From 31a2b30f14836db80a1efebdfe3406efde3a9e68 Mon Sep 17 00:00:00 2001
From: oliver
Date: Wed, 8 Jan 2025 10:43:46 +0000
Subject: [PATCH] Update .forgejo/workflows/renovate.yml
---
 .forgejo/workflows/renovate.yml | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/.forgejo/workflows/renovate.yml b/.forgejo/workflows/renovate.yml
index 59fa2da..3e49f8c 100644
--- a/.forgejo/workflows/renovate.yml
+++ b/.forgejo/workflows/renovate.yml
@@ -17,7 +17,6 @@ on:
 env:
 RENOVATE_DRY_RUN: ${{ (github.event_name != 'schedule' && github.ref_name != github.event.repository.default_branch) && 'full' || '' }}
- RENOVATE_AUTODISCOVER: 'true'
 jobs:
 renovate:
@@ -26,6 +25,23 @@ jobs:
 image: renovate/renovate:39.91.2
 steps:
+ - name: "Import Secrets"
+ id: "import-secrets"
+ uses: "https://github.com/hashicorp/vault-action@v3"
+ with:
+ url: "https://vault.w9r.dev"
+ method: "approle"
+ role: "forgejo-ci"
+ roleId: "${{ secrets.ROLE_ID }}"
+ secretId: "${{ secrets.SECRET_ID }}"
+ secrets: |
+ kv/data/ci/nexus username | MAVEN_USERNAME ;
+ kv/data/ci/nexus password | MAVEN_CENTRAL_TOKEN ;
+ kv/data/ci/renovatebot gpgPrivateKey | RENOVATE_GIT_PRIVATE_KEY ;
+ kv/data/ci/renovatebot gpgPublicKey | RENOVATE_GIT_PUBLIC_KEY ;
+ kv/data/ci/renovatebot gpgPassphrase | RENOVATE_GIT_PASSPHRASE ;
+ kv/data/ci/renovatebot ciToken | RENOVATE_TOKEN ;
+ kv/data/ci/renovatebot githubToken | GITHUB_COM_TOKEN :
 - name: Load renovate repo cache
 uses: https://github.com/actions/cache@v4
 with:
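Review bot: The last entry of the added `secrets:` block ends in ` :` where every other entry ends in ` ;`, so vault-action will most likely either fail to parse it or export the GitHub token under a name other than `GITHUB_COM_TOKEN`; it should read `kv/data/ci/renovatebot githubToken | GITHUB_COM_TOKEN ;`. This step is handed the AppRole `roleId`/`secretId` and fetches a GPG private key, yet `vault-action@v3` is a movable tag; pinning to a full commit SHA, `uses: "https://github.com/hashicorp/vault-action@<full-commit-sha>"`, keeps a retagged release from running with those credentials. With the action's default `exportEnv` behaviour all seven values are exported to every later step in the job, including the third-party cache steps. Setting `exportEnv: false` and passing `steps.import-secrets.outputs.*` only in the `env:` of "Run renovate" would narrow that exposure.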
@@ -40,23 +56,15 @@ jobs:
 - name: Run renovate
 run: renovate
 env:
- GITHUB_COM_TOKEN: ${{ secrets.RENOVATE_GITHUB_COM_TOKEN }}
 LOG_LEVEL: debug
 RENOVATE_BASE_DIR: ${{ github.workspace }}/.tmp
- RENOVATE_ENDPOINT: ${{ github.server_url }}
- RENOVATE_PLATFORM: gitea
 RENOVATE_REPOSITORY_CACHE: 'enabled'
- RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
 RENOVATE_GIT_AUTHOR: 'RenovateBot '
- RENOVATE_GIT_PRIVATE_KEY: ${{ secrets.RENOVATE_GIT_PRIVATE_KEY }}
- RENOVATE_X_SQLITE_PACKAGE_CACHE: true
- GIT_AUTHOR_NAME: 'RenovateBot'
 GIT_AUTHOR_EMAIL: 'renovatebot@w9r.dev'
 GIT_COMMITTER_NAME: 'RenovateBot'
 GIT_COMMITTER_EMAIL: 'renovatebot@w9r.dev'
- OSV_OFFLINE_ROOT_DIR: ${{ github.workspace }}/.tmp/osv
 - name: Save renovate repo cache