Merge pull request #11 from p5/fancy-readme

feat(renovate): add a shared configuration file

Author: cgwalters

.github/workflows/renovate.yml

@@ -1,6 +1,18 @@
 name: Renovate
 on:
   workflow_dispatch:
+    inputs:
+      log-level:
+        description: "Set the Renovate log level (default: info)"
+        required: false
+        default: info
+        type: choice
+        options:
+          - info
+          - debug
+  pull_request:
+    branches:
+      - main
   schedule:
     - cron: '3 * * * *'
 jobs:
@@ -20,6 +32,9 @@ jobs:
 
       - name: Self-hosted Renovate
         uses: renovatebot/[email protected]
+        env:
+          RENOVATE_DRY_RUN: ${{ github.event_name == 'pull_request' && 'full' }}
+          LOG_LEVEL: ${{ github.event.inputs.log-level || 'info' }}
         with:
           configurationFile: renovate-config.js
-          token: '${{ steps.token.outputs.token }}'
+          token: '${{ steps.token.outputs.token }}'

README.md

@@ -1,4 +1,88 @@
-# CI infra
+# CI Infrastructure
 
-This repository currently just has a self-hosted Renovate instance
-via <https://github.com/renovatebot/github-action>.
+This repository provides centralised configuration and automation for the [bootc-dev](https://github.com/bootc-dev) organisation. It is designed to simplify and standardise infrastructure, with Renovate as one part of the overall setup. The repository will grow to support additional infrastructure and automation purposes in the future as needed.
+
+
+## Table of Contents
+
+- [Purpose](#purpose)
+- [Renovate](#renovate)
+- [Getting Started](#getting-started)
+- [Support & Contributions](#support--contributions)
+- [License](#license)
+
+---
+
+## Purpose
+
+The main goal of this repository is to:
+
+- **Centralise configuration** for CI and automation tools across the organisation.
+- **Simplify onboarding** for new repositories and maintainers.
+- **Enable strict configuration inheritance** for consistency, with flexibility for overrides.
+- **Group and manage dependencies and automation** for easier review and maintenance.
+
+---
+
+
+## Renovate
+
+This section describes how Renovate Bot is configured and used in this repository to manage dependency updates across multiple repositories in the organisation.
+
+### How It Works
+
+1. **Autodiscovery**: Renovate is configured to automatically find all repositories the GitHub App token has access to.
+1. **Shared Configuration**: The `renovate-shared-config.json` file defines base rules, grouping strategies, and custom package rules. All repositories inherit these settings unless they opt out.
+1. **No Onboarding PRs**: Onboarding PRs are disabled, so repositories start using the shared config immediately.
+1. **Branch Naming**: All Renovate branches are prefixed for easy identification.
+1. **Platform Support**: The configuration is tailored for GitHub, with support for forked repositories and platform-specific features.
+
+#### For Repository Maintainers
+
+If your repository is part of the bootc-dev GitHub organisation:
+
+1. **Inherit the central config**: By default, your repository will use the shared configuration from this repo. No additional setup is required unless you want to override specific settings.
+1. **Customise if needed**: You can add your own `renovate.json` or similar config file in your repository to override or extend the shared settings.
+1. **Review dependency PRs**: Renovate will create PRs for dependency updates according to the shared rules, grouping, and strategies defined here.
+
+#### For Organisation Admins
+
+- **Update shared config**: To change organisation-wide Renovate behaviour, edit the configuration files in this repository. Changes will propagate to all inheriting repositories.
+- **Monitor and audit**: Use the central config to ensure compliance and best practices across all projects.
+
+### Manually Running Renovate
+
+You can manually trigger the Renovate workflow from the GitHub Actions tab:
+
+1. Go to the **Actions** tab in this repository.
+2. Select the **Renovate** workflow.
+3. Click **Run workflow**.
+4. Optionally, set the log level (`info` or `debug`) before starting.
+
+This is useful for testing configuration changes or running Renovate outside the scheduled times.
+
+#### Key Features
+
+- **Best-practices base config**: Extends Renovate's recommended settings for reliability and security.
+- **Commit sign-off**: Ensures all dependency update commits are signed off for traceability.
+- **Dependency grouping**: Groups updates for GitHub Actions, Rust, Docker, and more for easier review.
+- **Custom rules**: Includes rules for disabling certain updates (e.g., Fedora OCI images) and controlling digest pinning.
+
+---
+
+## Getting Started
+
+1. Ensure your repository is part of the organisation and Renovate is installed.
+1. Review the [Renovate documentation](https://docs.renovatebot.com/) for advanced usage and customisation options.
+
+---
+
+## Support & Contributions
+
+For questions or improvements, open an issue or pull request in this repository. Contributions to the shared configuration are welcome and help improve dependency management for all projects in the organisation.
+
+---
+
+## License
+
+MIT OR Apache-2.0

renovate-config.js

@@ -1,21 +1,29 @@
 module.exports = {
+  // Find all repositories the GitHub App token has permissions to
   autodiscover: true,
-  branchPrefix: 'test-renovate/',
+
+  // Don't create the onboarding PRs
+  //
+  // All repositories in the organisation will inherit the shared configuration
+  // (./renovate-shared-config.json) by default unless they opt-out.
+  onboarding: false,
+
+  // Centralise all Renovate configuration into this repository
+  //
+  // This allows for easier management of Renovate settings across multiple
+  // repositories.  Each individual repository can still contain their own
+  // configuration.
+  inheritConfig: true,
+  inheritConfigRepoName: '{{parentOrg}}/infra',
+  inheritConfigFileName: "renovate-shared-config.json",
+  inheritConfigStrict: true,
+
+  // Prefix all branches created by Renovate with "bootc-renovate/"
+  branchPrefix: 'bootc-renovate/',
+
+  // Configure Renovate to use GitHub-specific API calls
   platform: 'github',
+
+  // Enable dependency updates on forked repositories in the organisation
   forkProcessing: 'enabled',
-  packageRules: [
-    {
-      description: 'lockFileMaintenance',
-      matchUpdateTypes: [
-        'pin',
-        'digest',
-        'patch',
-        'minor',
-        'major',
-        'lockFileMaintenance',
-      ],
-      dependencyDashboardApproval: false,
-      minimumReleaseAge: '0 days',
-    },
-  ],
 };

renovate-shared-config.json

@@ -0,0 +1,64 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    // Base configuration
+    "config:best-practices",
+
+    // Add "Signed-off-by" footer to commit messages
+    ":gitSignOff",
+
+    // Catch-all for grouping dependencies not caught by other groups
+    "group:all"
+  ],
+
+  // Rebase when there are merge conflicts
+  //
+  // The "conflicted" option is typically the ideal choice for most situations
+  // where you don't want to burn CI credits, while still keeping your branch
+  // in a mergeable state at all times.
+  "rebaseWhen": "conflicted",
+
+  "packageRules": [
+    // Group GitHub Actions dependencies
+    {
+      "description": "GitHub Actions dependencies",
+      "matchManagers": ["github-actions"],
+      "groupName": "GitHub Actions",
+      "enabled": true
+    },
+
+    // Group Rust dependencies
+    {
+      "description": "Rust dependencies",
+      "matchManagers": ["cargo"],
+      "groupName": "Rust",
+      "enabled": true
+    },
+
+    // Group Docker dependencies
+    {
+      "description": "Docker dependencies",
+      "matchManagers": ["dockerfile"],
+      "groupName": "Docker",
+      "enabled": true
+    },
+
+    // Disable Containerfile digest pinning
+    {
+      "description": "Containerfile digest pinning",
+      "matchManagers": ["dockerfile"],
+      "pinDigests": false
+    },
+
+    // Disable Fedora OCI updates
+    //
+    // This is due to there not being an easy way to tell Renovate which
+    // Fedora version is "stable" and which has not been released yet.
+    {
+      "description": "Disable Fedora OCI updates",
+      "matchManagers": ["dockerfile"],
+      "matchDepNames": ["quay.io/fedora/fedora"],
+      "enabled": false
+    }
+  ]
+}