add renovatebot to run hourly in a self-hosted github action instead of using dependabot #574

Open: wants to merge 8 commits into base: main
Conversation

jessebot
Collaborator

Pull Request

Description of the change

This switches us from Dependabot (can't do helm updates) to RenovateBot (can do some helm updates).

Benefits

This would generate all the same PRs that Dependabot would, but it would also catch sub-chart updates, updates to the main appVersion image, and updates to the nested image versions (like for the metrics image).

Possible drawbacks

It cannot update the version in Chart.yaml for docker image updates, however, it can update the version for sub-chart updates. In the meantime, it will still generate a useful PR, to update what it can update, that can be edited by a maintainer to manually bump the version. There's an ongoing discussion about making this actually bump the version in Chart.yaml for updates to docker images and appVersion, so when that is solid, I'll port those changes here as well.

Applicable issues

Additional information

Before this can work, we need a Nextcloud member with org settings access to create a GitHub App as described here:

Example with GitHub App

Instead of using a Personal Access Token (PAT) that is tied to a particular user you can use a GitHub App where permissions can be even better tuned. Create a new app and configure the app permissions and your config.js as described in the Renovate documentation.

Generate and download a new private key for the app, adding the contents of the downloaded .pem file to Secrets (repository settings) with the name private_key and app ID as a secret with name app_id.

Checklist
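The GitHub App setup described in the PR description, as an added example workflow that is not the PR's own code: it runs Renovate hourly in a self-hosted Action, mints a short-lived installation token from the `app_id` and `private_key` secrets with actions/create-github-app-token, and hands that token to renovatebot/github-action. The action version tags, the `config.js` path, the cron schedule and the `permissions` block are assumptions; pin the versions you have actually reviewed.

```yaml
# Added example, not the PR's own workflow. Assumes repository secrets named
# app_id and private_key (the names from the PR description) and a Renovate
# config.js at the repository root. Version tags are placeholders.
name: renovate

on:
  schedule:
    - cron: "0 * * * *"   # hourly, as in the PR title
  workflow_dispatch:      # manual runs for testing the setup

# Renovate does not use the default GITHUB_TOKEN here, so keep it read-only.
permissions:
  contents: read

jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # Mint an installation token from the App's private key. Installation
      # tokens expire on their own (one hour), so the only credential that
      # reaches the Renovate step is short-lived; the private key itself never
      # leaves the secrets store, and Actions masks both in the job log.
      - name: Get GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.app_id }}
          private-key: ${{ secrets.private_key }}

      # Self-hosted run: the config.js is what makes post-upgrade tasks
      # possible, since allowedPostUpgradeCommands is a self-hosted setting.
      - name: Run Renovate
        uses: renovatebot/github-action@v40.1.11   # placeholder tag, pin a reviewed release
        with:
          configurationFile: config.js
          token: ${{ steps.app-token.outputs.token }}
        env:
          LOG_LEVEL: info   # raise to debug only when diagnosing a run
```

The split between the two steps is the security-relevant part: the long-lived secret (the `.pem` private key) is consumed once by the token-minting action, and everything Renovate does against the repository uses an installation token scoped to the App's permissions and expiring within the hour. The `allowedPostUpgradeCommands` setting referenced in the comment lives in the self-hosted `config.js`, which is why the hosted Mend app cannot run custom post-upgrade tasks.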

@jessebot jessebot self-assigned this May 29, 2024
@provokateurin
Member

I think it is better to use the GitHub App instead of Actions as it avoids potentially leaking any secrets and doesn't need any config except for the main config file. I just requested the App to be enabled on this repo, so hopefully someone with access allows it soon.

I will take a closer look at the changes of this PR soon.

@jessebot
Collaborator Author

> I think it is better to use the GitHub App instead of Actions as it avoids potentially leaking any secrets and doesn't need any config except for the main config file. I just requested the App to be enabled on this repo, so hopefully someone with access allows it soon.

The action does actually use a GitHub App to get the one-time token, but an org admin has to create it. The reason we can't use the default one from mend.io (the company that maintains the official Renovate GitHub App) is because it will not let us do custom post-upgrade tasks. That is a self-hosted feature.

Also, it does not leak any secrets. That is not possible, even with debug logging on, in part because GitHub automatically prunes known repo secrets. I have tested this and you can view a run here:
https://github.com/small-hack/matrix-chart/actions/runs/9284996423/job/25548565149

@provokateurin
Member

> The action does actually use a GitHub App to get the one-time token, but an org admin has to create it. The reason we can't use the default one from mend.io (the company that maintains the official Renovate GitHub App) is because it will not let us do custom post-upgrade tasks. That is a self-hosted feature.

Ok I didn't know that.

> Also, it does not leak any secrets. That is not possible, even with debug logging on, in part because GitHub automatically prunes known repo secrets

I know, but at Nextcloud we have a special problem: many more or less trustworthy people are part of the GitHub organization, which makes it possible for them to see the secrets in the settings. I'm not sure how problematic this token is, but this problem should be kept in mind.

@jessebot
Collaborator Author

jessebot commented May 29, 2024

> I know, but at Nextcloud we have a special problem: many more or less trustworthy people are part of the GitHub organization, which makes it possible for them to see the secrets in the settings.

I can't actually see secrets in the settings here. I think you're more powerful than me haha :) However, once a repo secret is added, it can't be seen again. You can only update it. Here's a video showing what happens if you try to update a repo-level GitHub Actions secret though (in a repo where I am actually powerful):

[video attachment: Screen.Recording.2024-05-29.at.14.34.29.mov]

And in the logs, it is obscured with ******* in its place.

@provokateurin
Member

Ok interesting, maybe this was fixed by GitHub at some point. This problem was explained to me by one of our security peeps last year, so I just trusted them 🙈

@jessebot
Collaborator Author

Fair, I also tend to defer to infosec professionals. 😁 Btw, a peep in the U.S. is a marshmallow snack shaped like a baby chicken, so I made a security peep for you:
[image: a marshmallow Peep chick with keys in its mouth]

Absolutely still defer to infosec professionals. This is just a joke

@provokateurin
Member

Dang that picture looks weird, but I also love it!

Successfully merging this pull request may close these issues.

Automatic PRs for updating the default image version