ada/agentguard-ci
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

renovate bot

Browse Source
This commit is contained in:
Elizabeth W
2026-04-19 22:55:44 -06:00
parent d8ee53395a
commit 7587c285e7
11 changed files with 214 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
helm/renovate-bot/Chart.yaml
+5
View File
@@ -0,0 +1,5 @@
apiVersion: v2
name: renovate-bot
description: Renovate Bot deployment for agentguard-ci
version: 0.1.0
appVersion: "37.0.0"
helm/renovate-bot/templates/application.yaml
+17
View File
@@ -0,0 +1,17 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: renovate-bot
spec:
project: default
source:
repoURL: https://git.example.com/agentguard-ci.git
targetRevision: main
path: helm/renovate-bot
destination:
server: https://kubernetes.default.svc
namespace: default
syncPolicy:
automated:
prune: true
selfHeal: true
helm/renovate-bot/templates/clusterrole.yaml
+8
View File
@@ -0,0 +1,8 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: renovate-bot
rules:
- apiGroups: [""]
resources: ["secrets", "configmaps"]
verbs: ["get", "list", "watch"]
helm/renovate-bot/templates/clusterrolebinding.yaml
+12
View File
@@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: renovate-bot
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: renovate-bot
subjects:
- kind: ServiceAccount
name: renovate-bot
namespace: default
helm/renovate-bot/templates/configmap.yaml
+12
View File
@@ -0,0 +1,12 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: renovate-bot-config
data:
renovate.json: |
{
"extends": ["github>my-org/my-repo//renovate-preset"],
"onboarding": false,
"platform": "github",
"repositories": {{ toJson .Values.repositories }}
}
helm/renovate-bot/templates/cronjob.yaml
+40
View File
@@ -0,0 +1,40 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: renovate-bot
spec:
schedule: {{ .Values.schedule | quote }}
jobTemplate:
spec:
template:
spec:
serviceAccountName: renovate-bot
restartPolicy: Never
containers:
- name: renovate
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: RENOVATE_CONFIG_FILE
value: /etc/renovate/renovate.json
- name: RENOVATE_REPOSITORIES
value: {{ join "," .Values.repositories | quote }}
- name: GITHUB_TOKEN
valueFrom:
secretKeyRef:
name: renovate-bot
key: github-token
- name: GITLAB_TOKEN
valueFrom:
secretKeyRef:
name: renovate-bot
key: gitlab-token
args:
- renovate
volumeMounts:
- name: config
mountPath: /etc/renovate
volumes:
- name: config
configMap:
name: renovate-bot-config
helm/renovate-bot/templates/serviceaccount.yaml
+6
View File
@@ -0,0 +1,6 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: renovate-bot
annotations:
secrets.infisical.com/auto-reload: "true"
helm/renovate-bot/values.yaml
+7
View File
@@ -0,0 +1,7 @@
image:
repository: renovate/renovate
tag: 37.0.0
pullPolicy: IfNotPresent
schedule: "0 * * * *"
repositories: []
helm/templates/infisical-secret.yaml
+37
View File
@@ -0,0 +1,37 @@
{{- if .Values.pipeline.enabled }}
apiVersion: infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: amp-security-pipeline-secrets
spec:
secretName: amp-security-pipeline-secrets
target:
creationPolicy: Owner
workspaceSlug: {{ .Values.infisical.workspaceSlug | quote }}
projectSlug: {{ .Values.infisical.projectSlug | quote }}
secrets:
- secretKey: SOCKET_DEV_API_KEY
remoteRef:
key: SOCKET_DEV_API_KEY
- secretKey: PULUMI_ACCESS_TOKEN
remoteRef:
key: PULUMI_ACCESS_TOKEN
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
key: AWS_ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
key: AWS_SECRET_ACCESS_KEY
- secretKey: MINIO_ROOT_USER
remoteRef:
key: MINIO_ROOT_USER
- secretKey: MINIO_ROOT_PASSWORD
remoteRef:
key: MINIO_ROOT_PASSWORD
- secretKey: DEFECTDOJO_URL
remoteRef:
key: DEFECTDOJO_URL
- secretKey: DEFECTDOJO_API_TOKEN
remoteRef:
key: DEFECTDOJO_API_TOKEN
{{- end }}
renovate-preset/README.md
+22
View File
@@ -0,0 +1,22 @@
# Renovate Preset
This directory contains a shared Renovate preset that other repositories can extend.
## Usage
In another repository's `renovate.json`:
```json
{
"extends": ["github>my-org/my-repo//renovate-preset"]
}
```
Adjust `my-org/my-repo` to point at this repository.
## Behavior
- Auto-merges patch and minor updates.
- Groups common monorepo package families into single PRs.
- Schedules Renovate runs on weekends before 6am UTC.
- Keeps security alerts from auto-merging.
renovate-preset/default.json
+48
View File
@@ -0,0 +1,48 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"],
"timezone": "UTC",
"schedule": ["before 6am on saturday", "before 6am on sunday"],
"automerge": true,
"automergeType": "pr",
"automergeStrategy": "squash",
"automergeSchedule": ["before 6am on saturday", "before 6am on sunday"],
"packageRules": [
{
"matchUpdateTypes": ["patch", "minor"],
"automerge": true
},
{
"matchPackagePatterns": ["^@babel/"],
"groupName": "babel packages"
},
{
"matchPackagePatterns": ["^eslint"],
"groupName": "eslint packages"
},
{
"matchPackagePatterns": ["^jest"],
"groupName": "jest packages"
},
{
"matchPackagePatterns": ["^@types/"],
"groupName": "types packages"
},
{
"matchPackagePatterns": ["^react", "^react-dom"],
"groupName": "react packages"
},
{
"matchConfidence": ["high", "very-high"],
"dependencyDashboardApproval": false
},
{
"matchConfidence": ["low", "neutral"],
"dependencyDashboardApproval": true
}
],
"vulnerabilityAlerts": {
"labels": ["security"],
"automerge": false
}
}