ci: Add Renovate for automated dependency management

Configures Renovate bot to create PRs for outdated dependencies. Runs daily at 5am UTC with manual trigger via workflow_dispatch. Configuration: - Ignores custom forks (jemalloc, telemetry packages) - Groups: GHA minor/patch, Rust toolchain, lockfile, Rust patches - Limits: 3 concurrent PRs, 2 PRs per hour - Supports: Cargo, GitHub Actions, Nix
2025-09-03 16:50:56 +00:00 · 2025-08-17 14:17:18 +01:00 · 2025-08-17 14:17:18 +01:00 · f54e59a068
commit f54e59a068
parent 54acd07555
2 changed files with 105 additions and 3 deletions
--- a/.forgejo/workflows/renovate.yml
+++ b/.forgejo/workflows/renovate.yml
@ -0,0 +1,64 @@
+name: Maintenance / Renovate
+
+on:
+  schedule:
+    # Run at 5am UTC daily to avoid late-night dev
+    - cron: '0 5 * * *'
+
+  workflow_dispatch:
+    inputs:
+      dryRun:
+        description: 'Dry run mode'
+        required: false
+        default: 'false'
+        type: choice
+        options:
+          - 'true'
+          - 'false'
+      logLevel:
+        description: 'Log level'
+        required: false
+        default: 'info'
+        type: choice
+        options:
+          - 'debug'
+          - 'info'
+          - 'warn'
+          - 'error'
+
+  push:
+    branches:
+      - main
+    paths:
+      # Re-run when config changes
+      - '.forgejo/workflows/renovate.yml'
+      - 'renovate.json'
+
+jobs:
+  renovate:
+    name: Renovate
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run Renovate
+        uses: renovatebot/github-action@v40.1.0
+        with:
+          token: ${{ secrets.RENOVATE_TOKEN }}
+          configurationFile: renovate.json
+        env:
+          # Platform configuration - Forgejo uses Gitea-compatible API
+          RENOVATE_PLATFORM: gitea
+          RENOVATE_ENDPOINT: ${{ github.server_url }}/api/v1
+          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
+
+          # Target repository
+          RENOVATE_REPOSITORIES: '["${{ github.repository }}"]'
+
+          # Runtime behaviour
+          RENOVATE_DRY_RUN: ${{ inputs.dryRun || 'false' }}
+          LOG_LEVEL: ${{ inputs.logLevel || 'info' }}
+
+          # Git author for commits - configured via repository variables
+          RENOVATE_GIT_AUTHOR: '${{ vars.RENOVATE_AUTHOR }}'
--- a/renovate.json
+++ b/renovate.json
@ -17,10 +17,48 @@
    "github_actions"
  ],
  "ignoreDeps": [
-    "tikv-jemllocator",
+    "tikv-jemallocator",
    "tikv-jemalloc-sys",
    "tikv-jemalloc-ctl",
-    "opentelemetry-rust",
+    "opentelemetry",
+    "opentelemetry_sdk",
+    "opentelemetry-jaeger",
    "tracing-opentelemetry"
-  ]
+  ],
+  "github-actions": {
+    "enabled": true,
+    "fileMatch": [
+      "(^|/)\\.forgejo/workflows/[^/]+\\.ya?ml$",
+      "(^|/)\\.forgejo/actions/[^/]+/action\\.ya?ml$",
+      "(^|/)\\.github/workflows/[^/]+\\.ya?ml$",
+      "(^|/)\\.github/actions/[^/]+/action\\.ya?ml$"
+    ]
+  },
+  "packageRules": [
+    {
+      "description": "Batch minor and patch GitHub Actions updates",
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "github-actions-non-major"
+    },
+    {
+      "description": "Group Rust toolchain updates into a single PR",
+      "matchManagers": ["regex"],
+      "matchPackageNames": ["rust", "rustc", "cargo"],
+      "groupName": "rust-toolchain"
+    },
+    {
+      "description": "Group lockfile updates into a single PR",
+      "matchUpdateTypes": ["lockFileMaintenance"],
+      "groupName": "lockfile-maintenance"
+    },
+    {
+      "description": "Batch patch-level Rust dependency updates",
+      "matchManagers": ["cargo"],
+      "matchUpdateTypes": ["patch"],
+      "groupName": "rust-patch-updates"
+    }
+  ],
+  "prConcurrentLimit": 3,
+  "prHourlyLimit": 2
 }