
Commit 88f9798

authored
Merge pull request #576 from DarkKirb/push-ysqumxwntltz
Update renovate to use github
2 parents 2cbe913 + c2d098d commit 88f9798

2 files changed

+50
-6
lines changed


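--- a/services/renovate/default.nix
+++ b/services/renovate/default.nix
@@ -3,6 +3,7 @@
 config,
 cargo2nix,
 system,
+lib,
 ...
 }:
 {
@@ -28,7 +29,7 @@
 allowCustomCrateRegistries = true;
 };
 credentials = {
-RENOVATE_TOKEN = config.sops.secrets."services/renovate/credentials/RENOVATE_TOKEN".path;
+GITHUB_PEM = config.sops.secrets."services/renovate/credentials/privkey.pem".path;
 GITHUB_COM_TOKEN = config.sops.secrets."services/renovate/credentials/GITHUB_COM_TOKEN".path;
 };
 runtimePackages = with pkgs; [
@@ -46,6 +47,49 @@
 ];
 };
 
-sops.secrets."services/renovate/credentials/RENOVATE_TOKEN".sopsFile = ./secrets.yaml;
+systemd.services.renovate.script = lib.mkBefore ''
+#!${lib.getExe pkgs.bash}
+set -euo pipefail
+client_id=Iv23li2EB7v4XJseLlto
+pem="$(${lib.getExe' pkgs.systemd "systemd-creds"} cat 'SECRET-GITHUB_PEM')"
+now=$(${lib.getExe' pkgs.coreutils "date"} +%s)
+iat=$((''${now} - 60)) # Issues 60 seconds in the past
+exp=$((''${now} + 31536000)) # Expires 10 minutes in the future
+b64enc() { ${lib.getExe pkgs.openssl} base64 | ${lib.getExe' pkgs.coreutils "tr"} -d '=' | ${lib.getExe' pkgs.coreutils "tr"} '/+' '_-' | ${lib.getExe' pkgs.coreutils "tr"} -d '\n'; }
+header_json='{
+"typ":"JWT",
+"alg":"RS256"
+}'
+# Header encode
+header=$( echo -n "''${header_json}" | b64enc )
+
+payload_json="{
+\"iat\":''${iat},
+\"exp\":''${exp},
+\"iss\":\"''${client_id}\"
+}"
+# Payload encode
+payload=$( echo -n "''${payload_json}" | b64enc )
+
+# Signature
+header_payload="''${header}"."''${payload}"
+signature=$(
+${lib.getExe pkgs.openssl} dgst -sha256 -sign <(echo -n "''${pem}") \
+<(echo -n "''${header_payload}") | b64enc
+)
+
+# Create JWT
+JWT="''${header_payload}"."''${signature}"
+
+RENOVATE_TOKEN=$(${lib.getExe pkgs.curl} --request POST \ ─╯
+--url "https://api.github.com/app/installations/61371765/access_tokens" \
+--header "Accept: application/vnd.github+json" \
+--header "Authorization: Bearer ''${JWT}" \
+--header "X-GitHub-Api-Version: 2022-11-28" | ${lib.getExe pkgs.jq} -r '.token')
+
+export RENOVATE_TOKEN
+'';
+
+sops.secrets."services/renovate/credentials/privkey.pem".sopsFile = ./secrets.yaml;
 sops.secrets."services/renovate/credentials/GITHUB_COM_TOKEN".sopsFile = ./secrets.yaml;
 }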
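Review bot: The `exp` claim at `exp=$((''${now} + 31536000))` sets expiry one year out while its own comment says ten minutes; GitHub App JWTs must expire within ten minutes, so the access-token request will be rejected, and a long-lived signed JWT is also a larger exposure if it is ever logged or leaked. Change the line to `exp=$((''${now} + 600)) # Expires 10 minutes in the future`. Separately, the curl pipeline has no `--fail`, so a non-2xx reply (rejected JWT, wrong installation id, rate limit) makes `jq -r '.token'` print `null` and that string is exported as RENOVATE_TOKEN instead of the unit failing under `set -euo pipefail`; `${lib.getExe pkgs.curl} --fail --silent --show-error --request POST \` closes that gap. The stray `─╯` after the backslash on that same line looks like a terminal paste artifact; if it is really in the file, the backslash no longer ends the line and the continuation breaks, so it should be removed.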

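--- a/services/renovate/secrets.yaml
+++ b/services/renovate/secrets.yaml
@@ -1,7 +1,7 @@
 services:
 renovate:
 credentials:
-RENOVATE_TOKEN: ENC[AES256_GCM,data:49B3upcK6g4kbo9k9Lcln8f5xs3bOXlDPpuOPaz8hJGkh4VhE0BWKA==,iv:cANZ7MLd2Sq26JVSR6YYpnIpqne2Lxt2hdGj4/yEZa0=,tag:0gUGFv4EPyVM31k1qM/bnw==,type:str]
+privkey.pem: ENC[AES256_GCM,data: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,iv:ukEg0y0YIiXwsWRoZ3Nzcr4FmZLN3cawggrSdKnjK6g=,tag:zPFTMeTYCW2d5JGctpMf0A==,type:str]
 GITHUB_COM_TOKEN: ENC[AES256_GCM,data:SY9lern2SEciXpi0BZdlMIE3dgEZirDltg1dffdfwjlT8Zu8jOpH8w==,iv:UJ9wtw2+dKxt51Z2DyuL9JO390j0E9b4y+vxt0dUWqc=,tag:CWe8CRz7IDREXUvYEEVUfg==,type:str]
 sops:
 kms: []
@@ -27,8 +27,8 @@ sops:
 eWI0TzRXYTJJOHhjOGI1T3Qwc3BaQ2cKmi3+zgui0ygValtfjJK+MnAuND2A4l2Z
 QbY1bzY0ijaRSrqiIDCoTyY1/f2EPutICZZdt6yTRJfZQLSLg2DMgg==
 -----END AGE ENCRYPTED FILE-----
-lastmodified: "2025-01-22T09:04:11Z"
-mac: ENC[AES256_GCM,data:paAH93BmAct43p3q4JBO8mNqmU00/N39/I7pdpiPI249YcKLQL46jkOECOGnjojbKkkIPz/eq9vlCVDVYct1KGGKIvIetXMAvDfcGrzs9Iyb2PBZS+N5NNSUe00Or5yccAk9v1q6mXcH/knfIO0pka2WX7dw8RedqpjkZLs6XTs=,iv:fUKa8QPQ1ZVHe+bIx+NZllrBDyXHN7rvOIjb3cphogg=,tag:5O/yUhhGWTaBuVa0CnqFrg==,type:str]
+lastmodified: "2025-02-20T10:49:07Z"
+mac: ENC[AES256_GCM,data:txekxIDjFMFdXQTW6B7V9f+EW1XOH0GE6fswAAwBf61bOhhwHq0lIlXIpS+6CKESOzzp26lbx4FGBYoJABFcP1soIbVSnWSdvxS9XpOAus0cAGHKSQicP+sJMDELQxbTUmbAu8aBI6I9bjHPPzB9sbnNLjv6s3kLM9r78gvg1NY=,iv:o8lOhT4hNPlbNvWxECmso0O6DLwNA31JoXdRAntneEo=,tag:t392u8RiyooJfSC/EI/8cA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
-version: 3.9.3
+version: 3.9.4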
