admin-system: Renovate Bot pilot (CronJob + config) #1

Merged
admin merged 1 commits from feat/renovate-bot into main 2026-05-27 21:29:31 +02:00
Owner

Adds a self-hosted Renovate Bot pilot to admin-system (picked up automatically by the existing admin-tools ArgoCD app — no new Application manifest).

Scope (deliberately narrow)

  • Weekly CronJob — Sun 04:00 Europe/Budapest.
  • Only kubernetes + helm-values managers enabled.
  • Default-deny packageRule; only four pilot images may update:
    • ghcr.io/thomiceli/opengist
    • louislam/uptime-kuma
    • f0rc3/gokapi
    • docker.io/calcom/cal.com
  • minor/patch → PR with Gitea native auto-merge (platformAutomerge).
  • major → held for manual approval via the Dependency Dashboard checkbox.

Notes

  • Image pinned to renovate/renovate:43.197.0 — the plain tag is the minimal image ("formerly slim"); the -slim suffix was retired upstream after v37.440.x, so version-checker regex is ^\d+\.\d+\.\d+$.
  • Stateless: no Service / Ingress / PVC. Read-only root FS + 2Gi /tmp emptyDir for git clones & cache.
  • Uses the manually-created renovate-secrets Secret (RENOVATE_TOKEN, RENOVATE_GITHUB_COM_TOKEN) — no tokens in git.

🤖 Generated with Claude Code

admin added 1 commit 2026-05-27 21:28:04 +02:00
Self-hosted Renovate as a weekly CronJob (Sun 04:00 Europe/Budapest)
opening dependency-update PRs against admin/homelab-manifests on Gitea.

Pilot is deliberately narrow:
- Only the kubernetes + helm-values managers are enabled.
- Default-deny packageRule; only four images may update:
  opengist, uptime-kuma, gokapi, cal.com.
- minor/patch -> PR with Gitea native auto-merge (platformAutomerge).
- major -> held for manual approval via Dependency Dashboard checkbox.

Image pinned to renovate/renovate:43.197.0 (the plain tag is the
minimal image; the -slim suffix was retired upstream after v37.440.x).
Stateless: no Service/Ingress/PVC. Read-only root FS with a 2Gi /tmp
emptyDir for git clones + cache. Secrets from existing renovate-secrets.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
admin merged commit c1211b6211 into main 2026-05-27 21:29:31 +02:00
admin deleted branch feat/renovate-bot 2026-05-27 21:29:31 +02:00
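An added example, not part of this pull request or the repository's configuration: a simplified Python model of how Renovate merges `packageRules` (later matching rules override earlier ones), used to audit a config against the default-deny policy described above. The two configs, the `effective` and `audit` helpers and the `docker.io/library/nginx` probe are constructed for illustration, and matching is reduced to exact names plus `*`.

```python
# Added example: simplified model of Renovate packageRules evaluation.
# Assumption: only exact names or "*" in matchPackageNames are modelled.
PILOT = ["ghcr.io/thomiceli/opengist", "louislam/uptime-kuma",
         "f0rc3/gokapi", "docker.io/calcom/cal.com"]
PROBES = PILOT + ["docker.io/library/nginx"]  # constructed non-pilot image

# Constructed config mirroring the PR description (not the repository's file).
CONFIG = {"enabledManagers": ["kubernetes", "helm-values"], "packageRules": [
    {"matchPackageNames": ["*"], "enabled": False},          # default-deny
    {"matchPackageNames": PILOT, "enabled": True},           # pilot allowlist
    {"matchPackageNames": PILOT, "matchUpdateTypes": ["minor", "patch"],
     "automerge": True, "platformAutomerge": True},
    {"matchPackageNames": PILOT, "matchUpdateTypes": ["major"],
     "automerge": False, "dependencyDashboardApproval": True},
]}

# Constructed weak variant: no default-deny, automerge not limited by type.
WEAK = {"packageRules": [
    {"matchPackageNames": PILOT, "matchUpdateTypes": ["major"],
     "dependencyDashboardApproval": True},
    {"matchPackageNames": PILOT, "automerge": True, "platformAutomerge": True},
]}

def _matches(rule, package, update_type):
    names = rule.get("matchPackageNames")
    if names is not None and "*" not in names and package not in names:
        return False
    types = rule.get("matchUpdateTypes")
    return types is None or update_type in types

def effective(config, package, update_type):
    """Merge matching rules in order; later rules override earlier ones."""
    # Starting values are Renovate's defaults for these three options.
    state = {"enabled": True, "automerge": False, "dependencyDashboardApproval": False}
    for rule in config.get("packageRules", []):
        if _matches(rule, package, update_type):
            state.update({k: v for k, v in rule.items() if k in state})
    return state

def audit(config, allowlist=PILOT, probes=PROBES):
    """Return violations: updates outside the allowlist, ungated majors."""
    findings = []
    for pkg in probes:
        for ut in ("major", "minor", "patch"):
            s = effective(config, pkg, ut)
            if pkg not in allowlist and s["enabled"]:
                findings.append(f"{pkg}: {ut} updates enabled outside allowlist")
            elif pkg in allowlist and ut == "major" and (
                    s["automerge"] or not s["dependencyDashboardApproval"]):
                findings.append(f"{pkg}: major automerges or skips approval")
    return findings
```

`audit(CONFIG)` returns an empty list; `audit(WEAK)` flags every pilot image's major update and all three update types for the non-pilot probe.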

Reference: admin/homelab-manifests#1