Commit
Merge branch 'main' into feat/27485-bitbucket-task-autocomplete
Showing 25 changed files with 678 additions and 261 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
FROM ghcr.io/containerbase/devcontainer:11.11.6 | ||
FROM ghcr.io/containerbase/devcontainer:11.11.8 |
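Review bot: the `FROM` line in this hunk still pins the base image by tag only (`ghcr.io/containerbase/devcontainer:11.11.8`), and a tag can be repointed on the registry side without any change visible in this repository. Since the line is being touched for the version bump anyway, consider pinning the digest alongside the tag, e.g. `FROM ghcr.io/containerbase/devcontainer:11.11.8@sha256:<digest of the 11.11.8 image, to be filled in>`, so the human-readable tag and the immutable reference move together on each bump.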
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -307,7 +307,7 @@ Renovate will get the credentials with the [`google-auth-library`](https://www.n | |
service_account: ${{ env.SERVICE_ACCOUNT }} | ||
|
||
- name: renovate | ||
uses: renovatebot/[email protected].6 | ||
uses: renovatebot/[email protected].7 | ||
env: | ||
RENOVATE_HOST_RULES: | | ||
[ | ||
|
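Review bot: the `uses:` line in this hunk pins the Renovate GitHub Action by version tag only. Tags on third-party actions are mutable, and this is the job that carries the `service_account` value and the `RENOVATE_HOST_RULES` credentials, so a full-length commit SHA pin with the version kept in a trailing comment (`uses: renovatebot/github-action@<full commit sha of the release> # <version tag>`) would remove the remaining trust in the tag. The `env:` block below the changed line is unchanged context.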
@@ -427,33 +427,67 @@ If you have dependencies on Google Container Registry (and Artifact Registry) yo | |
|
||
##### Using short-lived access token / Gitlab CI / Google Cloud | ||
|
||
Assume you are running GitLab CI in the Google Cloud, and you are storing your Docker images in the Google Container Registry (GCR). | ||
For this example, assume that you want to: | ||
|
||
Access to the GCR uses Bearer token based authentication. | ||
This token can be obtained by running `gcloud auth print-access-token`, which requires the Google Cloud SDK to be installed. | ||
- Run the GitLab CI in the Google Cloud | ||
- Store your Docker images in the Google Container Registry (GCR) | ||
|
||
The token expires after 60 minutes so you cannot store it in a variable for subsequent builds (like you can with `RENOVATE_TOKEN`). | ||
###### Accessing the Google Container Registry | ||
|
||
When running Renovate in this context the Google access token must be retrieved and injected into the `hostRules` configuration just before Renovate is started. | ||
Accessing the GCR uses Bearer token based authentication. | ||
|
||
_This documentation gives **a few hints** on **a possible way** to achieve this end result._ | ||
First, install the Google Cloud SDK. | ||
Then get the token by running: `gcloud auth print-access-token`. | ||
|
||
The basic approach is that you create a custom image and then run Renovate as one of the stages of your project. | ||
To make this run independent of any user you should use a [`Project Access Token`](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html) (with Scopes: `api`, `read_api` and `write_repository`) for the project and use this as the `RENOVATE_TOKEN` variable for GitLab CI. | ||
See also the [renovate-runner repository on GitLab](https://gitlab.com/renovate-bot/renovate-runner) where `.gitlab-ci.yml` configuration examples can be found. | ||
###### Short-lived GCR Bearer tokens | ||
|
||
To get access to the token a custom Renovate Docker image is needed that includes the Google Cloud SDK. | ||
The Dockerfile to create such an image can look like this: | ||
The GCR Bearer token expires after 60 minutes. | ||
This means you can _not_ re-use the token in a later build. | ||
|
||
Instead, _before_ Renovate starts in the GCR context, you must: | ||
|
||
1. Fetch the Google access token | ||
1. Inject the token into the `hostRules` configuration | ||
|
||
The following text explains one way to fetch the token, and inject it into Renovate. | ||
|
||
###### Basic approach | ||
|
||
The basic approach is: | ||
|
||
1. Create a custom image: fetch the GCR token, and inject the token into Renovate's `config.js` file | ||
1. Then run Renovate as one of the stages of your project | ||
|
||
###### Independent runs | ||
|
||
To make the run independent of any user, use a [`Project Access Token`](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html). | ||
Give the Project Access Token these scopes: | ||
|
||
- `api` | ||
- `read_api` | ||
- `write_repository` | ||
|
||
Then use the Project Access Token as the `RENOVATE_TOKEN` variable for GitLab CI. | ||
For more (`gitlab-ci.yml`) configuration examples, see the [`renovate-runner` repository on GitLab](https://gitlab.com/renovate-bot/renovate-runner). | ||
|
||
###### Create a custom image | ||
|
||
To access the token, you need a custom Renovate Docker image. | ||
Make sure to install the Google Cloud SDK into the custom image, as you need the `gcloud auth print-access-token` command later. | ||
|
||
For example: | ||
|
||
```Dockerfile | ||
FROM renovate/renovate:38.39.6 | ||
FROM renovate/renovate:38.52.3 | ||
# Include the "Docker tip" which you can find here https://cloud.google.com/sdk/docs/install | ||
# under "Installation" for "Debian/Ubuntu" | ||
RUN ... | ||
``` | ||
|
||
For Renovate to access the Google Container Registry (GCR) it needs the current Google Access Token. | ||
The configuration fragment to do that looks something like this: | ||
###### Accessing the Google Container Registry (GCR) | ||
|
||
Renovate needs the current Google Access Token to access the Google Container Registry (GCR). | ||
Here's an example of how to set that up: | ||
|
||
```js | ||
hostRules: [ | ||
|
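Review bot: step 1 of the new "Basic approach" list ("Create a custom image: fetch the GCR token, and inject the token into Renovate's `config.js` file") reads as if the token is fetched and written at image build time, which contradicts the "Short-lived GCR Bearer tokens" section just above it (the token expires after 60 minutes and must be fetched right before Renovate starts) and, followed literally, would leave a credential in an image layer. Suggest splitting the step: the custom image only adds the Google Cloud SDK, while fetching the token and writing `config.js` happen in the CI job at run time, as the "Create a custom image" section and the later `.gitlab-ci.yml` example already describe. Minor, carried over from the old wording: in the "Independent runs" scope list, `api` is a superset of `read_api`, so listing both does not narrow the token; naming the smallest set of scopes Renovate actually needs would better match the least-privilege intent of the section.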
@@ -464,7 +498,12 @@ hostRules: [ | |
]; | ||
``` | ||
|
||
One way to provide the short-lived Google Access Token to Renovate is by generating these settings into a `config.js` file from within the `.gitlab-ci.yml` right before starting Renovate: | ||
One way to give Renovate the short-lived Google Access Token is to: | ||
|
||
1. Write a script that generates a `config.js` file, with the token, in your `gitlab-ci.yml` file | ||
1. Run the `config.js` creation scrip just before you start Renovate | ||
|
||
For example: | ||
|
||
```yaml | ||
script: | ||
|
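Review bot: typo in the second list item of this hunk, "creation scrip" should be "creation script"; the first item also says "your `gitlab-ci.yml` file" where the removed sentence and GitLab's convention use `.gitlab-ci.yml`, so the leading dot should be restored. Since these steps have the job write the short-lived access token into a `config.js` on the runner, one sentence next to the example telling readers not to cache that file, not to publish it as a job artifact, and not to echo it into the job log (for instance through `set -x` in the script) would be worth adding.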