diff --git a/README.md b/README.md
index 3a0ad51..600dd0d 100644
--- a/README.md
+++ b/README.md
@@ -95,6 +95,7 @@ Compose Anything helps users quickly deploy various services by providing a set
 | [Redpanda](./src/redpanda) | v24.3.1 |
 | [Redis Cluster](./src/redis-cluster) | 8.2.1 |
 | [Redis](./src/redis) | 8.2.1 |
+| [Renovate](./src/renovate) | 42.52.5-full |
 | [Restate Cluster](./src/restate-cluster) | 1.5.3 |
 | [Restate](./src/restate) | 1.5.3 |
 | [SearXNG](./src/searxng) | 2025.1.20-1ce14ef99 |
diff --git a/README.zh.md b/README.zh.md
index b206c4f..4559276 100644
--- a/README.zh.md
+++ b/README.zh.md
@@ -95,6 +95,7 @@ Compose Anything 通过提供一组高质量的 Docker Compose 配置文件,
 | [Redpanda](./src/redpanda) | v24.3.1 |
 | [Redis Cluster](./src/redis-cluster) | 8.2.1 |
 | [Redis](./src/redis) | 8.2.1 |
+| [Renovate](./src/renovate) | 42.52.5-full |
 | [Restate Cluster](./src/restate-cluster) | 1.5.3 |
 | [Restate](./src/restate) | 1.5.3 |
 | [SearXNG](./src/searxng) | 2025.1.20-1ce14ef99 |
diff --git a/src/renovate/.env.example b/src/renovate/.env.example
new file mode 100644
index 0000000..950d9e1
--- /dev/null
+++ b/src/renovate/.env.example
@@ -0,0 +1,102 @@
+# Renovate Configuration
+
+# Image version
+RENOVATE_VERSION=42.52.5-full
+
+# Global registry prefix (optional, e.g., your.registry.com/)
+GLOBAL_REGISTRY=
+
+# Timezone
+TZ=UTC
+
+# ==================== Authentication ====================
+
+# Platform type: github, gitlab, gitea, bitbucket, azure, etc.
+RENOVATE_PLATFORM=github
+
+# API endpoint (leave empty for github.com, gitlab.com, etc.)
+# For self-hosted: https://gitlab.example.com/api/v4
+RENOVATE_ENDPOINT=
+
+# Authentication token (REQUIRED)
+# GitHub: Personal Access Token or GitHub App token
+# GitLab: Personal Access Token or Project Access Token
+# Get token from: https://github.com/settings/tokens (for GitHub)
+RENOVATE_TOKEN=
+
+# Alternative: GitHub.com token (if using GitHub platform)
+GITHUB_COM_TOKEN=
+
+# ==================== Repositories ====================
+
+# Repositories to process (comma-separated)
+# Format: owner/repo or org/repo
+# Example: myorg/repo1,myorg/repo2
+# Leave empty to process all accessible repositories
+RENOVATE_REPOSITORIES=
+
+# ==================== Git Configuration ====================
+
+# Git author for commits
+RENOVATE_GIT_AUTHOR=Renovate Bot
+
+# ==================== Behavior ====================
+
+# Onboarding: Create initial PR to add renovate.json
+RENOVATE_ONBOARDING=true
+
+# Require config in repository
+# Options: required, optional, ignored
+RENOVATE_REQUIRE_CONFIG=optional
+
+# Dry run mode (no actual PRs/commits)
+RENOVATE_DRY_RUN=false
+
+# ==================== Cache ====================
+
+# Enable repository cache for better performance
+RENOVATE_REPOSITORY_CACHE=enabled
+
+# Cache directory inside container
+RENOVATE_CACHE_DIR=/tmp/renovate/cache
+
+# Base directory for cloned repos
+RENOVATE_BASE_DIR=/tmp/renovate/repos
+
+# ==================== Logging ====================
+
+# Log level: fatal, error, warn, info, debug, trace
+RENOVATE_LOG_LEVEL=info
+
+# Log format: text, json
+RENOVATE_LOG_FORMAT=json
+
+# ==================== Package Registry Authentication ====================
+
+# Docker Hub credentials (if checking Docker images in private registries)
+RENOVATE_DOCKER_USER=
+RENOVATE_DOCKER_PASSWORD=
+
+# NPM token (if checking private NPM packages)
+RENOVATE_NPM_TOKEN=
+
+# ==================== Advanced Configuration ====================
+
+# Path to config.js file (inside container)
+RENOVATE_CONFIG_FILE=/usr/src/app/config.js
+
+# ==================== Resources ====================
+
+# CPU limits
+RENOVATE_CPU_LIMIT=2.0
+RENOVATE_CPU_RESERVATION=0.5
+
+# Memory limits
+RENOVATE_MEMORY_LIMIT=2G
+RENOVATE_MEMORY_RESERVATION=512M
+
+# ==================== User/Group ID ====================
+
+# User and group ID for file permissions
+PUID=1000
+PGID=1000
diff --git a/src/renovate/README.md b/src/renovate/README.md
new file mode 100644
index 0000000..94816bf
--- /dev/null
+++ b/src/renovate/README.md
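Review bot: `RENOVATE_GIT_AUTHOR=Renovate Bot` ships a bare name, but Renovate's gitAuthor option is documented as an RFC5322-style `Name <email>` value, so commits produced with this default would carry no usable author address; if the page rendering merely dropped an angle-bracketed address here (the compose default `Renovate Bot ` ends in a stray space, which hints at that), disregard this point. `RENOVATE_DRY_RUN=false` is also worth a check against the pinned image: dryRun is a string option (`extract`, `lookup`, `full`, or unset) and, as far as I recall, `false` is only tolerated through a compatibility path that logs a warning, so confirm it is still accepted silently by 42.52.5. Since this template is copied to `.env` and then holds `RENOVATE_TOKEN`, `RENOVATE_DOCKER_PASSWORD` and `RENOVATE_NPM_TOKEN`, a header line such as `# Copy to .env; that file holds credentials and must stay out of version control` would make the expected handling explicit, as nothing in this change shows `.env` being ignored.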
@@ -0,0 +1,227 @@ +# Renovate - Automated Dependency Updates + +[中文文档](README.zh.md) + +Renovate is an automated dependency update tool that keeps your project dependencies up-to-date by creating pull requests when new versions are available. + +## Features + +- 🤖 Automated dependency updates across multiple platforms +- 🔄 Support for GitHub, GitLab, Gitea, Bitbucket, Azure DevOps, and more +- 📦 Multi-language support: JavaScript, Python, Go, Docker, and many more +- 🎯 Highly configurable with smart defaults +- 🔒 Security-focused with vulnerability scanning +- 📊 Detailed update summaries and changelogs +- ⚙️ Flexible scheduling and auto-merge options + +## Quick Start + +1. **Copy the example environment file:** + + ```bash + cp .env.example .env + ``` + +2. **Configure authentication:** + Edit `.env` and set: + - `RENOVATE_PLATFORM`: Your platform (e.g., `github`, `gitlab`, `gitea`) + - `RENOVATE_TOKEN`: Your authentication token (required) + - `RENOVATE_REPOSITORIES`: Repositories to process (e.g., `myorg/repo1,myorg/repo2`) + +3. **Get authentication token:** + - **GitHub**: Create a Personal Access Token at + - Required scopes: `repo`, `workflow` + - **GitLab**: Create a Personal Access Token at + - Required scopes: `api`, `write_repository` + +4. 
**Run Renovate:** + + ```bash + # One-time execution + docker compose run --rm renovate + + # Or set up a cron job for periodic runs + # Example: Run daily at 2 AM + 0 2 * * * cd /path/to/renovate && docker compose run --rm renovate + ``` + +## Configuration + +### Environment Variables + +Key environment variables in `.env`: + +| Variable | Description | Default | +| ----------------------- | ----------------------- | -------------- | +| `RENOVATE_VERSION` | Renovate image version | `42.52.5-full` | +| `RENOVATE_PLATFORM` | Platform type | `github` | +| `RENOVATE_TOKEN` | Authentication token | **(required)** | +| `RENOVATE_REPOSITORIES` | Repositories to process | `''` | +| `RENOVATE_ONBOARDING` | Create onboarding PR | `true` | +| `RENOVATE_DRY_RUN` | Dry run mode | `false` | +| `RENOVATE_LOG_LEVEL` | Log level | `info` | + +### Advanced Configuration + +For advanced configuration, edit `config.js`: + +```javascript +module.exports = { + platform: 'github', + repositories: ['myorg/repo1', 'myorg/repo2'], + + // Schedule (cron format) + schedule: ['before 5am on monday'], + + // Auto-merge settings + automerge: true, + automergeType: 'pr', + + // Package rules + packageRules: [ + { + matchUpdateTypes: ['minor', 'patch'], + automerge: true, + }, + ], +}; +``` + +## Usage Examples + +### Run on Specific Repositories + +```bash +# Using environment variable +RENOVATE_REPOSITORIES=myorg/repo1,myorg/repo2 docker compose run --rm renovate + +# Using config.js - edit the file first +docker compose run --rm renovate +``` + +### Dry Run Mode + +Test configuration without creating actual PRs: + +```bash +RENOVATE_DRY_RUN=full docker compose run --rm renovate +``` + +### Debug Mode + +Enable detailed logging for troubleshooting: + +```bash +RENOVATE_LOG_LEVEL=debug docker compose run --rm renovate +``` + +### Scheduled Execution + +Create a systemd timer or cron job: + +```bash +# Cron example (run daily at 2 AM) +0 2 * * * cd /path/to/renovate && docker compose run --rm 
renovate >> /var/log/renovate.log 2>&1 +``` + +## How It Works + +1. **Onboarding**: On first run, Renovate creates an onboarding PR with a `renovate.json` configuration file +2. **Scanning**: Renovate scans your repository for dependency files (package.json, requirements.txt, Dockerfile, etc.) +3. **Detection**: Checks for available updates across all detected dependencies +4. **PRs**: Creates pull requests for updates based on your configuration +5. **Scheduling**: Can be configured to run on a schedule (daily, weekly, etc.) + +## Repository Configuration + +After onboarding, configure Renovate behavior in your repository's `renovate.json`: + +```json +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": ["config:base"], + "schedule": ["after 10pm every weekday", "before 5am every weekday", "every weekend"], + "packageRules": [ + { + "matchUpdateTypes": ["minor", "patch"], + "automerge": true + } + ] +} +``` + +## Supported Platforms + +- GitHub (github.com and Enterprise Server) +- GitLab (gitlab.com and Self-Managed) +- Gitea +- Bitbucket Cloud and Server +- Azure DevOps +- And more... + +## Supported Languages & Managers + +Renovate supports 100+ package managers including: + +- **JavaScript/Node.js**: npm, yarn, pnpm +- **Python**: pip, poetry, pipenv +- **Go**: go modules +- **Java**: maven, gradle +- **PHP**: composer +- **Ruby**: bundler +- **Rust**: cargo +- **Docker**: Dockerfile, docker-compose +- And many more... 
+ +## Security + +- Runs as non-root user (configurable via `PUID`/`PGID`) +- Minimal capabilities with security hardening +- Token-based authentication (never expose tokens in logs) +- Support for vulnerability scanning and security updates + +## Resources + +Resource limits can be adjusted in `.env`: + +- **CPU**: 2.0 cores limit, 0.5 cores reserved +- **Memory**: 2GB limit, 512MB reserved + +## Troubleshooting + +### No repositories found + +Ensure `RENOVATE_TOKEN` has proper permissions and `RENOVATE_REPOSITORIES` is set correctly. + +### Authentication errors + +Verify token scopes: + +- GitHub: `repo`, `workflow` +- GitLab: `api`, `write_repository` + +### Rate limiting + +Configure rate limits in `config.js`: + +```javascript +prConcurrentLimit: 10, +prHourlyLimit: 2, +``` + +## Documentation + +- Official Documentation: +- Configuration Options: +- GitHub Repository: + +## License + +Renovate is licensed under the AGPL-3.0 license. See the [Renovate repository](https://github.com/renovatebot/renovate) for details. + +## Notes + +- Renovate is designed to run as a scheduled job, not a continuous service +- First run will create an onboarding PR in each repository +- Consider setting up a cron job or CI/CD pipeline for regular execution +- Monitor logs to ensure updates are being processed correctly diff --git a/src/renovate/README.zh.md b/src/renovate/README.zh.md new file mode 100644 index 0000000..97b7c6e --- /dev/null +++ b/src/renovate/README.zh.md 
@@ -0,0 +1,227 @@ +# Renovate - 自动化依赖更新工具 + +[English](README.md) + +Renovate 是一个自动化依赖更新工具,当有新版本可用时,它会通过创建拉取请求来保持你的项目依赖最新。 + +## 特性 + +- 🤖 跨多平台的自动化依赖更新 +- 🔄 支持 GitHub、GitLab、Gitea、Bitbucket、Azure DevOps 等 +- 📦 多语言支持:JavaScript、Python、Go、Docker 等众多语言 +- 🎯 高度可配置,提供智能默认值 +- 🔒 注重安全,支持漏洞扫描 +- 📊 详细的更新摘要和变更日志 +- ⚙️ 灵活的调度和自动合并选项 + +## 快速开始 + +1. **复制示例环境文件:** + + ```bash + cp .env.example .env + ``` + +2. **配置身份验证:** + 编辑 `.env` 文件并设置: + - `RENOVATE_PLATFORM`:你的平台(例如:`github`、`gitlab`、`gitea`) + - `RENOVATE_TOKEN`:你的身份验证令牌(必需) + - `RENOVATE_REPOSITORIES`:要处理的仓库(例如:`myorg/repo1,myorg/repo2`) + +3. **获取身份验证令牌:** + - **GitHub**:在 创建个人访问令牌 + - 所需权限:`repo`、`workflow` + - **GitLab**:在 创建个人访问令牌 + - 所需权限:`api`、`write_repository` + +4. **运行 Renovate:** + + ```bash + # 一次性执行 + docker compose run --rm renovate + + # 或设置定时任务以定期运行 + # 示例:每天凌晨 2 点运行 + 0 2 * * * cd /path/to/renovate && docker compose run --rm renovate + ``` + +## 配置 + +### 环境变量 + +`.env` 中的关键环境变量: + +| 变量 | 描述 | 默认值 | +| ----------------------- | ----------------- | -------------- | +| `RENOVATE_VERSION` | Renovate 镜像版本 | `42.52.5-full` | +| `RENOVATE_PLATFORM` | 平台类型 | `github` | +| `RENOVATE_TOKEN` | 身份验证令牌 | **(必需)** | +| `RENOVATE_REPOSITORIES` | 要处理的仓库 | `''` | +| `RENOVATE_ONBOARDING` | 创建引导 PR | `true` | +| `RENOVATE_DRY_RUN` | 演练模式 | `false` | +| `RENOVATE_LOG_LEVEL` | 日志级别 | `info` | + +### 高级配置 + +对于高级配置,编辑 `config.js`: + +```javascript +module.exports = { + platform: 'github', + repositories: ['myorg/repo1', 'myorg/repo2'], + + // 调度(cron 格式) + schedule: ['before 5am on monday'], + + // 自动合并设置 + automerge: true, + automergeType: 'pr', + + // 包规则 + packageRules: [ + { + matchUpdateTypes: ['minor', 'patch'], + automerge: true, + }, + ], +}; +``` + +## 使用示例 + +### 在特定仓库上运行 + +```bash +# 使用环境变量 +RENOVATE_REPOSITORIES=myorg/repo1,myorg/repo2 docker compose run --rm renovate + +# 使用 config.js - 先编辑文件 +docker compose run --rm renovate +``` + +### 演练模式 + +在不创建实际 PR 的情况下测试配置: + +```bash +RENOVATE_DRY_RUN=full docker 
compose run --rm renovate +``` + +### 调试模式 + +启用详细日志以进行故障排除: + +```bash +RENOVATE_LOG_LEVEL=debug docker compose run --rm renovate +``` + +### 定期执行 + +创建 systemd 定时器或 cron 任务: + +```bash +# Cron 示例(每天凌晨 2 点运行) +0 2 * * * cd /path/to/renovate && docker compose run --rm renovate >> /var/log/renovate.log 2>&1 +``` + +## 工作原理 + +1. **引导**:首次运行时,Renovate 会创建一个包含 `renovate.json` 配置文件的引导 PR +2. **扫描**:Renovate 扫描你的仓库以查找依赖文件(package.json、requirements.txt、Dockerfile 等) +3. **检测**:检查所有检测到的依赖项的可用更新 +4. **创建 PR**:根据你的配置创建更新的拉取请求 +5. **调度**:可以配置为按计划运行(每天、每周等) + +## 仓库配置 + +引导后,在仓库的 `renovate.json` 中配置 Renovate 行为: + +```json +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": ["config:base"], + "schedule": ["after 10pm every weekday", "before 5am every weekday", "every weekend"], + "packageRules": [ + { + "matchUpdateTypes": ["minor", "patch"], + "automerge": true + } + ] +} +``` + +## 支持的平台 + +- GitHub(github.com 和 Enterprise Server) +- GitLab(gitlab.com 和 Self-Managed) +- Gitea +- Bitbucket Cloud 和 Server +- Azure DevOps +- 以及更多... + +## 支持的语言和管理器 + +Renovate 支持 100 多个包管理器,包括: + +- **JavaScript/Node.js**:npm、yarn、pnpm +- **Python**:pip、poetry、pipenv +- **Go**:go modules +- **Java**:maven、gradle +- **PHP**:composer +- **Ruby**:bundler +- **Rust**:cargo +- **Docker**:Dockerfile、docker-compose +- 以及更多... 
+ +## 安全性 + +- 以非 root 用户运行(可通过 `PUID`/`PGID` 配置) +- 最小权限与安全加固 +- 基于令牌的身份验证(绝不在日志中暴露令牌) +- 支持漏洞扫描和安全更新 + +## 资源 + +资源限制可在 `.env` 中调整: + +- **CPU**:2.0 核限制,0.5 核保留 +- **内存**:2GB 限制,512MB 保留 + +## 故障排除 + +### 未找到仓库 + +确保 `RENOVATE_TOKEN` 具有适当的权限,并且 `RENOVATE_REPOSITORIES` 设置正确。 + +### 身份验证错误 + +验证令牌权限: + +- GitHub:`repo`、`workflow` +- GitLab:`api`、`write_repository` + +### 速率限制 + +在 `config.js` 中配置速率限制: + +```javascript +prConcurrentLimit: 10, +prHourlyLimit: 2, +``` + +## 文档 + +- 官方文档: +- 配置选项: +- GitHub 仓库: + +## 许可证 + +Renovate 采用 AGPL-3.0 许可证。详情请参见 [Renovate 仓库](https://github.com/renovatebot/renovate)。 + +## 注意事项 + +- Renovate 设计为作为计划任务运行,而不是持续服务 +- 首次运行将在每个仓库中创建一个引导 PR +- 考虑设置 cron 任务或 CI/CD 管道以定期执行 +- 监控日志以确保更新正在正确处理 diff --git a/src/renovate/config.js b/src/renovate/config.js new file mode 100644 index 0000000..d4ae4ef --- /dev/null +++ b/src/renovate/config.js @@ -0,0 +1,43 @@ +// Renovate configuration file +// This is a JavaScript configuration file for advanced settings +// For simple setups, you can configure everything via environment variables +// Documentation: https://docs.renovatebot.com/configuration-options/ + +module.exports = { + // Uncomment and configure as needed + + // platform: 'github', + // token: process.env.RENOVATE_TOKEN, + + // repositories: [ + // 'myorg/repo1', + // 'myorg/repo2', + // ], + + // onboarding: true, + // requireConfig: 'optional', + + // // Schedule (cron format) + // schedule: ['before 5am on monday'], + + // // Auto-merge settings + // automerge: true, + // automergeType: 'pr', + // automergeStrategy: 'squash', + + // // PR settings + // prConcurrentLimit: 10, + // prHourlyLimit: 2, + + // // Package rules + // packageRules: [ + // { + // matchUpdateTypes: ['minor', 'patch'], + // automerge: true, + // }, + // { + // matchUpdateTypes: ['major'], + // labels: ['major-update'], + // }, + // ], +}; 
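Review bot: The comment `// // Schedule (cron format)` mislabels the example beneath it: `'before 5am on monday'` is Renovate's text schedule syntax, not a cron expression, so a reader who writes a real cron line there on the strength of the comment is working from the wrong reference (recent Renovate versions do accept cron-style schedules as far as I know, but this example is not one). Suggest `// Schedule in Renovate's schedule syntax, e.g. 'before 5am on monday'`, and the README's config example carries the same label. The commented `token: process.env.RENOVATE_TOKEN` duplicates what the compose file already injects as the `RENOVATE_TOKEN` environment variable, which Renovate reads on its own; a one-line comment saying it is only needed when the token must come from somewhere other than the environment would keep users from wiring it twice.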
diff --git a/src/renovate/docker-compose.yaml b/src/renovate/docker-compose.yaml
new file mode 100644
index 0000000..50bef7d
--- /dev/null
+++ b/src/renovate/docker-compose.yaml
@@ -0,0 +1,108 @@
+# Renovate - Automated Dependency Updates
+# https://github.com/renovatebot/renovate
+
+x-defaults: &defaults
+ restart: unless-stopped
+ logging:
+ driver: json-file
+ options:
+ max-size: 100m
+ max-file: "3"
+
+services:
+ renovate:
+ <<: *defaults
+ image: ${GLOBAL_REGISTRY:-}renovate/renovate:${RENOVATE_VERSION:-42.52.5-full}
+
+ # Renovate runs as a scheduled job, not a continuous service
+ # Use 'docker compose run --rm renovate' to execute manually
+ # Or configure with cron/scheduler for periodic runs
+ restart: "no"
+
+ volumes:
+ # Configuration files
+ - ./config.js:/usr/src/app/config.js:ro
+ # Cache directory for better performance
+ - renovate_cache:/tmp/renovate/cache
+ # Optional: mount repository cache
+ - renovate_repos:/tmp/renovate/repos
+
+ environment:
+ # Timezone
+ - TZ=${TZ:-UTC}
+
+ # Renovate configuration
+ - RENOVATE_CONFIG_FILE=${RENOVATE_CONFIG_FILE:-/usr/src/app/config.js}
+
+ # Platform (github, gitlab, gitea, bitbucket, etc.)
+ - RENOVATE_PLATFORM=${RENOVATE_PLATFORM:-github}
+ - RENOVATE_ENDPOINT=${RENOVATE_ENDPOINT:-}
+
+ # Authentication token (required)
+ - RENOVATE_TOKEN=${RENOVATE_TOKEN:-}
+ # Or use GitHub App
+ - GITHUB_COM_TOKEN=${GITHUB_COM_TOKEN:-}
+
+ # Repositories to process (comma-separated or use config.js)
+ - RENOVATE_REPOSITORIES=${RENOVATE_REPOSITORIES:-}
+
+ # Git author for commits
+ - RENOVATE_GIT_AUTHOR=${RENOVATE_GIT_AUTHOR:-Renovate Bot }
+
+ # Logging
+ - LOG_LEVEL=${RENOVATE_LOG_LEVEL:-info}
+ - LOG_FORMAT=${RENOVATE_LOG_FORMAT:-json}
+
+ # Onboarding (create PR to add renovate.json)
+ - RENOVATE_ONBOARDING=${RENOVATE_ONBOARDING:-true}
+ - RENOVATE_ONBOARDING_CONFIG=${RENOVATE_ONBOARDING_CONFIG:-{"$$schema":"https://docs.renovatebot.com/renovate-schema.json"}}
+
+ # Require config in repo
+ - RENOVATE_REQUIRE_CONFIG=${RENOVATE_REQUIRE_CONFIG:-optional}
+
+ # Docker authentication (if checking Docker images)
+ - RENOVATE_DOCKER_USER=${RENOVATE_DOCKER_USER:-}
+ - RENOVATE_DOCKER_PASSWORD=${RENOVATE_DOCKER_PASSWORD:-}
+
+ # NPM authentication (if checking NPM packages)
+ - RENOVATE_NPM_TOKEN=${RENOVATE_NPM_TOKEN:-}
+
+ # Dry run mode (no actual updates)
+ - RENOVATE_DRY_RUN=${RENOVATE_DRY_RUN:-false}
+
+ # Cache
+ - RENOVATE_REPOSITORY_CACHE=${RENOVATE_REPOSITORY_CACHE:-enabled}
+ - RENOVATE_CACHE_DIR=${RENOVATE_CACHE_DIR:-/tmp/renovate/cache}
+
+ # Base directory
+ - RENOVATE_BASE_DIR=${RENOVATE_BASE_DIR:-/tmp/renovate/repos}
+
+ # Healthcheck not applicable for one-shot jobs
+ # healthcheck:
+ # disable: true
+
+ deploy:
+ resources:
+ limits:
+ cpus: ${RENOVATE_CPU_LIMIT:-2.0}
+ memory: ${RENOVATE_MEMORY_LIMIT:-2G}
+ reservations:
+ cpus: ${RENOVATE_CPU_RESERVATION:-0.5}
+ memory: ${RENOVATE_MEMORY_RESERVATION:-512M}
+
+ # Security options
+ read_only: false # Renovate needs to write to cache and clone repos
+ user: "${PUID:-1000}:${PGID:-1000}"
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - SETUID
+ - SETGID
+ - DAC_OVERRIDE
+ security_opt:
+ - no-new-privileges:true
+
+volumes:
+ renovate_cache:
+ renovate_repos:
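Review bot: The named volumes are mounted at the literal paths `/tmp/renovate/cache` and `/tmp/renovate/repos` while `RENOVATE_CACHE_DIR` and `RENOVATE_BASE_DIR` are user-configurable further down in the same service, so overriding either variable in `.env` silently moves the cache or clone tree out of its volume onto the ephemeral container filesystem; bind the mounts to the same defaults with `- renovate_cache:${RENOVATE_CACHE_DIR:-/tmp/renovate/cache}` and `- renovate_repos:${RENOVATE_BASE_DIR:-/tmp/renovate/repos}`. Under the non-root `user: "${PUID:-1000}:${PGID:-1000}"`, the `cap_add` entries (`CHOWN`, `SETUID`, `SETGID`, `DAC_OVERRIDE`) only land in the bounding set and, absent file capabilities on the executed binary, never become effective for the process, so they are most likely inert while still advertising broad permissions; either drop them and keep `cap_drop: [ALL]` alone, or state in the comment which operation was observed to need them. The `RENOVATE_ONBOARDING_CONFIG` default nests braces and a `$$` escape inside a `${VAR:-…}` default, which compose interpolation versions have not always handled identically; `docker compose config` should confirm the rendered value is the intended JSON. Finally, `RENOVATE_TOKEN`, `RENOVATE_DOCKER_PASSWORD` and `RENOVATE_NPM_TOKEN` are passed as plain `environment` entries and are therefore readable via `docker inspect` and the container's process environment; a comment noting that exposure, or sourcing them from a read-only mounted file through `config.js`, would be a reasonable hardening step.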