diff --git a/helm/renovate-bot/Chart.yaml b/helm/renovate-bot/Chart.yaml
new file mode 100644
index 0000000..1f00718
--- /dev/null
+++ b/helm/renovate-bot/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: renovate-bot
+description: Renovate Bot deployment for agentguard-ci
+version: 0.1.0
+appVersion: "37.0.0"
diff --git a/helm/renovate-bot/templates/application.yaml b/helm/renovate-bot/templates/application.yaml
new file mode 100644
index 0000000..3ce9d5c
--- /dev/null
+++ b/helm/renovate-bot/templates/application.yaml
@@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: renovate-bot
+spec:
+ project: default
+ source:
+ repoURL: https://git.example.com/agentguard-ci.git
+ targetRevision: main
+ path: helm/renovate-bot
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: default
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/helm/renovate-bot/templates/clusterrole.yaml b/helm/renovate-bot/templates/clusterrole.yaml
new file mode 100644
index 0000000..074611a
--- /dev/null
+++ b/helm/renovate-bot/templates/clusterrole.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: renovate-bot
+rules:
+ - apiGroups: [""]
+ resources: ["secrets", "configmaps"]
+ verbs: ["get", "list", "watch"]
diff --git a/helm/renovate-bot/templates/clusterrolebinding.yaml b/helm/renovate-bot/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..1570050
--- /dev/null
+++ b/helm/renovate-bot/templates/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: renovate-bot
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: renovate-bot
+subjects:
+ - kind: ServiceAccount
+ name: renovate-bot
+ namespace: default
diff --git a/helm/renovate-bot/templates/configmap.yaml b/helm/renovate-bot/templates/configmap.yaml
new file mode 100644
index 0000000..0297b61
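Review bot: `project: default` together with `destination.namespace: default` and `automated.prune`/`selfHeal` means anything merged to `main` under `helm/renovate-bot` — including the cluster-scoped ClusterRole in this commit — is applied unattended and unrestricted, because the built-in `default` AppProject permits any source repository and any destination. Create a dedicated AppProject with `sourceRepos` limited to this repository and `destinations` limited to one non-`default` namespace, and point `spec.project` at it; pinning `targetRevision` to a tag rather than `main` adds a review gate before RBAC changes roll out. This Application is also rendered by the very chart it points at (`path: helm/renovate-bot`), so the manifest is self-referential; if that is intended as an app-of-apps bootstrap, a comment saying so would help the next reader.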
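Review bot: The ClusterRole grants `get`/`list`/`watch` on `secrets` in every namespace to the renovate-bot identity, yet nothing in the chart's CronJob (cronjob.yaml hunk) talks to the Kubernetes API — its tokens arrive through `secretKeyRef` env vars, which needs no RBAC at all. Cluster-wide secret read is equivalent to holding every credential in the cluster, including the pipeline Secret the infisical-secret.yaml hunk creates. Drop the ClusterRole and ClusterRoleBinding, or if an API read is genuinely required, make it a namespaced `Role`/`RoleBinding` in the release namespace with `resourceNames: ["renovate-bot", "renovate-bot-config"]`. The unprefixed cluster-scoped name `renovate-bot` will also collide if the chart is ever installed twice.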
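Review bot: The subject hardcodes `namespace: default`, while the ServiceAccount in serviceaccount.yaml is created in whatever namespace the release is installed to; installed anywhere else, the binding points at a `renovate-bot` ServiceAccount in `default` that either does not exist or belongs to someone else, and that identity silently receives cluster-wide secret read. Use `namespace: {{ .Release.Namespace }}` so the binding follows the release, and keep application.yaml's `destination.namespace` consistent with it.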
--- /dev/null
+++ b/helm/renovate-bot/templates/configmap.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: renovate-bot-config
+data:
+ renovate.json: |
+ {
+ "extends": ["github>my-org/my-repo//renovate-preset"],
+ "onboarding": false,
+ "platform": "github",
+ "repositories": {{ toJson .Values.repositories }}
+ }
diff --git a/helm/renovate-bot/templates/cronjob.yaml b/helm/renovate-bot/templates/cronjob.yaml
new file mode 100644
index 0000000..03f7947
--- /dev/null
+++ b/helm/renovate-bot/templates/cronjob.yaml
@@ -0,0 +1,40 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: renovate-bot
+spec:
+ schedule: {{ .Values.schedule | quote }}
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ serviceAccountName: renovate-bot
+ restartPolicy: Never
+ containers:
+ - name: renovate
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ - name: RENOVATE_CONFIG_FILE
+ value: /etc/renovate/renovate.json
+ - name: RENOVATE_REPOSITORIES
+ value: {{ join "," .Values.repositories | quote }}
+ - name: GITHUB_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: renovate-bot
+ key: github-token
+ - name: GITLAB_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: renovate-bot
+ key: gitlab-token
+ args:
+ - renovate
+ volumeMounts:
+ - name: config
+ mountPath: /etc/renovate
+ volumes:
+ - name: config
+ configMap:
+ name: renovate-bot-config
diff --git a/helm/renovate-bot/templates/serviceaccount.yaml b/helm/renovate-bot/templates/serviceaccount.yaml
new file mode 100644
index 0000000..576d51e
--- /dev/null
+++ b/helm/renovate-bot/templates/serviceaccount.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: renovate-bot
+ annotations:
+ secrets.infisical.com/auto-reload: "true"
diff --git a/helm/renovate-bot/values.yaml b/helm/renovate-bot/values.yaml
new file mode 100644
index 0000000..4c72853
--- /dev/null
+++ b/helm/renovate-bot/values.yaml
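Review bot: `"extends": ["github>my-org/my-repo//renovate-preset"]` is both an unparameterised placeholder and an unpinned reference: Renovate resolves the preset from that repository's default branch on every run, so whoever can push to it changes the automerge policy for every consumer of this bot. Make it a value and pin it to a tag or commit, e.g. `"extends": {{ toJson .Values.presets }}` with a default such as `github>my-org/my-repo//renovate-preset#v1` (constructed example). `"platform": "github"` also sits next to a mandatory `GITLAB_TOKEN` in cronjob.yaml, so one of the two looks stale.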
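Review bot: The pod template runs entirely on defaults: the `renovate-bot` ServiceAccount token — which this commit's ClusterRole turns into a cluster-wide secrets reader — is auto-mounted although the container only talks to GitHub/GitLab, no pod or container `securityContext` is set, and `concurrencyPolicy` is left at `Allow`, so the hourly `schedule` can stack overlapping runs against the same repositories. `GITLAB_TOKEN` is a hard `secretKeyRef`, so the pod will not start unless the pre-existing Secret `renovate-bot` carries both keys; that Secret is not created by the chart, which should be documented in values.yaml, and the unused platform's key can be marked `optional: true`. Proposed pod-spec additions below; `readOnlyRootFilesystem` is left out because Renovate writes its cache under the container filesystem by default and would need an emptyDir first — worth a follow-up.
```yaml
spec:
  schedule: {{ .Values.schedule | quote }}
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: renovate-bot
          # The container never calls the Kubernetes API; keep the SA token out of the pod.
          automountServiceAccountToken: false
          restartPolicy: Never
          securityContext:
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: renovate
              # … unchanged: image, imagePullPolicy …
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
              # … unchanged: env, args, volumeMounts …
          # … unchanged: volumes …
```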
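Review bot: `secrets.infisical.com/auto-reload: "true"` is, as far as I know, consumed by the Infisical operator on workload objects (Deployment and the like) to restart pods when a managed Secret changes; on a ServiceAccount it appears inert, and a CronJob reads fresh Secret values at each Job start anyway. Unless the project relies on operator behaviour I am not aware of, drop the annotation. This is also the natural place for `automountServiceAccountToken: false`, since the pod in cronjob.yaml never uses the Kubernetes API.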
@@ -0,0 +1,7 @@
+image:
+ repository: renovate/renovate
+ tag: 37.0.0
+ pullPolicy: IfNotPresent
+
+schedule: "0 * * * *"
+repositories: []
diff --git a/helm/templates/infisical-secret.yaml b/helm/templates/infisical-secret.yaml
new file mode 100644
index 0000000..9226652
--- /dev/null
+++ b/helm/templates/infisical-secret.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.pipeline.enabled }}
+apiVersion: infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+ name: amp-security-pipeline-secrets
+spec:
+ secretName: amp-security-pipeline-secrets
+ target:
+ creationPolicy: Owner
+ workspaceSlug: {{ .Values.infisical.workspaceSlug | quote }}
+ projectSlug: {{ .Values.infisical.projectSlug | quote }}
+ secrets:
+ - secretKey: SOCKET_DEV_API_KEY
+ remoteRef:
+ key: SOCKET_DEV_API_KEY
+ - secretKey: PULUMI_ACCESS_TOKEN
+ remoteRef:
+ key: PULUMI_ACCESS_TOKEN
+ - secretKey: AWS_ACCESS_KEY_ID
+ remoteRef:
+ key: AWS_ACCESS_KEY_ID
+ - secretKey: AWS_SECRET_ACCESS_KEY
+ remoteRef:
+ key: AWS_SECRET_ACCESS_KEY
+ - secretKey: MINIO_ROOT_USER
+ remoteRef:
+ key: MINIO_ROOT_USER
+ - secretKey: MINIO_ROOT_PASSWORD
+ remoteRef:
+ key: MINIO_ROOT_PASSWORD
+ - secretKey: DEFECTDOJO_URL
+ remoteRef:
+ key: DEFECTDOJO_URL
+ - secretKey: DEFECTDOJO_API_TOKEN
+ remoteRef:
+ key: DEFECTDOJO_API_TOKEN
+{{- end }}
diff --git a/renovate-preset/README.md b/renovate-preset/README.md
new file mode 100644
index 0000000..8dafba4
--- /dev/null
+++ b/renovate-preset/README.md
@@ -0,0 +1,22 @@
+# Renovate Preset
+
+This directory contains a shared Renovate preset that other repositories can extend.
+
+## Usage
+
+In another repository's `renovate.json`:
+
+```json
+{
+ "extends": ["github>my-org/my-repo//renovate-preset"]
+}
+```
+
+Adjust `my-org/my-repo` to point at this repository.
+
+## Behavior
+
+- Auto-merges patch and minor updates.
+- Groups common monorepo package families into single PRs.
+- Schedules Renovate runs on weekends before 6am UTC.
+- Keeps security alerts from auto-merging.
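Review bot: `tag: 37.0.0` is unquoted while Chart.yaml quotes `appVersion: "37.0.0"`; `37.0.0` happens to parse as a string, but a future `37.1` or `38` would become a number and render a mangled image reference, so quote it: `tag: "37.0.0"`. For a bot that holds write tokens to your repositories, add a digest value as well (rendered as `{{ .Values.image.repository }}@{{ .Values.image.digest }}` when set) so an upstream re-tag cannot swap the binary. A comment noting that the chart expects a pre-existing Secret named `renovate-bot` with `github-token`/`gitlab-token` keys (see cronjob.yaml) belongs here too, since nothing in the chart creates it.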
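Review bot: The spec mixes schemas: `target.creationPolicy` and `secrets[].remoteRef.key` are External Secrets Operator `ExternalSecret` fields, whereas an `infisical.com/v1alpha1 InfisicalSecret` — as far as I recall — expects `authentication`, a managed-secret reference, `projectSlug`, `envSlug` and `secretsPath`; a CRD with a structural schema typically prunes unknown fields, so the Secret may never be created or may be created with every key of the environment rather than the eight listed. Verify the manifest against the installed CRD before the pipeline depends on it. Separately, the resulting Secret bundles AWS keys, the Pulumi token, MinIO root credentials and the DefectDojo token in one object readable by any identity with `secrets` read in that namespace — which the ClusterRole in this same commit grants cluster-wide to renovate-bot; split it per consumer and scope RBAC to match.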
diff --git a/renovate-preset/default.json b/renovate-preset/default.json
new file mode 100644
index 0000000..43279a1
--- /dev/null
+++ b/renovate-preset/default.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": ["config:recommended"],
+ "timezone": "UTC",
+ "schedule": ["before 6am on saturday", "before 6am on sunday"],
+ "automerge": true,
+ "automergeType": "pr",
+ "automergeStrategy": "squash",
+ "automergeSchedule": ["before 6am on saturday", "before 6am on sunday"],
+ "packageRules": [
+ {
+ "matchUpdateTypes": ["patch", "minor"],
+ "automerge": true
+ },
+ {
+ "matchPackagePatterns": ["^@babel/"],
+ "groupName": "babel packages"
+ },
+ {
+ "matchPackagePatterns": ["^eslint"],
+ "groupName": "eslint packages"
+ },
+ {
+ "matchPackagePatterns": ["^jest"],
+ "groupName": "jest packages"
+ },
+ {
+ "matchPackagePatterns": ["^@types/"],
+ "groupName": "types packages"
+ },
+ {
+ "matchPackagePatterns": ["^react", "^react-dom"],
+ "groupName": "react packages"
+ },
+ {
+ "matchConfidence": ["high", "very-high"],
+ "dependencyDashboardApproval": false
+ },
+ {
+ "matchConfidence": ["low", "neutral"],
+ "dependencyDashboardApproval": true
+ }
+ ],
+ "vulnerabilityAlerts": {
+ "labels": ["security"],
+ "automerge": false
+ }
+}
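Review bot: Top-level `"automerge": true` applies to every update type, so major updates auto-merge as well; the `matchUpdateTypes: ["patch", "minor"]` rule is then redundant and the README's statement that only patch and minor updates are auto-merged is false. Drop the top-level key and keep the rule, or add `{ "matchUpdateTypes": ["major"], "automerge": false }` as an explicit guard. With automerge on, a `"minimumReleaseAge": "3 days"` (constructed value) next to `"schedule"` keeps a just-published — possibly compromised and soon-yanked — release from being merged within the same weekend window; `vulnerabilityAlerts` already opts out of automerge, which is right. `matchPackagePatterns` has been deprecated in later Renovate releases in favour of `matchPackageNames` with `/regex/` entries, so it is worth checking against the version pinned in values.yaml before bumping.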