feat(dev): add renovate workflow

perfectra1n · perfectra1n · commit b892bd7448ff · 2026-06-02T12:29:52.000-07:00
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
@@ -0,0 +1,91 @@
+name: Renovate
+
+# Org-wide self-hosted Renovate for the AtvikSecurity organisation.
+#
+# A single workflow, living in the org `.github` repo, runs Renovate across
+# EVERY repo the `atvik-renovate` GitHub App is installed on (autodiscover).
+# It replaces the old per-repo Renovate workflows (e.g. the one that used to
+# live in tyrfing/.github/workflows/renovate.yml).
+#
+# Dependency policy is NOT defined here. Each repo opts in with a one-line
+# `extends` pointing at the shared preset library:
+#     { "extends": ["github>AtvikSecurity/renovate-config"] }
+# New repos get that line injected automatically via RENOVATE_ONBOARDING_CONFIG
+# below (Renovate opens an onboarding PR). See AtvikSecurity/renovate-config.
+
+on:
+  schedule:
+    # Hosted Renovate reacts to webhooks plus a ~hourly poll. A 4-hourly cron
+    # keeps a similar cadence org-wide; lower it if dependency churn is too high.
+    - cron: "0 */4 * * *"
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: "Renovate log level"
+        type: choice
+        default: info
+        options: [debug, info, warn, error]
+      dryRun:
+        description: "Dry-run mode (no PRs / branches / issues written)"
+        type: choice
+        default: disabled
+        options: [disabled, lookup, extract, full]
+      autodiscoverFilter:
+        description: "Autodiscover filter (repo glob under the org, e.g. tyrfing or *)"
+        type: string
+        default: "*"
+  push:
+    branches: [main]
+    paths:
+      - ".github/workflows/renovate.yml"
+
+# Renovate authenticates as the `atvik-renovate` GitHub App (App ID 3703588).
+# We mint a short-lived installation token via actions/create-github-app-token
+# from the RENOVATE_APP_ID / RENOVATE_APP_PRIVATE_KEY secrets, scoped to the
+# whole org (owner: ...) so autodiscover can reach every installed repo.
+# Commits authored by an App show as "Verified" automatically.
+permissions:
+  contents: read
+
+concurrency:
+  group: renovate
+  cancel-in-progress: false
+
+jobs:
+  renovate:
+    runs-on: [duck-runner-small]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Mint GitHub App installation token
+        id: app-token
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+        with:
+          app-id: ${{ secrets.RENOVATE_APP_ID }}
+          private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }}
+          # Scope the token to the whole org, not just this repo, so
+          # autodiscover can enumerate and write to every installed repo.
+          owner: ${{ github.repository_owner }}
+
+      - name: Run Renovate
+        uses: renovatebot/github-action@693b9ef15eec82123529a37c782242f091365961 # v46.1.14
+        env:
+          LOG_LEVEL: ${{ inputs.logLevel || 'info' }}
+          RENOVATE_PLATFORM: github
+          # Discover every repo the App is installed on, restricted to this org.
+          RENOVATE_AUTODISCOVER: "true"
+          RENOVATE_AUTODISCOVER_FILTER: ${{ github.repository_owner }}/${{ inputs.autodiscoverFilter || '*' }}
+          # New repos onboard themselves by extending the shared preset library.
+          RENOVATE_ONBOARDING_CONFIG: '{"$schema":"https://docs.renovatebot.com/renovate-schema.json","extends":["github>AtvikSecurity/renovate-config"]}'
+          # Commit as the App so signatures show as "Verified". The numeric
+          # prefix is the App's bot user ID; GitHub renders this as the App's
+          # bot account regardless of slug changes.
+          RENOVATE_GIT_AUTHOR: "atvik-renovate[bot] <284408317+atvik-renovate[bot]@users.noreply.github.com>"
+          RENOVATE_USERNAME: "atvik-renovate[bot]"
+          # Empty when "disabled" is selected; Renovate treats unset as "not a dry run".
+          RENOVATE_DRY_RUN: ${{ (inputs.dryRun != '' && inputs.dryRun != 'disabled') && inputs.dryRun || '' }}
+        with:
+          token: ${{ steps.app-token.outputs.token }}
diff --git a/renovate.json b/renovate.json
@@ -1,24 +1,4 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "dependencyDashboard": true,
-  "prConcurrentLimit": 0,
-  "prHourlyLimit": 40,
-  "rebaseWhen": "conflicted",
-  "labels": [
-    "Kind/Dependency"
-  ],
-  "lockFileMaintenance": {
-    "enabled": true,
-    "schedule": ["before 5am on monday"]
-  },
-  "packageRules": [
-    {
-      "matchUpdateTypes": ["lockFileMaintenance"],
-      "automerge": true
-    },
-    {
-      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
-      "minimumReleaseAge": "3 days"
-    }
-  ]
+  "extends": ["github>AtvikSecurity/renovate-config"]
 }
