From 13271a9fe34361fd704ebab18da95f183201a0a6 Mon Sep 17 00:00:00 2001 From: testvalue Date: Wed, 18 Mar 2026 11:23:52 -0400 Subject: [PATCH 1/9] fix: adds postUpgradeTasks to re-render template after dep updates --- .github/renovate.json | 11 ++++++++++- .github/workflows/renovate.yaml | 2 ++ includes/renovate-template.jinja | 2 +- template/.github/renovate.json.jinja | 11 +++++++++++ template/.github/workflows/renovate.yaml | 2 ++ 5 files changed, 26 insertions(+), 2 deletions(-) diff --git a/.github/renovate.json b/.github/renovate.json index 159f21a..7c4abc2 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -23,7 +23,7 @@ { "customType": "regex", "description": "Update copier-flake ref in Nix flake inputs", - "managerFilePatterns": ["/template/flake\\.nix\\.jinja$/", "/includes/flake-extra-inputs\\.jinja$/"], + "managerFilePatterns": ["/includes/flake-extra-inputs\\.jinja$/"], "matchStrings": ["github:gordon-code/copier-flake/(?[a-f0-9]+).*#\\s*(?v[\\S]+)"], "depNameTemplate": "gordon-code/copier-flake", "datasourceTemplate": "github-releases" @@ -39,6 +39,15 @@ "matchUpdateTypes": ["major"], "groupName": "major dependencies", "groupSlug": "major" + }, + { + "description": "Re-render template after dependency updates", + "matchManagers": ["custom.regex"], + "postUpgradeTasks": { + "commands": ["nix develop --command just render", "git checkout -- .copier-answers.yaml"], + "fileFilters": ["**/*"], + "executionMode": "branch" + } } ] } diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml index 071a9de..9ea6a97 100644 --- a/.github/workflows/renovate.yaml +++ b/.github/workflows/renovate.yaml @@ -23,6 +23,7 @@ jobs: timeout-minutes: 30 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: ./.github/actions/nix-setup - uses: renovatebot/github-action@7b4b65bf31e07d4e3e51708d07700fb41bc03166 # v46.1.3 with: 
@@ -30,3 +31,4 @@ jobs: token: ${{ secrets.RENOVATE_TOKEN }} env: RENOVATE_REPOSITORIES: ${{ github.repository }} + RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS: '["^nix develop ", "^git checkout "]' diff --git a/includes/renovate-template.jinja b/includes/renovate-template.jinja index 055a570..197099e 100644 --- a/includes/renovate-template.jinja +++ b/includes/renovate-template.jinja @@ -9,7 +9,7 @@ { "customType": "regex", "description": "Update copier-flake ref in Nix flake inputs", - "managerFilePatterns": ["/template/flake\\.nix\\.jinja$/", "/includes/flake-extra-inputs\\.jinja$/"], + "managerFilePatterns": ["/includes/flake-extra-inputs\\.jinja$/"], "matchStrings": ["github:gordon-code/copier-flake/(?[a-f0-9]+).*#\\s*(?v[\\S]+)"], "depNameTemplate": "gordon-code/copier-flake", "datasourceTemplate": "github-releases" diff --git a/template/.github/renovate.json.jinja b/template/.github/renovate.json.jinja index ecc6200..04ad573 100644 --- a/template/.github/renovate.json.jinja +++ b/template/.github/renovate.json.jinja @@ -25,6 +25,17 @@ "matchUpdateTypes": ["major"], "groupName": "major dependencies", "groupSlug": "major" + }{{ ',' if _is_template else '' }} +{% if _is_template %} + { + "description": "Re-render template after dependency updates", + "matchManagers": ["custom.regex"], + "postUpgradeTasks": { + "commands": ["nix develop --command just render", "git checkout -- .copier-answers.yaml"], + "fileFilters": ["**/*"], + "executionMode": "branch" + } } +{% endif %} ] } diff --git a/template/.github/workflows/renovate.yaml b/template/.github/workflows/renovate.yaml index 071a9de..9ea6a97 100644 --- a/template/.github/workflows/renovate.yaml +++ b/template/.github/workflows/renovate.yaml @@ -23,6 +23,7 @@ jobs: timeout-minutes: 30 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: ./.github/actions/nix-setup - uses: renovatebot/github-action@7b4b65bf31e07d4e3e51708d07700fb41bc03166 # v46.1.3 with: 
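Review bot: The allowlist added as `RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS` is only prefix-anchored, so `^nix develop ` admits any `nix develop --command <anything>` and `^git checkout ` admits any checkout, which makes the allowlist a no-op as a guard on what postUpgradeTasks may run. Anchor the full command strings instead, matching the two commands declared in `.github/renovate.json`: `RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS: '["^nix develop --command just render$", "^git checkout -- \\.copier-answers\\.yaml$"]'`. The same value is added to `template/.github/workflows/renovate.yaml` in the next hunk and needs the same change. The step whose `env:` block this line extends begins outside the hunk.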
@@ -30,3 +31,4 @@ jobs: token: ${{ secrets.RENOVATE_TOKEN }} env: RENOVATE_REPOSITORIES: ${{ github.repository }} + RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS: '["^nix develop ", "^git checkout "]' From 8b8d791a373affa86ad1630fd57271b0c17d5b72 Mon Sep 17 00:00:00 2001 From: testvalue Date: Wed, 18 Mar 2026 11:43:26 -0400 Subject: [PATCH 2/9] fix: replaces postUpgradeTasks with render-template workflow --- .github/renovate.json | 9 ------ .github/workflows/render-template.yaml | 40 ++++++++++++++++++++++++ .github/workflows/renovate.yaml | 2 -- justfile | 1 + template/.github/renovate.json.jinja | 11 ------- template/.github/workflows/renovate.yaml | 2 -- 6 files changed, 41 insertions(+), 24 deletions(-) create mode 100644 .github/workflows/render-template.yaml diff --git a/.github/renovate.json b/.github/renovate.json index 7c4abc2..9294819 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -39,15 +39,6 @@ "matchUpdateTypes": ["major"], "groupName": "major dependencies", "groupSlug": "major" - }, - { - "description": "Re-render template after dependency updates", - "matchManagers": ["custom.regex"], - "postUpgradeTasks": { - "commands": ["nix develop --command just render", "git checkout -- .copier-answers.yaml"], - "fileFilters": ["**/*"], - "executionMode": "branch" - } } ] } diff --git a/.github/workflows/render-template.yaml b/.github/workflows/render-template.yaml new file mode 100644 index 0000000..c0afcd2 --- /dev/null +++ b/.github/workflows/render-template.yaml 
@@ -0,0 +1,40 @@ +# Template-repo only: re-renders root files after Renovate updates includes/template +name: Render Template + +on: + push: + branches: ['renovate/**'] + paths: ['includes/**', 'template/**'] + +permissions: + contents: write + +jobs: + render: + runs-on: ubuntu-latest + timeout-minutes: 15 + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + ref: ${{ github.ref }} + + - uses: ./.github/actions/nix-setup + + - name: Set up Git + run: | + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + + - name: Re-render from template + run: nix develop -c just render + + - name: Restore copier answers + run: git restore .copier-answers.yaml + + - name: Commit and push if changed + run: | + if [ -n "$(git status --porcelain)" ]; then + git add -A + git commit -m "chore: re-renders root files from updated template" + git push + fi diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml index 9ea6a97..071a9de 100644 --- a/.github/workflows/renovate.yaml +++ b/.github/workflows/renovate.yaml @@ -23,7 +23,6 @@ jobs: timeout-minutes: 30 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: ./.github/actions/nix-setup - uses: renovatebot/github-action@7b4b65bf31e07d4e3e51708d07700fb41bc03166 # v46.1.3 with: @@ -31,4 +30,3 @@ jobs: token: ${{ secrets.RENOVATE_TOKEN }} env: RENOVATE_REPOSITORIES: ${{ github.repository }} - RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS: '["^nix develop ", "^git checkout "]' diff --git a/justfile b/justfile index eb7c649..bd085b7 100644 --- a/justfile +++ b/justfile 
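Review bot: The `Set up Git` step hard-codes the bot identity without saying why it has to be exactly this one: it matches the `gitAuthor` configured in `.github/renovate.json`, and Renovate decides whether it may still rebase a branch partly by checking that every commit on it carries its own author, so a different identity here would presumably make it treat every re-rendered branch as hand-edited and stop updating it. Add a comment above the step, `# Identity must match gitAuthor in .github/renovate.json, otherwise Renovate treats the re-render commit as a manual edit and stops rebasing the branch`. The top-of-file comment could also state the commit contract, e.g. `# Commits only regenerated root files; .copier-answers.yaml is restored first so the answers file never changes here`.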
@@ -24,6 +24,7 @@ render: git show HEAD:lib/nix/project.nix > lib/nix/project.nix 2>/dev/null || true git show HEAD:justfile > justfile 2>/dev/null || true git show HEAD:.gitignore > .gitignore 2>/dev/null || true + git show HEAD:.github/workflows/render-template.yaml > .github/workflows/render-template.yaml 2>/dev/null || true # Run unit tests test: diff --git a/template/.github/renovate.json.jinja b/template/.github/renovate.json.jinja index 04ad573..ecc6200 100644 --- a/template/.github/renovate.json.jinja +++ b/template/.github/renovate.json.jinja @@ -25,17 +25,6 @@ "matchUpdateTypes": ["major"], "groupName": "major dependencies", "groupSlug": "major" - }{{ ',' if _is_template else '' }} -{% if _is_template %} - { - "description": "Re-render template after dependency updates", - "matchManagers": ["custom.regex"], - "postUpgradeTasks": { - "commands": ["nix develop --command just render", "git checkout -- .copier-answers.yaml"], - "fileFilters": ["**/*"], - "executionMode": "branch" - } } -{% endif %} ] } diff --git a/template/.github/workflows/renovate.yaml b/template/.github/workflows/renovate.yaml index 9ea6a97..071a9de 100644 --- a/template/.github/workflows/renovate.yaml +++ b/template/.github/workflows/renovate.yaml @@ -23,7 +23,6 @@ jobs: timeout-minutes: 30 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: ./.github/actions/nix-setup - uses: renovatebot/github-action@7b4b65bf31e07d4e3e51708d07700fb41bc03166 # v46.1.3 with: @@ -31,4 +30,3 @@ jobs: token: ${{ secrets.RENOVATE_TOKEN }} env: RENOVATE_REPOSITORIES: ${{ github.repository }} - RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS: '["^nix develop ", "^git checkout "]' From 2eebe7768d386894467c9038e5d3176ec920cb04 Mon Sep 17 00:00:00 2001 
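Review bot: The added restore line, like the ones above it, truncates the target before `git show` runs, so on a checkout whose HEAD does not yet contain `.github/workflows/render-template.yaml` the redirect leaves behind an empty workflow file rather than no file, and `|| true` hides that. Prefer a form that only writes on success, `git checkout HEAD -- .github/workflows/render-template.yaml 2>/dev/null || true`, or write to a temporary path and move it into place. The `render` recipe begins outside the hunk, so I cannot see whether an earlier step guarantees the file exists at HEAD.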
From: testvalue Date: Wed, 18 Mar 2026 11:54:26 -0400 Subject: [PATCH 3/9] fix: restores template/flake.nix.jinja to file patterns --- .github/renovate.json | 2 +- includes/renovate-template.jinja | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/renovate.json b/.github/renovate.json index 9294819..159f21a 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -23,7 +23,7 @@ { "customType": "regex", "description": "Update copier-flake ref in Nix flake inputs", - "managerFilePatterns": ["/includes/flake-extra-inputs\\.jinja$/"], + "managerFilePatterns": ["/template/flake\\.nix\\.jinja$/", "/includes/flake-extra-inputs\\.jinja$/"], "matchStrings": ["github:gordon-code/copier-flake/(?[a-f0-9]+).*#\\s*(?v[\\S]+)"], "depNameTemplate": "gordon-code/copier-flake", "datasourceTemplate": "github-releases" diff --git a/includes/renovate-template.jinja b/includes/renovate-template.jinja index 197099e..055a570 100644 --- a/includes/renovate-template.jinja +++ b/includes/renovate-template.jinja @@ -9,7 +9,7 @@ { "customType": "regex", "description": "Update copier-flake ref in Nix flake inputs", - "managerFilePatterns": ["/includes/flake-extra-inputs\\.jinja$/"], + "managerFilePatterns": ["/template/flake\\.nix\\.jinja$/", "/includes/flake-extra-inputs\\.jinja$/"], "matchStrings": ["github:gordon-code/copier-flake/(?[a-f0-9]+).*#\\s*(?v[\\S]+)"], "depNameTemplate": "gordon-code/copier-flake", "datasourceTemplate": "github-releases" From 63754e830a0674c4f63009c494b2a20cea60960f Mon Sep 17 00:00:00 2001 From: testvalue Date: Wed, 18 Mar 2026 12:03:21 -0400 Subject: [PATCH 4/9] fix: uses RENOVATE_TOKEN and job-level permissions --- .github/workflows/render-template.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/render-template.yaml b/.github/workflows/render-template.yaml index c0afcd2..9274d7d 100644 --- a/.github/workflows/render-template.yaml +++ b/.github/workflows/render-template.yaml 
@@ -7,16 +7,19 @@ on: paths: ['includes/**', 'template/**'] permissions: - contents: write + contents: read jobs: render: runs-on: ubuntu-latest + permissions: + contents: write timeout-minutes: 15 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ github.ref }} + token: ${{ secrets.RENOVATE_TOKEN }} - uses: ./.github/actions/nix-setup From aa42fb5d4fcfdf6a076ec74c9a1015aa0edef980 Mon Sep 17 00:00:00 2001 From: testvalue Date: Wed, 18 Mar 2026 12:09:47 -0400 Subject: [PATCH 5/9] fix: adds concurrency block to render-template workflow --- .github/workflows/render-template.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/render-template.yaml b/.github/workflows/render-template.yaml index 9274d7d..7dfee10 100644 --- a/.github/workflows/render-template.yaml +++ b/.github/workflows/render-template.yaml @@ -6,6 +6,10 @@ on: branches: ['renovate/**'] paths: ['includes/**', 'template/**'] +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: contents: read From 3098e36111430bb710cf7d66709f157cd3bb9756 Mon Sep 17 00:00:00 2001 From: testvalue Date: Wed, 18 Mar 2026 12:24:16 -0400 Subject: [PATCH 6/9] fix: adds flake lock update after render for input sync --- .github/workflows/render-template.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/render-template.yaml b/.github/workflows/render-template.yaml index 7dfee10..58879ec 100644 --- a/.github/workflows/render-template.yaml +++ b/.github/workflows/render-template.yaml @@ -35,6 +35,9 @@ jobs: - name: Re-render from template run: nix develop -c just render + - name: Update flake lock if inputs changed + run: nix flake lock + - name: Restore copier answers run: git restore .copier-answers.yaml From dc158c6ccc5f3c4786efe4641a8e2fb04ff7b7d1 Mon Sep 17 00:00:00 2001 
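Review bot: Passing `token: ${{ secrets.RENOVATE_TOKEN }}` to `actions/checkout` leaves that token in the checked-out repository's git config for the rest of the job (checkout persists credentials by default), and the later steps run `nix develop -c just render`, whose `flake.nix` and `justfile` come from whichever `renovate/**` branch was pushed, so any identity able to push a branch with that prefix gets code execution with the token in reach. Reduce the exposure with `persist-credentials: false` on the checkout and hand the token only to the final push step through an `env:` entry there, and/or protect the `renovate/**` namespace with a ruleset so only the Renovate identity can create those branches. The job-level `permissions` narrowing is good, but it governs `GITHUB_TOKEN` only and does nothing for the PAT. A comment next to the token saying why `GITHUB_TOKEN` is not used, presumably so the re-render push still triggers the PR checks, would also help the next reader.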
From: testvalue Date: Wed, 18 Mar 2026 13:07:30 -0400 Subject: [PATCH 7/9] fix: removes redundant regex manager and deduplicates Renovate detection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Removes custom regex Manager 1 (workflow scanner) — the built-in github-actions manager already detects SHA-pinned actions natively - Adds packageRule to disable built-in github-actions for template/** paths, preventing duplicate detection with the template regex manager - Removes dead template/flake.nix.jinja pattern from copier-flake manager (file has raw Jinja includes, not expanded URLs) --- .github/renovate.json | 13 ++++++------- includes/renovate-template.jinja | 2 +- template/.github/renovate.json.jinja | 13 +++++++------ 3 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/renovate.json b/.github/renovate.json index 159f21a..8416de1 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -7,12 +7,6 @@ "gitAuthor": "github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>", "minimumReleaseAge": "14 days", "customManagers": [ - { - "customType": "regex", - "managerFilePatterns": ["/\\.github/workflows/.*\\.yaml$/"], - "matchStrings": ["uses:\\s+(?[\\w-]+/[\\w-]+)@(?[a-f0-9]+)\\s+#\\s+(?v[\\S]+)"], - "datasourceTemplate": "github-releases" - }, { "customType": "regex", "description": "Update SHA-pinned actions in .jinja template files", @@ -23,7 +17,7 @@ { "customType": "regex", "description": "Update copier-flake ref in Nix flake inputs", - "managerFilePatterns": ["/template/flake\\.nix\\.jinja$/", "/includes/flake-extra-inputs\\.jinja$/"], + "managerFilePatterns": ["/includes/flake-extra-inputs\\.jinja$/"], "matchStrings": ["github:gordon-code/copier-flake/(?[a-f0-9]+).*#\\s*(?v[\\S]+)"], "depNameTemplate": "gordon-code/copier-flake", "datasourceTemplate": "github-releases" 
@@ -39,6 +33,11 @@ "matchUpdateTypes": ["major"], "groupName": "major dependencies", "groupSlug": "major" + }, + { + "matchManagers": ["github-actions"], + "matchFileNames": ["template/**"], + "enabled": false } ] } diff --git a/includes/renovate-template.jinja b/includes/renovate-template.jinja index 055a570..197099e 100644 --- a/includes/renovate-template.jinja +++ b/includes/renovate-template.jinja @@ -9,7 +9,7 @@ { "customType": "regex", "description": "Update copier-flake ref in Nix flake inputs", - "managerFilePatterns": ["/template/flake\\.nix\\.jinja$/", "/includes/flake-extra-inputs\\.jinja$/"], + "managerFilePatterns": ["/includes/flake-extra-inputs\\.jinja$/"], "matchStrings": ["github:gordon-code/copier-flake/(?[a-f0-9]+).*#\\s*(?v[\\S]+)"], "depNameTemplate": "gordon-code/copier-flake", "datasourceTemplate": "github-releases" diff --git a/template/.github/renovate.json.jinja b/template/.github/renovate.json.jinja index ecc6200..5a803f9 100644 --- a/template/.github/renovate.json.jinja +++ b/template/.github/renovate.json.jinja @@ -7,12 +7,6 @@ "gitAuthor": "github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>", "minimumReleaseAge": "14 days", "customManagers": [ - { - "customType": "regex", - "managerFilePatterns": ["/\\.github/workflows/.*\\.yaml$/"], - "matchStrings": ["uses:\\s+(?[\\w-]+/[\\w-]+)@(?[a-f0-9]+)\\s+#\\s+(?v[\\S]+)"], - "datasourceTemplate": "github-releases" - }{{ ',' if _is_template else '' }} {% include pathjoin("includes", "renovate-template.jinja") ignore missing %} ], "packageRules": [ @@ -25,6 +19,13 @@ "matchUpdateTypes": ["major"], "groupName": "major dependencies", "groupSlug": "major" + }{{ ',' if _is_template else '' }} +{% if _is_template %} + { + "matchManagers": ["github-actions"], + "matchFileNames": ["template/**"], + "enabled": false } +{% endif %} ] } From 5f522ee55217f8929cdc99dc915d6b148f12b8ea Mon Sep 17 00:00:00 2001 
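Review bot: The new `packageRules` entry is the only rule in the file without a `"description"`, so a reader of `.github/renovate.json` sees the built-in manager disabled for `template/**` with no hint that the custom regex manager for `.jinja` template files in `customManagers` covers those paths instead. Add `"description": "template/** is handled by the regex manager in customManagers; disable the built-in github-actions manager there to avoid duplicate PRs"` as the first key of the rule, which matches how the custom managers document themselves. The same rule is added to `template/.github/renovate.json.jinja` in the last hunk on this line and should carry the same description.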
From: testvalue Date: Wed, 18 Mar 2026 13:41:23 -0400 Subject: [PATCH 8/9] fix: conditionalizes flake lock update, adds packageRule test --- .github/workflows/render-template.yaml | 7 +++++-- tests/test_rendering.py | 10 ++++++++++ 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/.github/workflows/render-template.yaml b/.github/workflows/render-template.yaml index 58879ec..35abb96 100644 --- a/.github/workflows/render-template.yaml +++ b/.github/workflows/render-template.yaml @@ -36,7 +36,10 @@ jobs: run: nix develop -c just render - name: Update flake lock if inputs changed - run: nix flake lock + run: | + if ! git diff --quiet flake.nix; then + nix flake lock + fi - name: Restore copier answers run: git restore .copier-answers.yaml @@ -45,6 +48,6 @@ jobs: run: | if [ -n "$(git status --porcelain)" ]; then git add -A - git commit -m "chore: re-renders root files from updated template" + git commit -m "chore: re-render root files from updated template" git push fi diff --git a/tests/test_rendering.py b/tests/test_rendering.py index 11bcb06..a6962e6 100644 --- a/tests/test_rendering.py +++ b/tests/test_rendering.py 
@@ -287,6 +287,16 @@ def test_renovate_has_template_config(generated_template_project): assert template_managers, "No template-specific customManagers found" +def test_renovate_template_suppresses_builtin_gha(generated_template_project): + """Template repo disables built-in github-actions manager for template paths.""" + data = parse_json(generated_template_project / ".github" / "renovate.json") + rules = data.get("packageRules", []) + gha_rule = [r for r in rules if r.get("matchManagers") == ["github-actions"]] + assert gha_rule, "No packageRule suppressing github-actions for template paths" + assert gha_rule[0].get("matchFileNames") == ["template/**"] + assert gha_rule[0].get("enabled") is False + + def test_no_consistency_job_default(generated_github_project): """Default projects have no consistency job in pr-checks.""" assert "consistency" not in (generated_github_project / ".github" / "workflows" / "pr-checks.yaml").read_text() From 0d84d0342d5fda98c3790961c43012d48f4bea15 Mon Sep 17 00:00:00 2001 From: testvalue Date: Wed, 18 Mar 2026 14:41:47 -0400 Subject: [PATCH 9/9] fix: generalizes flake input manager to detect any SHA-pinned input --- .github/renovate.json | 7 +++---- includes/renovate-template.jinja | 7 +++---- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/.github/renovate.json b/.github/renovate.json index 8416de1..6881547 100644 --- a/.github/renovate.json +++ b/.github/renovate.json 
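Review bot: `test_renovate_template_suppresses_builtin_gha` only checks the template-repo rendering, while the rule it verifies is wrapped in `{% if _is_template %}` in `template/.github/renovate.json.jinja`, so the branch that must produce no such rule in ordinary projects has no test. Add a companion test on the default-project fixture, assuming `generated_github_project` renders with `_is_template` false, as `test_no_consistency_job_default` below suggests. `parse_json` and both fixtures are defined outside the hunk.
```python
def test_renovate_default_has_no_gha_suppression(generated_github_project):
    """Non-template projects must not carry the template-only github-actions suppression rule."""
    data = parse_json(generated_github_project / ".github" / "renovate.json")
    rules = data.get("packageRules", [])
    assert not [r for r in rules if r.get("matchManagers") == ["github-actions"]]
```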
@@ -16,10 +16,9 @@ }, { "customType": "regex", - "description": "Update copier-flake ref in Nix flake inputs", - "managerFilePatterns": ["/includes/flake-extra-inputs\\.jinja$/"], - "matchStrings": ["github:gordon-code/copier-flake/(?[a-f0-9]+).*#\\s*(?v[\\S]+)"], - "depNameTemplate": "gordon-code/copier-flake", + "description": "Update SHA-pinned Nix flake inputs in template files", + "managerFilePatterns": ["/template/flake\\.nix\\.jinja$/", "/includes/flake-extra-inputs\\.jinja$/"], + "matchStrings": ["github:(?[\\w-]+/[\\w-]+)/(?[a-f0-9]+).*#\\s*(?v[\\S]+)"], "datasourceTemplate": "github-releases" } ], diff --git a/includes/renovate-template.jinja b/includes/renovate-template.jinja index 197099e..663f406 100644 --- a/includes/renovate-template.jinja +++ b/includes/renovate-template.jinja @@ -8,10 +8,9 @@ }, { "customType": "regex", - "description": "Update copier-flake ref in Nix flake inputs", - "managerFilePatterns": ["/includes/flake-extra-inputs\\.jinja$/"], - "matchStrings": ["github:gordon-code/copier-flake/(?[a-f0-9]+).*#\\s*(?v[\\S]+)"], - "depNameTemplate": "gordon-code/copier-flake", + "description": "Update SHA-pinned Nix flake inputs in template files", + "managerFilePatterns": ["/template/flake\\.nix\\.jinja$/", "/includes/flake-extra-inputs\\.jinja$/"], + "matchStrings": ["github:(?[\\w-]+/[\\w-]+)/(?[a-f0-9]+).*#\\s*(?v[\\S]+)"], "datasourceTemplate": "github-releases" } {% endif %}
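Review bot: The generalized `matchStrings` capture `(?[\\w-]+/[\\w-]+)` for the dependency name rejects repository names containing a dot, which GitHub allows (`owner/some.repo`), so such an input would silently stop being tracked once this replaces the hard-coded `gordon-code/copier-flake`; use `[\\w-]+/[\\w.-]+` for the repository part. The group names appear to have been lost in the rendering of this patch (`(?[\\w-]+…` is not valid regex), so I assume the real file names them, e.g. `(?<depName>…)`. The same pattern is added to `includes/renovate-template.jinja` in the next hunk and needs the same change.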