Update .forgejo/workflows/renovate.yml

2025-01-08 10:43:46 +00:00 · 2025-01-08 10:43:46 +00:00 · 31a2b30f14
commit 31a2b30f14
parent 5b1b30c4fa
1 changed files with 17 additions and 9 deletions
--- a/.forgejo/workflows/renovate.yml
+++ b/.forgejo/workflows/renovate.yml
@ -17,7 +17,6 @@ on:

 env:
  RENOVATE_DRY_RUN: ${{ (github.event_name != 'schedule' && github.ref_name != github.event.repository.default_branch) && 'full' || '' }}
-  RENOVATE_AUTODISCOVER: 'true'

 jobs:
  renovate:
@ -26,6 +25,23 @@ jobs:
      image: renovate/renovate:39.91.2

    steps:
+      - name: "Import Secrets"
+        id: "import-secrets"
+        uses: "https://github.com/hashicorp/vault-action@v3"
+        with:
+          url: "https://vault.w9r.dev"
+          method: "approle"
+          role: "forgejo-ci"
+          roleId: "${{ secrets.ROLE_ID }}"
+          secretId: "${{ secrets.SECRET_ID }}"
+          secrets: |
+            kv/data/ci/nexus username | MAVEN_USERNAME ;
+            kv/data/ci/nexus password | MAVEN_CENTRAL_TOKEN ;
+            kv/data/ci/renovatebot gpgPrivateKey | RENOVATE_GIT_PRIVATE_KEY ;
+            kv/data/ci/renovatebot gpgPublicKey | RENOVATE_GIT_PUBLIC_KEY ;
+            kv/data/ci/renovatebot gpgPassphrase | RENOVATE_GIT_PASSPHRASE ;
+            kv/data/ci/renovatebot ciToken | RENOVATE_TOKEN ;
+            kv/data/ci/renovatebot githubToken | GITHUB_COM_TOKEN :
      - name: Load renovate repo cache
        uses: https://github.com/actions/cache@v4
        with:
@ -40,23 +56,15 @@ jobs:
      - name: Run renovate
        run: renovate
        env:
-          GITHUB_COM_TOKEN: ${{ secrets.RENOVATE_GITHUB_COM_TOKEN }}
          LOG_LEVEL: debug
          RENOVATE_BASE_DIR: ${{ github.workspace }}/.tmp
-          RENOVATE_ENDPOINT: ${{ github.server_url }}
-          RENOVATE_PLATFORM: gitea
          RENOVATE_REPOSITORY_CACHE: 'enabled'
-          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
          RENOVATE_GIT_AUTHOR: 'RenovateBot <renovatebot@w9r.dev>'
-          RENOVATE_GIT_PRIVATE_KEY: ${{ secrets.RENOVATE_GIT_PRIVATE_KEY }}
-
          RENOVATE_X_SQLITE_PACKAGE_CACHE: true
-
          GIT_AUTHOR_NAME: 'RenovateBot'
          GIT_AUTHOR_EMAIL: 'renovatebot@w9r.dev'
          GIT_COMMITTER_NAME: 'RenovateBot'
          GIT_COMMITTER_EMAIL: 'renovatebot@w9r.dev'
-
          OSV_OFFLINE_ROOT_DIR: ${{ github.workspace }}/.tmp/osv

      - name: Save renovate repo cache