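---
# Deploys only the services whose image tag/digest changed in a merged
# Renovate PR. Flow: diff docker-compose.yml (main^1 vs main) -> changed
# services plus their direct depends_on -> registry logins -> render .env
# from Vault -> `compose up` of that service list -> health check -> Gotify.
name: Renovate Image Tag Deployment

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  pull_request:
    types: [closed]
    branches:
      - main
    paths:
      # NOTE: the detect step below only inspects the repo-root docker-compose.yml;
      # a change to a nested compose file will trigger the run but detect nothing.
      - "**/docker-compose.yml"

env:
  HC_VAULT_VERSION: "1.21.1"
  # NOTE(review): workflow-wide env makes the Vault address/token visible to
  # every step, including third-party actions. The Vault step already receives
  # both via `with:`; if the action does not need them from the environment,
  # scope them to that step's `env:` to narrow exposure.
  VAULT_ADDR: ${{ secrets.TREZ_VAULT_ADDR }}
  VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}

jobs:
  deploy:
    name: Renovate PR Deployment
    # Allow manual runs, otherwise only merged PRs opened by the Renovate bot.
    # `types: [closed]` also fires for PRs closed without merging, so the
    # `merged == true` check is what prevents an unmerged close from deploying.
    if: |
      github.event_name == 'workflow_dispatch' ||
      (github.event.pull_request.merged == true &&
       github.event.pull_request.user.login == 'renovate-bot')
    runs-on: ubuntu-latest
    steps:
      - name: Checkout full repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
        with:
          fetch-depth: 0  # required so we can access main^1

      # "Old" is the first parent of the current main tip. On a repository that
      # has no compose file there yet, fall back to an empty services map so
      # the detect step has a valid document to compare against.
      - name: Save docker-compose.yml before merge (old)
        run: |
          git fetch origin main
          if git ls-tree -r origin/main^1 --name-only | grep -q '^docker-compose.yml$'; then
            git show origin/main^1:docker-compose.yml > docker-compose-old.yml
          else
            echo "services: {}" > docker-compose-old.yml
          fi

      # NOTE(review): this assumes origin/main is still this PR's merge commit.
      # If another merge lands before the job runs, the old/new pair compared
      # below belongs to that later merge, not to this PR.
      - name: Save docker-compose.yml after merge (new)
        run: |
          git show origin/main:docker-compose.yml > docker-compose-new.yml

      # Emits the multiline step output `docker_svc_list`: changed services
      # plus their direct depends_on, one per line. Empty when nothing changed.
      - name: Detect services with image tag/digest changes
        id: detect_services
        run: |
          set -euo pipefail

          # Strip comments so the anchor/merge-aware queries below see plain YAML.
          echo "Flattening docker-compose files..."
          yq eval '... comments=""' docker-compose-old.yml > docker-compose-old-flat.yml
          yq eval '... comments=""' docker-compose-new.yml > docker-compose-new-flat.yml

          echo "Getting service names..."
          yq eval '.services | keys | .[]' docker-compose-old-flat.yml | sort > services_old.txt
          yq eval '.services | keys | .[]' docker-compose-new-flat.yml | sort > services_new.txt

          # Only services present on both sides can have a *changed* image;
          # services that are brand new in this merge are intentionally skipped.
          echo "Checking for image changes..."
          : > service_changes.txt
          comm -12 services_old.txt services_new.txt | while read -r service; do
            old_image=$(yq eval-all --yaml-fix-merge-anchor-to-spec=true ".services[\"$service\"].image // \"\"" docker-compose-old-flat.yml)
            new_image=$(yq eval-all --yaml-fix-merge-anchor-to-spec=true ".services[\"$service\"].image // \"\"" docker-compose-new-flat.yml)
            if [ "$old_image" != "$new_image" ]; then
              echo "$service" >> service_changes.txt
            fi
          done

          echo "Detected services with changed images:"
          # `cat` succeeds on an empty file, so test for content explicitly.
          if [ -s service_changes.txt ]; then
            cat service_changes.txt
          else
            echo "None"
          fi

          changed_svcs=$(sort -u service_changes.txt | xargs || true)
          if [ -z "$changed_svcs" ]; then
            echo "No image tag/digest changes detected."
            # Single-line form guarantees an exactly-empty output for the `== ''` check.
            echo "docker_svc_list=" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          # depends_on may be written as a map (long form) or a list (short
          # form); `keys` on a list would yield indices, so handle both shapes.
          echo "Collecting direct dependencies..."
          deps_list=""
          for svc in $changed_svcs; do
            deps=$(yq -r ".services[\"$svc\"].depends_on | (select(tag == \"!!map\") | keys | .[]), (select(tag == \"!!seq\") | .[])" docker-compose-new-flat.yml 2>/dev/null || true)
            if [ -n "$deps" ]; then
              echo "$svc depends on:"
              echo "$deps"
              deps_list="$deps_list $deps"
            fi
          done

          # Combine changed services and their dependencies, deduplicate.
          all_svcs=$( (echo "$changed_svcs"; echo "$deps_list") | tr ' ' '\n' | sort -u )
          echo "Final service list (including direct dependencies):"
          echo "$all_svcs"

          # Multiline step output (heredoc form) consumed by the compose step.
          echo "docker_svc_list<<EOF" >> "$GITHUB_OUTPUT"
          echo "$all_svcs" >> "$GITHUB_OUTPUT"
          echo "EOF" >> "$GITHUB_OUTPUT"

      # Failing here is deliberate: it halts every remaining step when there is
      # nothing to deploy, at the cost of a red run for no-op merges.
      - name: Stop if no image changes
        if: steps.detect_services.outputs.docker_svc_list == ''
        run: |
          echo "No image tag/digest changes detected. Exiting."
          exit 1

      - name: Login to Docker Hub
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ secrets.GHCR_USER }}
          password: ${{ secrets.GHCR_LOGIN_TOKEN }}

      - name: Login to Private Gitea Registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
        with:
          registry: git.trez.wtf
          username: ${{ secrets.BOT_GITEA_USER }}
          password: ${{ secrets.BOT_GITEA_PASSWORD }}

      - name: Gotify Notification (Start)
        uses: eikendev/gotify-action@ca0339b85ee8db9fda9c0718aaa7f95e17b3c617  # 0.0.4
        with:
          gotify_api_base: "${{ secrets.RUNNER_GOTIFY_URL }}"
          gotify_app_token: "${{ secrets.RUNNER_GOTIFY_TOKEN }}"
          notification_title: "GITEA: [RENOVATE] Docker Compose Deployment @ Rinoa"
          notification_message: "Starting Docker Compose run..."

      # TODO(review): every other action is pinned to a commit SHA; this one
      # tracks the mutable `main` branch, so its code can change between runs.
      # Pin it to a specific commit (e.g. `@<commit-sha>`) for the same reason.
      - name: Generate .env from Hashicorp Vault
        uses: https://git.trez.wtf/Trez/hc-vault-env@main
        with:
          HC_VAULT_VERSION: ${{ env.HC_VAULT_VERSION }}
          HC_VAULT_ADDR: ${{ secrets.TREZ_VAULT_ADDR }}
          HC_VAULT_AUTH: token
          HC_VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
          HC_VAULT_SECRETS_PATH: rinoa-docker/env

      # Brings up only the detected services against the remote daemon behind
      # dockerproxy; `--remove-orphans` also removes containers for services
      # no longer in the compose file.
      - name: Docker Compose Deployment
        uses: hoverkraft-tech/compose-action@3846bcd61da338e9eaaf83e7ed0234a12b099b72  # v2.4.1
        env:
          DOCKER_HOST: tcp://dockerproxy:2375
        with:
          services: |
            ${{ steps.detect_services.outputs.docker_svc_list }}
          up-flags: -d --remove-orphans
          down-flags: --dry-run
          services-log-level: debug

      # NOTE(review): DOCKER_HOST is set only on the deployment step above; this
      # step presumably needs to reach the same daemon to see those containers.
      # Verify, and add the same `env:` here if the runner does not set it globally.
      - name: Docker Compose Healthcheck
        id: health
        uses: jaracogmbh/docker-compose-health-check-action@973fbdccf7c8e396b652d3501984c8e530a9fa80  # v1.0.0
        with:
          max-retries: 30
          retry-interval: 10
          compose-file: "docker-compose.yml"
          skip-exited: "true"
          skip-no-healthcheck: "true"

      - name: Gotify Notification (Finish)
        uses: eikendev/gotify-action@ca0339b85ee8db9fda9c0718aaa7f95e17b3c617  # 0.0.4
        with:
          gotify_api_base: "${{ secrets.RUNNER_GOTIFY_URL }}"
          gotify_app_token: "${{ secrets.RUNNER_GOTIFY_TOKEN }}"
          notification_title: "GITEA: [RENOVATE] Docker Compose Deployment @ Rinoa"
          notification_message: "Deployment completed successfully."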