Spec: phpboyscout/cicd v0.8 — renovate-self + Renovate preset
- Repository: gitlab.com/phpboyscout/cicd
- Released as: v0.8.0 (minor — one additive component + a new top-level preset file; no change to existing components).
- Driver: every project in /home/matt/workspace/phpboyscout/ that runs Renovate has ~13 identical lines of renovate: job inline, and every project that pins phpboyscout/cicd components has the same custom-manager regex hand-copied in its renovate.json. Both deserve a single source of truth.
Decisions
D1 — Component is a thin runner with an overridable rule
The component pins the runner image (renovate/renovate:$image_version),
sets the standard environment (RENOVATE_PLATFORM=gitlab,
RENOVATE_ENDPOINT=$CI_API_V4_URL/, RENOVATE_AUTODISCOVER=false), and
wires RENOVATE_REPOSITORIES + RENOVATE_TOKEN from inputs. Everything
else (rules, scopes, package rules) is per-project Renovate config.
The gating if: is an input rather than hard-coded. Default matches
the current convention ($CI_PIPELINE_SOURCE == "schedule" &&
$RENOVATE_TASK == "scan") so existing pipeline schedules continue to
fire; consumers who want a different gate override the input. Component
interpolation ($[[ inputs.if ]]) leaves runtime variable references
($VAR) intact in the rendered job.
D2 — Token follows the established convention
token input defaults to "$RENOVATE_TOKEN" and threads through to
RENOVATE_TOKEN. On GitLab Free, project/group access tokens are
Premium-only ([[project_gitlab_free_tier]]), so consumers create a
fine-grained PAT with api + write_repository scope and set it as a
project CI/CD variable. Same shape as state_token / plan_token /
tofu-module-publish's token (v0.5 / v0.7).
D3 — Bundled preset ships only the cicd-tracking custom manager
A default.json5 at the cicd repo root exposes the preset at the
implicit name. Consumers extend it with:
The preset contains only a customManagers entry with the regex
that matches component: gitlab.com/phpboyscout/cicd/<name>@v<X.Y.Z>
in any .gitlab-ci.yml, points the datasource at the phpboyscout/cicd
GitLab project, and lets Renovate bump those pins automatically.
Schedule, automerge, labels, commit-message prefix, package rules — all
deliberately excluded. Those vary across Go / Rust / Terraform
consumers (Go uses :semanticCommits + immediate PRs; Terraform/infra
uses Monday batching + chore(deps): prefix); baking any of them into
the shared preset would force consumers into a one-size-fits-all
opinionation we'd quickly regret.
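The preset body and the consumer-side extends line are easiest to reason about when you can see the regex run against a real-looking .gitlab-ci.yml. The following is an added example, not a file from the phpboyscout/cicd repo: the preset contents, the matchStrings regex, the sample pipeline file and the expected results are all constructed here to match the D3 description (one customManagers entry, gitlab-tags datasource, depName phpboyscout/cicd). It also shows the consumer reference left implicit above: a default.json5 at the repo root is addressed by Renovate's implicit preset name "gitlab>phpboyscout/cicd".

```python
"""Dry-run the cicd-tracking custom manager before shipping it as a preset.

Added example (not code from phpboyscout/cicd). PRESET is a constructed stand-in
for the default.json5 described in D3; SAMPLE_CI is a constructed .gitlab-ci.yml.
"""
import json
import re

# Constructed preset body, written as plain JSON so the stdlib can parse it;
# Renovate accepts the same content in default.json5 at the repo root, which
# is what makes it reachable under the implicit name "gitlab>phpboyscout/cicd".
PRESET = json.loads(r'''
{
  "customManagers": [
    {
      "customType": "regex",
      "fileMatch": ["(^|/)\\.gitlab-ci\\.ya?ml$"],
      "matchStrings": [
        "component:\\s*gitlab\\.com/phpboyscout/cicd/[A-Za-z0-9_.-]+@(?<currentValue>v\\d+\\.\\d+\\.\\d+)"
      ],
      "datasourceTemplate": "gitlab-tags",
      "depNameTemplate": "phpboyscout/cicd",
      "versioningTemplate": "semver"
    }
  ]
}
''')

# Constructed consumer pipeline. Lines 3 and 4 must be picked up; the foreign
# component, the look-alike project and the branch ref must all be ignored,
# otherwise Renovate would try to bump them against phpboyscout/cicd tags.
SAMPLE_CI = """\
include:
  - component: gitlab.com/phpboyscout/cicd/renovate-self@v0.8.0
    inputs:
      repositories: "phpboyscout/infra"
  - component: gitlab.com/phpboyscout/cicd/tofu-module-publish@v0.7.1
  - component: gitlab.com/someone-else/components/lint@v2.3.4
  - component: gitlab.com/phpboyscout/cicd-extras/thing@v1.0.0
  - component: gitlab.com/phpboyscout/cicd/terraform-plan@main
"""


def renovate_to_python(pattern: str) -> str:
    """Renovate evaluates matchStrings with JavaScript-style named groups
    '(?<name>...)'; Python's re module only understands '(?P<name>...)'.
    Rewrite named groups and leave lookbehinds '(?<=' / '(?<!' untouched."""
    return re.sub(r"\(\?<(?=[A-Za-z])", "(?P<", pattern)


def find_component_pins(ci_yaml: str, preset: dict = PRESET) -> list[dict]:
    """Emulate the regex manager: run every matchString of every custom
    manager in the preset over the file and return the dependencies
    Renovate would register (depName, datasource, currentValue)."""
    found = []
    for manager in preset["customManagers"]:
        for match_string in manager["matchStrings"]:
            regex = re.compile(renovate_to_python(match_string))
            for m in regex.finditer(ci_yaml):
                found.append({
                    "depName": manager["depNameTemplate"],
                    "datasource": manager["datasourceTemplate"],
                    "currentValue": m.group("currentValue"),
                })
    return found


def consumer_config(extra_extends: tuple[str, ...] = ()) -> dict:
    """The renovate.json a consumer commits: pull the shared custom manager
    via the implicit preset name and keep schedule/automerge policy local."""
    return {"extends": ["config:recommended", "gitlab>phpboyscout/cicd", *extra_extends]}


if __name__ == "__main__":
    for pin in find_component_pins(SAMPLE_CI):
        print(pin)
    print(json.dumps(consumer_config(), indent=2))
```

Running it lists exactly the two phpboyscout/cicd pins (v0.8.0 and v0.7.1); the foreign component, the cicd-extras look-alike and the @main ref produce nothing, which is the property worth checking every time the regex is touched, since a loose pattern would have Renovate open MRs bumping someone else's component against this project's tags.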
D4 — Testing: failure-path self-test, no real Renovate run
Like tofu-module-publish (v0.7), running the component for real
mutates external state (opens MRs, mutates git refs). The self-test
fixture overrides the schedule gate to when: on_success and passes a
bogus token + repositories; Renovate fails to authenticate against
GitLab, the script exits non-zero, and allow_failure.exit_codes
tolerates exactly that. Any other exit (broken image pin, bad
interpolation) fails the pipeline.
Consumers (planned post-release)
| Project | Current inline | After v0.8.0 |
|---|---|---|
| phpboyscout/infra | 13-line renovate: job + inline custom manager | include: [email protected] + renovate.json extends preset |
| phpboyscout/terraform-aws-bootstrap | same | same |
| phpboyscout/terraform-aws-security-baseline | same | same |
| phpboyscout/terraform-aws-signing-kms | same | same |
| phpboyscout/go-tool-base | same | same |
| phpboyscout/rust-tool-base | same | same |
| phpboyscout/infra-tools, phpboyscout/cicd | same | same |
That's eight repos shedding the boilerplate in one go. Consumer cleanup
lands as a separate chore(deps): MR per repo (see follow-up).
Follow-up
- Audit each consumer's renovate.json and replace the inline cicd-component custom manager with the preset extends. Bonus: drop the now-stale terraform-aws-bootstrap git:: source manager in infra/renovate.json (we moved to the GitLab module registry in [[project_module_registry]]).