARBOR_USER,
+ password: process.env.RENOVATE_HARBOR_TOKEN
+ },
+ ]
 };
diff --git a/.github/workflows/internal-container.yaml b/.github/workflows/internal-container.yaml
new file mode 100644
index 00000000..b603229e
--- /dev/null
+++ b/.github/workflows/internal-container.yaml
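Review bot: `domainName: process.env.RENOVATE_HARBOR_REGISTRY` is passed through unchecked, and a hostRule whose host matcher is absent applies to every host of that `hostType`, so if the variable is missing from the runner environment the Harbor username and token would likely be offered to any Docker registry Renovate contacts, public ones included. Fail fast before the config object is built, `const harborRegistry = process.env.RENOVATE_HARBOR_REGISTRY; if (!harborRegistry) throw new Error("RENOVATE_HARBOR_REGISTRY is not set");`, use `harborRegistry` in the rule, and give the user and token variables the same guard. `domainName` is a deprecated hostRules key in Renovate, superseded by `matchHost`; check which one the Renovate version pulled in by the action still accepts. The `module.exports` object begins before this hunk.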
@@ -0,0 +1,54 @@
+name: Build Internal Container
+
+on:
+ pull_request:
+ # Only consider PRs that change files for this asset, including ci scripts
+ paths:
+ - '.github/workflows/internal-container.yaml'
+ - 'containers/internal/**'
+ # Make sure all workflows that are "required checks" for a given
+ # branch protection rule have the same paths: and branches-ignore:
+ # filters. Otherwise, you can end up in a deadlock waiting on a
+ # required check that will never be executed.
+ push:
+ # Only release off of release and maintenance branches for this asset
+ branches:
+ - 'maintenance/internal-container/[0-9]+.x.x'
+ - 'maintenance/internal-container/[0-9]+.[0-9]+.x'
+ - 'main'
+ # Only consider pushes that change files for this asset, including ci scripts
+ paths:
+ - '.github/workflows/internal-container.yaml'
+ - 'containers/internal/**'
+
+permissions:
+ contents: write
+ pull-requests: write
+ actions: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ # Cancel early on pull requests if new commits are added,
+ # Don't cancel on release pushes
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+ # Job name must be unique across repo to target
+ # branch protection rules "required checks" properly!
+ internal-container:
+ uses: SwanseaUniversityMedical/workflows/.github/workflows/pr-and-release-container.yaml@v2.0.1-containers
+ with:
+ job-name: internal-container
+ comment-pr: "true"
+ comment-release: "true"
+ registry: ${{ vars.HARBOR_REGISTRY }}
+ registry-user: ${{ vars.HARBOR_USER }}
+ registry-repo: ${{ vars.HARBOR_PROJECT }}/internal
+ release-tag-format: 'v${version}-internal-container'
+ cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }}
+ build-file: containers/internal/Dockerfile
+ build-context: containers/internal
+ secrets:
+ cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ cosign-password: ${{ secrets.COSIGN_PASSWORD }}
+ registry-token: ${{ secrets.HARBOR_TOKEN }}
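Review bot: The reusable workflow is taken by the mutable tag `@v2.0.1-containers` while this job hands it `secrets.COSIGN_PRIVATE_KEY`, `secrets.COSIGN_PASSWORD` and `secrets.HARBOR_TOKEN`, so anyone able to move that tag in the SwanseaUniversityMedical/workflows repository can redirect the signing key and the registry token. Pin the reference to a full commit SHA and keep the tag as a comment, `uses: SwanseaUniversityMedical/workflows/.github/workflows/pr-and-release-container.yaml@<commit-sha> # v2.0.1-containers`; Renovate can then bump the SHA through reviewed PRs. The same applies, more urgently, to `.github/workflows/renovate.yaml` in this commit, where the composite action is referenced from a feature branch, `@feat/renovate`, and also receives `secrets.RENOVATE_TOKEN` and `secrets.HARBOR_TOKEN`.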
diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml
index 763e7ea5..79ed397d 100644
--- a/.github/workflows/renovate.yaml
+++ b/.github/workflows/renovate.yaml
@@ -1,16 +1,11 @@
 name: Renovate Bot
 on:
+ pull_request:
 workflow_dispatch:
 schedule:
 - cron: '0 * * * *'
-permissions:
- actions: write
- contents: write
- issues: write
- pull-requests: write
-
 concurrency:
 group: ${{ github.workflow }}
 cancel-in-progress: false
@@ -22,12 +17,10 @@ jobs:
 group: heavy
 steps:
- - name: clone repo
- uses: actions/checkout@v4
-
- - name: renovate
- uses: renovatebot/github-action@v40.1.12
+ - uses: SwanseaUniversityMedical/workflows/.github/actions/renovate@feat/renovate
 with:
- configurationFile: .github/renovate.js
 token: ${{ secrets.RENOVATE_TOKEN }}
- env-regex: "^(?:RENOVATE_\\w+|LOG_LEVEL|\\w+_PROXY)$"
+ env:
+ RENOVATE_HARBOR_REGISTRY: ${{ vars.HARBOR_REGISTRY }}
+ RENOVATE_HARBOR_USER: ${{ secrets.HARBOR_USER }}
+ RENOVATE_HARBOR_TOKEN: ${{ secrets.HARBOR_TOKEN }}
diff --git a/containers/internal/Dockerfile b/containers/internal/Dockerfile
new file mode 100644
index 00000000..0d530f32
--- /dev/null
+++ b/containers/internal/Dockerfile
@@ -0,0 +1 @@
+FROM harbor.ukserp.ac.uk/github-workflows-test/controller:7.1.0
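Review bot: Deleting the `permissions:` block does not take grants away from the job's GITHUB_TOKEN, it hands them back to the repository default, which can be write-all; since the action authenticates with `secrets.RENOVATE_TOKEN` and nothing in the hunk needs the built-in token, declare the least privilege explicitly instead, `permissions:` / `  contents: read`. The new `pull_request:` trigger also deserves a second look: pull requests opened with a PAT do fire `pull_request`, so each PR Renovate creates would likely start another full Renovate run under this `concurrency` group, and `cancel-in-progress: false` queues those runs rather than collapsing them.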
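Review bot: `RENOVATE_HARBOR_USER: ${{ secrets.HARBOR_USER }}` reads the username from repository secrets, while `.github/workflows/internal-container.yaml` in this same commit reads it as `vars.HARBOR_USER`; a name lives in only one of those stores, so one of the two workflows receives an empty username and its Harbor login fails without an obvious error. Pick one store and keep both files in step; the registry host and username are not secret, so `RENOVATE_HARBOR_USER: ${{ vars.HARBOR_USER }}` here would match the other workflow. Separately, the removed `env-regex` line used to filter which environment variables reached Renovate, and whether the replacement action still does so is not visible in this hunk, so confirm that before more `RENOVATE_*` variables are added. The job definition begins before this hunk.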
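Review bot: `FROM harbor.ukserp.ac.uk/github-workflows-test/controller:7.1.0` pins the base image by tag only; a tag is mutable in the registry, so the image this builds from can change without any change to this file or to the commit that produced the build. Pin the digest alongside the tag, `FROM harbor.ukserp.ac.uk/github-workflows-test/controller:7.1.0@sha256:<digest-placeholder>`, and let Renovate's `pinDigests` keep tag and digest current through reviewed PRs.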