feat: Add renovate repository

[mnonnenmacher]

Add a repository to run Renovate as a GitHub action. Currently Renovate is run from the ort-server repository but it will be moved to this new repository as it will manage dependency updates for multiple other repositories.

[eclipse-otterdog[bot]]

This is your friendly self-service bot.

Thank you for raising a pull request to update the configuration of your GitHub organization. You can manually add reviewers to this PR to eventually enable auto-merging.

The following conditions need to fulfilled for auto-merging to be available:

• valid configuration
• approved by a project lead
• does not require any secrets
• does not update settings only accessible via the GitHub Web UI
• does not remove any resource

Otterdog commands and options

You can trigger otterdog actions by commenting on this PR: - `/otterdog team-info` checks the team / org membership for the PR author - `/otterdog validate` validates the configuration change - `/otterdog validate info` validates the configuration change, printing also validation infos - `/otterdog check-sync` checks if the base ref is in sync with live settings - `/otterdog merge` merges and applies the changes if the PR is eligible for auto-merging (only accessible for the author) - `/otterdog done` notifies the self-service bot that a required manual apply operation has been performed (only accessible for members of the admin team) - `/otterdog apply` re-apply a previously failed attempt (only accessible for members of the admin team)

[eclipse-otterdog[bot]]

This is your friendly self-service bot.

The author (mnonnenmacher) of this PR is associated with this organization in the role of MEMBER.

Additionally, mnonnenmacher is a member of the following teams:

• technology-apoapsis-committers

• technology-apoapsis-project-leads

• technology-apoapsis-security

[eclipse-otterdog[bot]]

This is your friendly self-service bot. Please find below the validation of the requested configuration changes:

Diff for 13d9640a5dc9bb8cd8debbd835c1ee8a00292cda

```diff Organization technology.apoapsis[id=eclipse-apoapsis] + add repository[name="renovate"] { + allow_auto_merge = true + allow_forking = true + allow_merge_commit = false + allow_rebase_merge = true + allow_squash_merge = false + allow_update_branch = true + archived = false + auto_init = true + code_scanning_default_setup_enabled = false + custom_properties = {} + default_branch = "main" + delete_branch_on_merge = true + dependabot_alerts_enabled = true + dependabot_security_updates_enabled = false + description = "Configuration to run Renovate as a GitHub action." + gh_pages_build_type = "disabled" + has_discussions = false + has_issues = true + has_projects = true + has_wiki = false + is_template = false + merge_commit_message = "PR_TITLE" + merge_commit_title = "MERGE_MESSAGE" + name = "renovate" + private = false + private_vulnerability_reporting_enabled = false + secret_scanning = "enabled" + secret_scanning_push_protection = "enabled" + squash_merge_commit_message = "COMMIT_MESSAGES" + squash_merge_commit_title = "COMMIT_OR_PR_TITLE" + topics = [] + } + add repo_workflow_settings[repository="renovate"] { + actions_can_approve_pull_request_reviews = true + enabled = true + } + add repo_secret[name="RENOVATE_TOKEN", repository="renovate"] { + name = "RENOVATE_TOKEN" + value = "pass:bots/technology.apoapsis/github.com/renovate-token" + } + add branch_protection_rule[pattern="main", repository="renovate"] { + allows_deletions = false + allows_force_pushes = false + blocks_creations = false + bypass_force_push_allowances = [] + bypass_pull_request_allowances = [] + dismisses_stale_reviews = true + is_admin_enforced = true + lock_allows_fetch_and_merge = false + lock_branch = false + pattern = "main" + require_last_push_approval = false + required_approving_review_count = 1 + required_status_checks = [ + "eclipse-eca-validation:eclipsefdn/eca" + ], + requires_code_owner_reviews = false + requires_commit_signatures = false + requires_conversation_resolution = false + requires_deployments = false + requires_linear_history = true + requires_pull_request = true + requires_status_checks = true + requires_strict_status_checks = false + restricts_pushes = false + restricts_review_dismissals = false + } Plan: 4 to add, 0 to change, 0 to delete. ```

Warnings

• some of requested changes require secrets, need to apply these changes manually

cc @eclipse-apoapsis/eclipsefdn-security

cc @eclipse-apoapsis/eclipsefdn-releng

[eclipse-otterdog[bot]]

This is your friendly self-service bot. The current configuration is in-sync with the live settings. :rocket:

[mnonnenmacher]

@netomi The secret configured in this PR is currently used by the ort-server repo to run Renovate. Would it work to use it in the new repo to manage dependency updates for all repos in this org or does this require creating a new token?

[eclipse-otterdog[bot]]

This is your friendly self-service bot.

The following changes have been successfully applied:

Organization technology.apoapsis[id=eclipse-apoapsis]

+  add repository[name="renovate"] {
+    allow_auto_merge                  = true
+    allow_forking                     = true
+    allow_merge_commit                = false
+    allow_rebase_merge                = true
+    allow_squash_merge                = false
+    allow_update_branch               = true
+    archived                          = false
+    auto_init                         = true
+    code_scanning_default_setup_enabled = false
+    custom_properties                 = {}
+    default_branch                    = "main"
+    delete_branch_on_merge            = true
+    dependabot_alerts_enabled         = true
+    dependabot_security_updates_enabled = false
+    description                       = "Configuration to run Renovate as a GitHub action."
+    gh_pages_build_type               = "disabled"
+    has_discussions                   = false
+    has_issues                        = true
+    has_projects                      = true
+    has_wiki                          = false
+    is_template                       = false
+    merge_commit_message              = "PR_TITLE"
+    merge_commit_title                = "MERGE_MESSAGE"
+    name                              = "renovate"
+    private                           = false
+    private_vulnerability_reporting_enabled = false
+    secret_scanning                   = "enabled"
+    secret_scanning_push_protection   = "enabled"
+    squash_merge_commit_message       = "COMMIT_MESSAGES"
+    squash_merge_commit_title         = "COMMIT_OR_PR_TITLE"
+    topics                            = []
+  }

+  add repo_workflow_settings[repository="renovate"] {
+    actions_can_approve_pull_request_reviews = true
+    enabled                           = true
+  }

+  add branch_protection_rule[pattern="main", repository="renovate"] {
+    allows_deletions                  = false
+    allows_force_pushes               = false
+    blocks_creations                  = false
+    bypass_force_push_allowances      = []
+    bypass_pull_request_allowances    = []
+    dismisses_stale_reviews           = true
+    is_admin_enforced                 = true
+    lock_allows_fetch_and_merge       = false
+    lock_branch                       = false
+    pattern                           = "main"
+    require_last_push_approval        = false
+    required_approving_review_count   = 1
+    required_status_checks            = [
+      "eclipse-eca-validation:eclipsefdn/eca"
+    ],
+    requires_code_owner_reviews       = false
+    requires_commit_signatures        = false
+    requires_conversation_resolution  = false
+    requires_deployments              = false
+    requires_linear_history           = true
+    requires_pull_request             = true
+    requires_status_checks            = true
+    requires_strict_status_checks     = false
+    restricts_pushes                  = false
+    restricts_review_dismissals       = false
+  }

  Applying changes:

  Done.

  Executed plan: 3 added, 0 changed, 0 deleted.

Note

The pull request was only partially applied as it requires some access to secrets or the Web UI, please apply the remaining changes manually and confirm with replying with /otterdog done.

cc @eclipse-apoapsis/eclipsefdn-security

cc @eclipse-apoapsis/eclipsefdn-releng

[netomi]

/otterdog done

[eclipse-otterdog[bot]]

This is your friendly self-service bot. The PR has been marked as being completed.

[netomi]

I checked the token and its a classic PAT so having access to all repos of the organization, so it should work imho.

[mnonnenmacher]

I checked the token and its a classic PAT so having access to all repos of the organization, so it should work imho.

Thanks for checking, I will try it out.