#
# Runs every 2 hours, but Renovate is limited to create new PR before 4am.
# See renovate.json for more settings.
# Automerge is enabled for Renovate PR's but need to be approved before.
#
name: renovate

on:
  push:
    branches:
      - renovate/** # self-test updates
    paths:
      - .forgejo/workflows/renovate.yml
  schedule:
    - cron: '0 0/2 * * *'
  workflow_dispatch:

env:
  RENOVATE_DRY_RUN: ${{ (github.event_name != 'schedule' && github.ref_name != github.event.repository.default_branch) && 'full' || '' }}
  RENOVATE_PRINT_CONFIG: 'true'

jobs:
  renovate:
    runs-on: docker
    container:
      image: renovate/renovate:39.180.2@sha256:bfa5da27354eba188bfd0fb32602b5973ac82d29ba9f0346f97911df5f522961

    steps:
      - name: "Import Secrets"
        id: "import-secrets"
        uses: "https://github.com/hashicorp/vault-action@a1b77a09293a4366e48a5067a86692ac6e94fdc0" # v3
        with:
          url: "https://vault.w9r.dev"
          method: "approle"
          role: "forgejo-ci"
          roleId: "${{ secrets.VAULT_ROLE_ID }}"
          secretId: "${{ secrets.VAULT_SECRET_ID }}"
          secrets: |
            kv/data/ci/nexus username | MAVEN_USERNAME ;
            kv/data/ci/nexus password | MAVEN_CENTRAL_TOKEN ;
            kv/data/ci/renovatebot gpgPrivateKey | RENOVATE_GPG_PRIVATE_KEY ;
            kv/data/ci/renovatebot gpgPublicKey | RENOVATE_GPG_PUBLIC_KEY ;
            kv/data/ci/renovatebot gpgPassphrase | RENOVATE_GPG_PASSPHRASE ;
            kv/data/ci/renovatebot ciToken | RENOVATE_TOKEN ;
            kv/data/ci/renovatebot githubToken | GITHUB_COM_TOKEN ;
      - name: Checkout Repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          token: "${{ env.RENOVATE_TOKEN }}"

      - name: Load renovate repo cache
        uses: https://github.com/actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
        with:
          path: |
            .tmp/cache/renovate/repository
            .tmp/cache/renovate/renovate-cache-sqlite
            .tmp/osv            
          key: repo-cache-${{ github.run_id }}
          restore-keys: |
            repo-cache-            
      - name: "Import Commit Signing GPG key"
        id: "import-gpg"
        uses: "https://github.com/crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5" # v6
        with:
          gpg_private_key: "${{ env.RENOVATE_GPG_PRIVATE_KEY }}"
          passphrase: "${{ env.RENOVATE_GPG_PASSPHRASE }}"
          git_user_signingkey: true
          git_commit_gpgsign: true

      - name: "GPG user IDs"
        shell: "bash"
        run: |
          echo "fingerprint: ${{ steps.import-gpg.outputs.fingerprint }}"
          echo "keyid:       ${{ steps.import-gpg.outputs.keyid }}"
          echo "name:        ${{ steps.import-gpg.outputs.name }}"
          echo "email:       ${{ steps.import-gpg.outputs.email }}"

      - name: Run renovate
        run: renovate
        env:
          LOG_LEVEL: debug
          RENOVATE_BASE_DIR: ${{ github.workspace }}/.tmp
          RENOVATE_CONFIG_FILE: ${{ github.workspace }}/config.js
          RENOVATE_REPOSITORY_CACHE: 'enabled'
          RENOVATE_GIT_AUTHOR: 'RenovateBot <renovatebot@w9r.dev>'
          RENOVATE_X_SQLITE_PACKAGE_CACHE: true
          GIT_AUTHOR_NAME: 'RenovateBot'
          GIT_AUTHOR_EMAIL: 'renovatebot@w9r.dev'
          GIT_COMMITTER_NAME: 'RenovateBot'
          GIT_COMMITTER_EMAIL: 'renovatebot@w9r.dev'
          OSV_OFFLINE_ROOT_DIR: ${{ github.workspace }}/.tmp/osv

      - name: Save renovate repo cache
        if: always() && env.RENOVATE_DRY_RUN != 'full'
        uses: https://github.com/actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
        with:
          path: |
            .tmp/cache/renovate/repository
            .tmp/cache/renovate/renovate-cache-sqlite
            .tmp/osv            
          key: repo-cache-${{ github.run_id }}