nextcloud / helm

A community maintained helm chart for deploying Nextcloud on Kubernetes.
GNU Affero General Public License v3.0

add renovatebot to run hourly in a self-hosted github action instead of using dependabot #574

Open jessebot opened 1 month ago

jessebot commented 1 month ago

Pull Request

Description of the change

This switches us from Dependabot (can't do helm updates) to RenovateBot (can do some helm updates).

Benefits

This would generate all the same PRs that dependabot would, but it would also catch sub-chart updates, updates to the main appVersion image, and updates to the nested image versions (like for the metrics image).

Possible drawbacks

It cannot update the version in Chart.yaml for docker image updates; however, it can update the version for sub-chart updates. In the meantime, it will still generate a useful PR to update what it can, which can be edited by a maintainer to manually bump the version. There's an ongoing discussion about making this actually bump the version in Chart.yaml for updates to docker images and appVersion, so when that is solid, I'll port those changes here as well.

Applicable issues

Additional information

Before this can work, we need a nextcloud member with org settings access to create a GitHub App as described here:

Example with GitHub App

Instead of using a Personal Access Token (PAT) that is tied to a particular user you can use a GitHub App where permissions can be even better tuned. Create a new app and configure the app permissions and your config.js as described in the Renovate documentation.

Generate and download a new private key for the app, adding the contents of the downloaded .pem file to Secrets (repository settings) with the name private_key and app ID as a secret with name app_id.

Checklist
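The mechanism the PR describes, as an added example workflow that is not the PR's own file: Renovate runs hourly in a self-hosted GitHub Action and authenticates with a short-lived GitHub App installation token minted from the private_key and app_id secrets, rather than a long-lived PAT. The config file path and the action version tags are assumptions.

```yaml
# Added example (not from the PR): hourly self-hosted Renovate using a GitHub App token.
name: renovate

on:
  schedule:
    - cron: "0 * * * *"   # hourly, as the PR title describes
  workflow_dispatch: {}

# The workflow's own GITHUB_TOKEN gets no permissions; Renovate uses the App token instead.
permissions: {}

jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      # Exchange the App's private key for a one-time installation token.
      # app_id / private_key are the repository secrets named in the PR description;
      # GitHub masks known secret values in job logs, and the resulting installation
      # token expires after about an hour, limiting the value of any leaked log.
      - name: Get GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.app_id }}
          private-key: ${{ secrets.private_key }}

      - name: Checkout
        uses: actions/checkout@v4

      # Self-hosted Renovate: running it here (instead of the hosted mend.io App)
      # is what allows custom post-upgrade tasks, as the discussion below explains.
      - name: Run Renovate
        uses: renovatebot/github-action@v40
        with:
          configurationFile: .github/renovate-config.js   # assumed path
          token: ${{ steps.app-token.outputs.token }}
        env:
          LOG_LEVEL: debug
```

The `permissions: {}` line is a least-privilege choice: the default GITHUB_TOKEN is never used, so it needs no scopes.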

provokateurin commented 1 month ago

I think it is better to use the Github App instead of Actions as it avoids potentially leaking any secrets and doesn't need any config except for the main config file. I just requested the App to be enabled on this repo, so hopefully someone with access allows it soon.

I will take a closer look at the changes of this PR soon.

jessebot commented 1 month ago

> I think it is better to use the Github App instead of Actions as it avoids potentially leaking any secrets and doesn't need any config except for the main config file. I just requested the App to be enabled on this repo, so hopefully someone with access allows it soon.

The action does actually use a GitHub App to get the one-time token, but an org admin has to create it. The reason we can't use the default one from mend.io (the company that maintains the official renovateBot github app) is because it will not let us do custom post upgrade tasks. That is a self-hosted feature.

Also, it does not leak any secrets. That is not possible, even with debug logging on, in part because github automatically prunes known repo secrets. I have tested this and you can view a run here: https://github.com/small-hack/matrix-chart/actions/runs/9284996423/job/25548565149

provokateurin commented 1 month ago

> The action does actually use a GitHub App to get the one-time token, but an org admin has to create it. The reason we can't use the default one from mend.io (the company that maintains the official renovateBot github app) is because it will not let us do custom post upgrade tasks. That is a self-hosted feature.

Ok I didn't know that.

> Also, it does not leak any secrets. That is not possible, even with debug logging on, in part because github automatically prunes known repo secrets

I know, but at Nextcloud we have a special problem: Many more or less trustworthy people are part of the Github organization which makes it possible for them to see the secrets in the settings. I'm not sure how problematic this token is, but this problem should be kept in mind.

jessebot commented 1 month ago

> I know, but at Nextcloud we have a special problem: Many more or less trustworthy people are part of the Github organization which makes it possible for them to see the secrets in the settings.

I can't actually see secrets in the settings here. I think you're more powerful than me haha :) However, once a repo secret is added, it can't be seen again. You can only update it. Here's a video showing what happens if you try to update a repo level github actions secret though (in a repo where I am actually powerful):

https://github.com/nextcloud/helm/assets/2389292/4baba788-db0d-4020-bd53-4f6f9ccfc3b7

And in the logs, it is obscured with ******* in its place.

provokateurin commented 1 month ago

Ok interesting, maybe this was fixed by Github at some point. This problem was explained to me by one of our security peeps last year, so I just trusted them :see_no_evil:

jessebot commented 1 month ago

Fair, I also tend to defer to infosec professionals. 😁 Btw, a peep in the U.S. is a marshmallow snack shaped like a baby chicken, so I made a security peep for you:

[image: a marshmallow peep chick with keys in its mouth]

Absolutely still defer to infosec professionals. This is just a joke.

provokateurin commented 1 month ago

Dang that picture looks weird, but I also love it!