renovate.yaml

name: Renovate

on:
  schedule:
    - cron:  '41 */6 * * *'
  workflow_dispatch:

jobs:
  renovate:
    permissions:
      contents: read        # needed to read the contents of the repository
      id-token: write       # needed to create a GitHub App token
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout Code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: retrieve secrets
        id: get-secrets
        uses: grafana/shared-workflows/actions/get-vault-secrets@7d18a46aafb8b875ed76a0bc98852d74b91e7f91  # v1.0.0
        with:
          common_secrets: |
            GRAFANA_RENOVATE_APP_ID=grafana-renovate-app:app-id
            GRAFANA_RENOVATE_PRIVATE_KEY=grafana-renovate-app:private-key

      - name: create GitHub app token
        id: app-token
        # Beware that the token generated here has elevated permissions wrt to
        # the ones set in the action. In particular, it will be able to write
        # to the repository (e.g. create branches) and create pull requests.
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ env.GRAFANA_RENOVATE_APP_ID }}
          private-key: ${{ env.GRAFANA_RENOVATE_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
      - name: Self-hosted Renovate
        uses: renovatebot/github-action@v41.0.3
        with:
          renovate-version: 39.23.0
          configurationFile: .github/renovate-app.json
          token: '${{ steps.app-token.outputs.token }}'
          docker-cmd-file: .github/renovate
        env:
          LOG_LEVEL: debug
          RENOVATE_PLATFORM: github
          RENOVATE_REPOSITORIES: ${{ github.repository }}
          RENOVATE_USERNAME: GrafanaRenovateBot