renovate-analysis.yml
name: Renovate PR Analysis

on:
  pull_request:
    types: [opened, synchronize, reopened]
  workflow_dispatch:
    inputs:
      pr_number:
        description: 'PR number to analyze (leave empty for all open Renovate PRs)'
        required: false
        type: string

env:
  OWNER: lenaxia
  REPO: talos-ops-prod

jobs:
  analyze-prs:
    # Only run for Renovate PRs or manual triggers
    if: |
      github.event_name != 'pull_request' ||
      github.event.pull_request.user.login == 'renovate[bot]'
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
      pull-requests: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      # Skip analysis if the PR was already analyzed and hasn't been updated since
      - name: Check if already analyzed
        id: pre-check
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TRIGGERING_PR: ${{ github.event.pull_request.number || inputs.pr_number || '' }}
          EVENT_NAME: ${{ github.event_name }}
        run: |
          # Only skip-check for single-PR pull_request events (not manual all-PR runs)
          if [ "$EVENT_NAME" != "pull_request" ] || [ -z "$TRIGGERING_PR" ]; then
            echo "skip=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          echo "Checking if PR #$TRIGGERING_PR was already analyzed..."
          PR_DATA=$(gh pr view "$TRIGGERING_PR" --json updatedAt)
          PR_UPDATED=$(echo "$PR_DATA" | jq -r '.updatedAt')
          echo "PR last updated: $PR_UPDATED"

          EXISTING_COMMENTS=$(gh pr view "$TRIGGERING_PR" --json comments \
            --jq '.comments[] | select(.author.login == "github-actions" and (.body | startswith("## Renovate PR Analysis")))')

          if [ -z "$EXISTING_COMMENTS" ]; then
            echo "No existing analysis found. Proceeding."
            echo "skip=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          echo "Found existing analysis comment(s)"
          COMMENT_DATE=$(echo "$EXISTING_COMMENTS" | jq -r '.createdAt' | tail -1)
          echo "Most recent analysis: $COMMENT_DATE"

          PR_UPDATED_TS=$(date -d "$PR_UPDATED" +%s 2>/dev/null || echo "0")
          COMMENT_DATE_TS=$(date -d "$COMMENT_DATE" +%s 2>/dev/null || echo "0")
          COMMENT_BUFFER_TS=$((COMMENT_DATE_TS + 60))

          if [ "$PR_UPDATED_TS" -le "$COMMENT_BUFFER_TS" ]; then
            echo "PR #$TRIGGERING_PR already analyzed and not updated since. Skipping."
            echo "skip=true" >> "$GITHUB_OUTPUT"
          else
            echo "PR #$TRIGGERING_PR updated after last analysis. Re-analyzing."
            echo "skip=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Analyze with OpenCode
        if: steps.pre-check.outputs.skip != 'true'
        uses: anomalyco/opencode/github@v1.14.31
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          OPENAI_API_BASE: ${{ secrets.OPENAI_API_BASE }}
          OPENAI_MODEL: ${{ vars.OPENAI_MODEL }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          model: ${{ vars.OPENAI_PROVIDER || 'openai' }}/${{ vars.OPENAI_MODEL }}
          use_github_token: "true"
          share: "false"
          prompt: |
            You are an AI assistant that analyzes Renovatebot pull requests for talos-ops-prod, a Talos Linux Kubernetes cluster managed with Flux GitOps.

            Target PR (empty = find and analyze all open Renovate PRs): ${{ inputs.pr_number }}

            Task: Analyze Renovate PR(s) and post a detailed report as a PR comment. Do NOT merge any PRs.

            For each PR to analyze:

            1. Parse the PR title: identify the dependency, version range (old → new), update type (patch/minor/major/digest).

            2. Identify the upstream repository:
               - Helm charts: Chart.yaml repository URL or PR body links
               - Docker images: image source repository
               - GitHub Actions: the action's repository
               - Check the PR body for links

            3. Fetch release notes from upstream for the new version(s). For minor/major, fetch all versions between old and new.

            4. Analyze impact on this codebase:
               - Helm charts: check the helmrelease.yaml values we're currently using
               - GitHub Actions: check .github/workflows/ usage
               - Breaking changes? Deprecated options we use? New required parameters?

            5. Post a comment on the PR using this exact structure:

               ## Renovate PR Analysis

               ### Update Summary
               - Dependency: [name]
               - Version: [old] → [new]
               - Type: [patch/minor/major/digest]

               ### Release Changes
               [new features, bug fixes, security fixes]

               ### Breaking Changes
               [list, or "None affecting our usage"]

               ### Configuration Changes Required
               [specific changes needed to our Helm values or config, or "None"]

               ### Migration Notes
               [migration steps from upstream, or "None"]

               ### Recommendation
               [Safe to merge / Needs manual review / Requires code changes] — [reason]

            6. Act on the recommendation:
               - Safe to merge: merge with squash method (github_merge_pull_request)
               - Requires code changes: create branch config/renovate-pr-{number}-changes, make changes, open a PR, comment on the Renovate PR with the link
               - Needs manual review: post comment only, do NOT merge

            Special exclusions (always "Needs manual review", never auto-merge):
            - MinIO — deprecated open source, became open source hostile
            - Bitnami — revoked open-source license

            Skip PRs with "abandoned" in the title.
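As an added example, not code from this workflow or from the talos-ops-prod repository: the title parsing of prompt step 1 and the hard rules of step 6 (the MinIO/Bitnami exclusions and the "abandoned" skip) written as deterministic Python, so the parts of the triage that do not need a model can be checked before anything is posted or merged. The two title shapes it accepts ("update X to NEW" and "update X ( OLD → NEW )") and the sample titles in the test are assumptions, not taken from the page.

```python
import re
from typing import Optional

# Assumed title shapes: "update <dep> to <new>" and "update <dep> ( <old> → <new> )",
# optionally prefixed with a conventional-commit scope such as "chore(deps): ".
TITLE_RE = re.compile(
    r"^(?:[a-z]+(?:\([^)]*\))?:\s*)?update\s+(?P<dep>.+?)"
    r"(?:\s+\(\s*(?P<old>\S+)\s+→\s+(?P<new>\S+)\s*\)|\s+to\s+(?P<to>\S+))\s*$",
    re.IGNORECASE,
)
# From the workflow prompt: these upstreams are always "Needs manual review".
MANUAL_REVIEW = ("minio", "bitnami")


def semver(v: str) -> Optional[tuple]:
    """Parse 'v1.16.3' / '1.16' into (major, minor, patch); None if not semver-like."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?$", v)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def update_type(dep: str, old: Optional[str], new: str) -> str:
    """Classify as digest/major/minor/patch the way the prompt's step 1 asks."""
    if "digest" in dep.lower():
        return "digest"
    o, n = (semver(old) if old else None), semver(new)
    if o is None or n is None:
        return "unknown"  # e.g. a title that carries no old version
    if n[0] != o[0]:
        return "major"
    if n[1] != o[1]:
        return "minor"
    return "patch"


def triage(title: str) -> Optional[dict]:
    """Return parsed fields plus any forced recommendation; None means 'skip this PR'."""
    if "abandoned" in title.lower():
        return None  # prompt: skip PRs with "abandoned" in the title
    m = TITLE_RE.match(title)
    if not m:  # unparseable title: never let it reach the auto-merge branch
        return {"dependency": None, "old": None, "new": None,
                "type": "unknown", "recommendation": "Needs manual review"}
    dep, old, new = m["dep"], m["old"], m["new"] or m["to"]
    forced = None
    if any(x in dep.lower() for x in MANUAL_REVIEW):
        forced = "Needs manual review"  # exclusion list wins over any analysis
    return {"dependency": dep, "old": old, "new": new,
            "type": update_type(dep, old, new), "recommendation": forced}
```

A recommendation of None means the title alone decides nothing and the release-notes analysis of steps 2 to 5 still has to run.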