
fix: let renovate regenerate uv lockfiles #421


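name: ci
# Self-CI for github-action-templates.
#
# This repo is the shared source-of-truth for consumer repos across
# multiple orgs — every push to main effectively ships to production
# immediately, since:
#
# * `default.json` is the Renovate preset extended by every consumer's
#   `renovate.json` via `github>jr200-labs/github-action-templates`
# * The `*.yml` workflows are reusable workflows referenced via
#   `uses: jr200-labs/github-action-templates/.github/workflows/<x>.yml@master`
#
# A broken commit here breaks every consumer on their next run, with no
# rollback path other than another forward commit. This CI gate exists so
# that broken changes are caught at PR time instead of in production.
#
# Tracked in JRL-20.
on:
  pull_request:
    branches: [master]
  push:
    branches: [master]
  schedule:
    # Weekly. The pin-lint job below enforces that no packageRule pin
    # has a review-by date in the past — without a cron, a pin whose
    # date expires between PRs would stay invisible until the next
    # touch. Running weekly catches expiry within a week of lapsing.
    - cron: '23 7 * * 1'
  workflow_dispatch:
# Workflow-wide token scope: read-only. No job here writes back to the
# repo, so nothing below needs (or is granted) more than this.
permissions:
  contents: read
jobs:
  validate-renovate-preset:
    # Validates default.json + renovate.json against Renovate's strict schema.
    # Pinned to the renovate@43 major (npx resolves the latest 43.x from the
    # registry at run time) to match `renovate-version: '43'` baked into the
    # `renovatebot/github-action@v46.1.8` action that the cron workflow uses
    # in `renovate.yml`. If we drift from that version we risk validating
    # against one schema and running against another.
    runs-on: ${{ fromJSON(vars.RUNNER_PROFILES)[vars.RUNNER_PROFILE].default }}
    steps:
      - uses: actions/checkout@v6
      - name: Setup Node
        uses: actions/setup-node@v6
        with:
          node-version: '24.16.0'
      - name: Validate Renovate config
        run: |
          npx --yes --package=renovate@43 -- \
            renovate-config-validator --strict default.json renovate.json
  validate-workflow-syntax:
    # actionlint catches: YAML parse errors, invalid `if:` expressions,
    # missing/duplicate inputs, wrong action ref formats, undefined step
    # outputs, etc. Shellcheck integration is disabled because the
    # existing `run:` blocks have a long tail of low-priority style
    # findings (SC2086 etc.) that are out of scope for this gate — those
    # can be cleaned up separately if/when desired.
    #
    # `-ignore` patterns suppress known pre-existing warnings that we
    # haven't fixed yet, so the gate stays green on day one. When the
    # underlying issue is fixed, the corresponding `-ignore` line should
    # be removed so any future regression is caught.
    runs-on: ${{ fromJSON(vars.RUNNER_PROFILES)[vars.RUNNER_PROFILE].default }}
    steps:
      - uses: actions/checkout@v6
      - name: Install actionlint
        id: get_actionlint
        # Supply-chain note: this fetches the bootstrap script from the
        # mutable `main` ref of the upstream repo and executes it unpinned,
        # and the script in turn downloads the actionlint binary. The gate
        # therefore trusts whatever upstream serves at run time. Pinning the
        # script URL to a commit SHA and verifying the downloaded binary's
        # checksum would make this step reproducible and tamper-evident.
        run: |
          bash <(curl -fsSL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
          echo "exe=$(pwd)/actionlint" >> "$GITHUB_OUTPUT"
      - name: Run actionlint
        # `exe` is produced by the previous step in this same job (not from
        # any external or PR-controlled input), so interpolating it into the
        # shell line is safe here.
        run: |
          "${{ steps.get_actionlint.outputs.exe }}" \
            -color \
            -shellcheck= \
            -ignore 'peaceiris/actions-gh-pages@v3'
  validate-shared-sync:
    # Runs the repo's own test script for the shared sync scripts.
    runs-on: ${{ fromJSON(vars.RUNNER_PROFILES)[vars.RUNNER_PROFILE].default }}
    steps:
      - uses: actions/checkout@v6
      - name: Test shared sync scripts
        run: ./scripts/test-shared-sync.sh
  validate-renovate-pins:
    # Enforces the no-forever-pin policy on default.json packageRules.
    # Every version-scoped disable (matchPackageNames + enabled: false)
    # must carry a `review-by: YYYY-MM-DD` token in its description,
    # and that date must be neither in the past nor more than 31 days
    # out. The weekly cron on this workflow is what makes expired pins
    # loud — without it a lapsed review-by could sit unnoticed until
    # the next PR touched default.json.
    runs-on: ${{ fromJSON(vars.RUNNER_PROFILES)[vars.RUNNER_PROFILE].default }}
    steps:
      - uses: actions/checkout@v6
      - name: Lint Renovate pins
        run: ./scripts/lint-renovate-pins.sh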