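---
# Renovate - Automated Dependency Updates
# https://github.com/renovatebot/renovate
#
# One-shot job definition: run it with 'docker compose run --rm renovate'
# or from a scheduler. All tunables come from the host environment / .env
# file through ${VAR:-default} interpolation.

# Shared service defaults, merged into services with '<<: *defaults'.
x-defaults: &defaults
  restart: unless-stopped
  logging:
    driver: json-file
    options:
      # Quoted so the values stay strings whatever YAML parser reads the file.
      max-size: "100m"
      max-file: "3"

services:
  renovate:
    <<: *defaults
    # GLOBAL_REGISTRY is prepended verbatim, so it must end with '/' when set.
    # The image is pinned by version tag only; a tag can be re-pointed by the
    # registry, so pin by digest as well where immutability matters.
    image: ${GLOBAL_REGISTRY:-}renovate/renovate:${RENOVATE_VERSION:-42.85.4-full}

    # Renovate runs as a scheduled job, not a continuous service
    # Use 'docker compose run --rm renovate' to execute manually
    # Or configure with cron/scheduler for periodic runs
    # (this explicit key overrides the 'unless-stopped' value merged above)
    restart: "no"

    volumes:
      # Configuration file. config.js is JavaScript that Renovate loads, so
      # treat it as code: it is mounted read-only here and should be kept
      # under change control on the host.
      - ./config.js:/usr/src/app/config.js:ro

    environment:
      # Timezone
      - TZ=${TZ:-UTC}

      # Renovate configuration
      - RENOVATE_CONFIG_FILE=${RENOVATE_CONFIG_FILE:-/usr/src/app/config.js}

      # Platform (github, gitlab, gitea, bitbucket, etc.)
      - RENOVATE_PLATFORM=${RENOVATE_PLATFORM:-github}
      - RENOVATE_ENDPOINT=${RENOVATE_ENDPOINT:-}

      # Authentication token (required). It defaults to an empty string, so a
      # missing value is passed through rather than rejected by compose.
      # Secrets set here are readable via 'docker inspect' on the container:
      # keep the .env file out of version control and scope the token to the
      # repositories Renovate has to touch.
      - RENOVATE_TOKEN=${RENOVATE_TOKEN:-}

      # github.com token used for changelog / release-note lookups on
      # github.com (useful when the platform is not github.com). This is not
      # GitHub App authentication.
      - GITHUB_COM_TOKEN=${GITHUB_COM_TOKEN:-}

      # Repositories to process (comma-separated or use config.js)
      - RENOVATE_REPOSITORIES=${RENOVATE_REPOSITORIES:-}

      # Git author for commits
      # NOTE(review): the default ends in a bare trailing space, which looks
      # like a '<address>' part was lost; set RENOVATE_GIT_AUTHOR explicitly
      # in 'Name <address>' form.
      - RENOVATE_GIT_AUTHOR=${RENOVATE_GIT_AUTHOR:-Renovate Bot }

      # Logging (the host-side names carry a RENOVATE_ prefix)
      - LOG_LEVEL=${RENOVATE_LOG_LEVEL:-info}
      - LOG_FORMAT=${RENOVATE_LOG_FORMAT:-json}

      # Onboarding (create PR to add renovate.json)
      - RENOVATE_ONBOARDING=${RENOVATE_ONBOARDING:-true}
      # Single-quoted because the default is inline JSON full of YAML
      # indicators; '$$' is compose's escape for a literal '$'.
      - 'RENOVATE_ONBOARDING_CONFIG=${RENOVATE_ONBOARDING_CONFIG:-{"$$schema":"https://docs.renovatebot.com/renovate-schema.json"}}'

      # Require config in repo
      - RENOVATE_REQUIRE_CONFIG=${RENOVATE_REQUIRE_CONFIG:-optional}

      # Docker authentication (if checking Docker images)
      - RENOVATE_DOCKER_USER=${RENOVATE_DOCKER_USER:-}
      - RENOVATE_DOCKER_PASSWORD=${RENOVATE_DOCKER_PASSWORD:-}

      # NPM authentication (if checking NPM packages)
      - RENOVATE_NPM_TOKEN=${RENOVATE_NPM_TOKEN:-}

      # Dry run mode (no actual updates)
      - RENOVATE_DRY_RUN=${RENOVATE_DRY_RUN:-false}

      # Cache
      # No volume is mounted at these paths, so with 'docker compose run --rm'
      # the cache and the clones exist only for the lifetime of one run.
      - RENOVATE_REPOSITORY_CACHE=${RENOVATE_REPOSITORY_CACHE:-enabled}
      - RENOVATE_CACHE_DIR=${RENOVATE_CACHE_DIR:-/tmp/renovate/cache}

      # Base directory
      - RENOVATE_BASE_DIR=${RENOVATE_BASE_DIR:-/tmp/renovate/repos}

    # Healthcheck not applicable for one-shot jobs
    # healthcheck:
    #   disable: true

    deploy:
      resources:
        # Quoted so a value such as 2.0 stays the string compose expects and
        # is not re-typed as a float by the YAML parser.
        limits:
          cpus: "${RENOVATE_CPU_LIMIT:-2.0}"
          memory: "${RENOVATE_MEMORY_LIMIT:-2G}"
        reservations:
          cpus: "${RENOVATE_CPU_RESERVATION:-0.5}"
          memory: "${RENOVATE_MEMORY_RESERVATION:-512M}"

    # Security options
    read_only: false  # Renovate needs to write to cache and clone repos
    # Runs as an unprivileged UID:GID unless PUID/PGID say otherwise.
    user: "${PUID:-1000}:${PGID:-1000}"
    cap_drop:
      - ALL
    # NOTE(review): with the non-root user above and no-new-privileges set,
    # these capabilities are normally not in the process's effective set, so
    # they mostly matter when PUID is set to 0. DAC_OVERRIDE bypasses file
    # permission checks; confirm each entry is needed and drop the rest.
    cap_add:
      - CHOWN
      - SETUID
      - SETGID
      - DAC_OVERRIDE
    security_opt:
      - no-new-privileges:true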