From a4c51f9bf9607a0c108fc1086e3fed14f6933ec6 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Wed, 10 Dec 2025 18:08:54 +0100 Subject: [PATCH] ci: add Renovate for Easy-RSA version updates (#1333) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary - Add Renovate configuration to automatically track Easy-RSA releases - Add GitHub Action to auto-update SHA256 hash on Renovate PRs ## How it works 1. **Renovate** detects a new Easy-RSA release → creates PR updating `EASYRSA_VERSION` 2. **GitHub Action** triggers on the PR → downloads tarball → computes SHA256 → commits fix 3. PR is ready to merge with both version and hash updated --- I intentionally updated to the second-to-last version in https://github.com/angristan/openvpn-install/commit/bda450948a933224f4f779a24a44c6279e1574a1 to test if this works. --- .github/workflows/update-easyrsa-hash.yml | 71 +++++++++++++++++++++++ renovate.json | 16 +++++ 2 files changed, 87 insertions(+) create mode 100644 .github/workflows/update-easyrsa-hash.yml create mode 100644 renovate.json
diff --git a/.github/workflows/update-easyrsa-hash.yml b/.github/workflows/update-easyrsa-hash.yml
new file mode 100644
index 0000000..283a180
--- /dev/null
+++ b/.github/workflows/update-easyrsa-hash.yml
@@ -0,0 +1,71 @@
+name: Update Easy-RSA SHA256
+
+# Note: This workflow commits and pushes changes to openvpn-install.sh.
+# Infinite recursion is prevented because pushes made with GITHUB_TOKEN do not trigger workflows.
+# See: https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#preventing-workflow-runs-from-recursively-generating-new-workflow-runs
+
+on:
+ pull_request:
+ types: [opened, synchronize]
+ paths:
+ - "openvpn-install.sh"
+
+permissions:
+ contents: read
+
+jobs:
+ update-hash:
+ if: startsWith(github.head_ref, 'renovate/')
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.head_ref }}
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract version and update SHA256
+ run: |
+ VERSION=$(grep -oP 'EASYRSA_VERSION="\K[^"]+' openvpn-install.sh)
+ if [ -z "$VERSION" ]; then
+ echo "Error: Failed to extract EASYRSA_VERSION"
+ exit 1
+ fi
+ echo "Easy-RSA version: $VERSION"
+
+ CURRENT_SHA=$(grep -oP 'EASYRSA_SHA256="\K[^"]+' openvpn-install.sh)
+ if [ -z "$CURRENT_SHA" ]; then
+ echo "Error: Failed to extract EASYRSA_SHA256"
+ exit 1
+ fi
+ echo "Current SHA256: $CURRENT_SHA"
+
+ TARBALL_URL="https://github.com/OpenVPN/easy-rsa/releases/download/v${VERSION}/EasyRSA-${VERSION}.tgz"
+ if ! curl -fsSL "$TARBALL_URL" -o /tmp/easyrsa.tgz; then
+ echo "Error: Failed to download Easy-RSA tarball from $TARBALL_URL"
+ exit 1
+ fi
+ NEW_SHA=$(sha256sum /tmp/easyrsa.tgz | cut -d' ' -f1)
+ echo "New SHA256: $NEW_SHA"
+
+ if [ "$CURRENT_SHA" != "$NEW_SHA" ]; then
+ sed -i "s|EASYRSA_SHA256=\"$CURRENT_SHA\"|EASYRSA_SHA256=\"$NEW_SHA\"|" openvpn-install.sh
+ echo "SHA256 updated"
+ echo "HASH_CHANGED=true" >> "$GITHUB_ENV"
+ else
+ echo "SHA256 already correct"
+ fi
+
+ - name: Commit changes
+ if: env.HASH_CHANGED == 'true'
+ run: |
+ if ! git diff --quiet openvpn-install.sh; then
+ git config user.name "github-actions[bot]"
+ git config user.email "github-actions[bot]@users.noreply.github.com"
+ git add openvpn-install.sh
+ git commit -m "chore: update Easy-RSA SHA256 hash"
+ git push
+ else
+ echo "No changes to commit"
+ fi
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..faa4ab7
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": ["config:recommended"],
+ "customManagers": [
+ {
+ "customType": "regex",
+ "managerFilePatterns": ["/^openvpn-install\\.sh$/"],
+ "matchStrings": [
+ "readonly\\s+EASYRSA_VERSION=\"(?\\d+\\.\\d+\\.\\d+)\""
+ ],
+ "depNameTemplate": "OpenVPN/easy-rsa",
+ "datasourceTemplate": "github-releases",
+ "extractVersionTemplate": "^v(?.*)$"
+ }
+ ]
+}
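Review bot: In the `Extract version and update SHA256` step the committed `EASYRSA_SHA256` is simply whatever `sha256sum` reports for the asset `curl` fetched at that moment, so after this change the pin no longer records anything a human verified: it is trust-on-first-use against the GitHub release asset (which can be replaced under the same tag), and a tampered tarball would be accepted and its hash committed to the installer. If the Easy-RSA project publishes a signature or signed checksum for the release tarball, verify it in this step before writing the hash; either way add a comment above the step such as `# NOTE: the hash written here is computed from the downloaded asset, not checked against an upstream signature — a reviewer must independently confirm it before merging.` so the PR is not treated as ready-to-merge on sight. Two smaller hardening points: `actions/checkout@v4` is a mutable tag used in a job that holds `contents: write` and a push-capable token, so pin it to the full commit SHA with the tag in a trailing comment; and `$CURRENT_SHA` is interpolated unescaped into the `sed` pattern, so tighten the extraction to `CURRENT_SHA=$(grep -oP 'EASYRSA_SHA256="\K[0-9a-f]{64}' openvpn-install.sh)` so a non-hex value fails loudly instead of silently mis-editing the file.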
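Review bot: As shown, the capture groups in `matchStrings` (`(?\\d+\\.\\d+\\.\\d+)`) and in `extractVersionTemplate` (`^v(?.*)$`) carry no group name, which is not valid regex syntax and gives Renovate no `currentValue` or `version` to work with; the regex manager requires `(?<currentValue>…)` in `matchStrings` and `(?<version>…)` in `extractVersionTemplate`. This may be a rendering artifact that stripped the `<…>` tokens, so confirm against the committed file; if the names really are missing the manager silently matches nothing and no update PRs are ever opened, which is exactly the failure the test bump mentioned in the description should surface. The intended lines are `"readonly\\s+EASYRSA_VERSION=\"(?<currentValue>\\d+\\.\\d+\\.\\d+)\""` and `"extractVersionTemplate": "^v(?<version>.*)$"`.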