infra: added Renovate bot

.gitea/workflows/ci.yml

@@ -2,11 +2,10 @@ name: CI/CD Awesome Pipeline
 
 on:
   push:
-    branches: [main]
     tags:
       - 'v*.*.*'
-  pull_request:
+
-    branches: [main]
+  workflow_dispatch:
 
 env:
   REGISTRY_URL: ${{ vars.REGISTRY_URL || 'gitea.iswearihadsomethingforthis.net' }}
@@ -30,33 +29,60 @@ jobs:
     name: Build & Push to Registry
     runs-on: ubuntu-latest
     needs: test
-    if: contains(github.ref, 'refs/tags/v')
-    steps:
-      - name: Debug ref
-        run: |
-          echo "github.ref = ${{ github.ref }}"
-          echo "GITHUB_REF = $GITHUB_REF"
 
+    steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
       - name: Load config from Makefile
         id: config
-        run: |
+        run: make -s _ci-dump-config >> $GITHUB_OUTPUT
-          eval "$(make _ci-image-name)"
-          echo "image_name=${IMAGE_NAME}" >> $GITHUB_OUTPUT
 
-      - name: Extract version from tag
+      - name: 🏷️ Docker Metadata (Tags & Labels)
-        id: version
+        id: meta
-        run: echo "version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
+        uses: docker/metadata-action@v5
+        with:
+          images: gitea.iswearihadsomethingforthis.net/francwa/${{ steps.config.outputs.image_name }}
+          tags: |
+            # Tagged (v1.2.3)
+            type=semver,pattern={{ version }}
+            # Latest
+            type=raw,value=latest,enable={{ is_default_branch }}
 
-      - name: Build production image
+      - name: Login to Gitea Registry
-        run: make build
+        uses: docker/login-action@v3
+        with:
+          registry: gitea.iswearihadsomethingforthis.net
+          username: ${{ gitea.actor }}
+          password: ${{ secrets.G1T34_TOKEN }}
 
-      - name: Tag and push to registry
+      - name: Build and push
-        run: |
+        id: docker_build
-          docker tag ${{ steps.config.outputs.image_name }}:latest ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.config.outputs.image_name }}:${{ steps.version.outputs.version }}
+        uses: docker/build-push-action@v5
-          docker tag ${{ steps.config.outputs.image_name }}:latest ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.config.outputs.image_name }}:latest
+        with:
-          echo "${{ secrets.GITEA_TOKEN }}" | docker login ${{ env.REGISTRY_URL }} -u ${{ env.REGISTRY_USER }} --password-stdin
+          context: .
-          docker push ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.config.outputs.image_name }}:${{ steps.version.outputs.version }}
+          file: ./brain/Dockerfile
-          docker push ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.config.outputs.image_name }}:latest
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            PYTHON_VERSION=${{ steps.config.outputs.python_version }}
+            PYTHON_VERSION_SHORT=${{ steps.config.outputs.python_version_short }}
+            RUNNER=${{ steps.config.outputs.runner }}
+
+      - name: 🛡️ Run Trivy Vulnerability Scanner
+        uses: docker://aquasec/trivy:latest
+        env:
+          TRIVY_USERNAME: ${{ gitea.actor }}
+          TRIVY_PASSWORD: ${{ secrets.G1T34_TOKEN }}
+          # Unset the fake GITHUB_TOKEN injected by Gitea
+          GITHUB_TOKEN: ""
+        with:
+          args: image --format table --output trivy-report.txt --exit-code 0 --ignore-unfixed --severity CRITICAL,HIGH gitea.iswearihadsomethingforthis.net/francwa/${{ steps.config.outputs.image_name }}:latest
+
+      - name: 📤 Upload Security Report
+        uses: actions/upload-artifact@v3
+        with:
+          name: security-report
+          path: trivy-report.txt
+          retention-days: 7

.gitea/workflows/renovate.yaml

@@ -0,0 +1,22 @@
+name: Renovate Bot
+
+on:
+  schedule:
+    # Every Monday 4AM
+    - cron: '0 4 * * 1'
+  workflow_dispatch:
+
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run Renovate
+        uses: docker://renovate/renovate:latest
+        env:
+          RENOVATE_PLATFORM: "gitea"
+          RENOVATE_ENDPOINT: "https://gitea.iswearihadsomethingforthis.net/api/v1"
+          RENOVATE_TOKEN: "${{ secrets.G1T34_TOKEN }}"
+          RENOVATE_REPOSITORIES: '["${{ gitea.repository }}"]'
+          RENOVATE_GIT_AUTHOR: "Renovate Bot <renovate@bot.local>"
+          # Might need a free github token if lots of depencies
+          # RENOVATE_GITHUB_TOKEN: "${{ secrets.GITHUB_COM_TOKEN }}"

Makefile

@@ -3,20 +3,19 @@
 .DEFAULT_GOAL := help
 
 # --- SETTINGS ---
+CORE_DIR = brain
+IMAGE_NAME = agent_media
+# renovate: datasource=docker depName=python
 PYTHON_VERSION = 3.12.7
 PYTHON_VERSION_SHORT = $(shell echo $(PYTHON_VERSION) | cut -d. -f1,2)
 # Change to 'uv' when ready.
 RUNNER ?= poetry
+SERVICE_NAME = agent_media
 
+export IMAGE_NAME
 export PYTHON_VERSION
 export PYTHON_VERSION_SHORT
 export RUNNER
-export IMAGE_NAME
-
-# --- VARIABLES ---
-CORE_DIR     = brain
-SERVICE_NAME = agent_media
-IMAGE_NAME   = agent_media
 
 # --- ADAPTERS ---
 # UV uses "sync", Poetry uses "install". Both install DEV deps by default.
@@ -46,7 +45,7 @@ T = \033[36m
 R = \033[0m
 
 # --- TARGETS ---
-.PHONY: add build build-test check-docker check-runner clean coverage down format help init-dotenv install install-hooks lint logs major minor patch prune ps restart run shell test up update _check_branch _ci-image-name _ci-run-tests
+.PHONY: add build build-test check-docker check-runner clean coverage down format help init-dotenv install install-hooks lint logs major minor patch prune ps restart run shell test up update _check_branch _ci-dump-config _ci-run-tests _push_tag
 
 # Catch-all for args
 %:
@@ -134,7 +133,7 @@ help:
 	@echo "  $(T)update       		$(R)  Update dependencies."
 	@echo ""
 	@echo "$(G)Versioning:$(R)"
-	@echo "  $(T)major/minor/patch	$(R)  Bump version."
+	@echo "  $(T)major/minor/patch	$(R)  Bump version and push tag (triggers CI/CD)."
 
 init-dotenv:
 	@echo "$(T)🔑 Initializing .env file...$(R)"
@@ -187,14 +186,17 @@ logs: check-docker
 major: _check_branch
 	@echo "$(T)💥 Bumping major...$(R)"
 	SKIP=all $(BUMP_CMD) major
+	@$(MAKE) -s _push_tag
 
 minor: _check_branch
 	@echo "$(T)✨ Bumping minor...$(R)"
 	SKIP=all $(BUMP_CMD) minor
+	@$(MAKE) -s _push_tag
 
 patch: _check_branch
 	@echo "$(T)🚀 Bumping patch...$(R)"
 	SKIP=all $(BUMP_CMD) patch
+	@$(MAKE) -s _push_tag
 
 prune: check-docker
 	@echo "$(T)🗑️  Pruning Docker resources...$(R)"
@@ -237,8 +239,12 @@ _check_branch:
 	   echo "❌ Error: not on the main branch"; exit 1; \
 	fi
 
-_ci-image-name:
+_ci-dump-config:
-	@echo "IMAGE_NAME=$(IMAGE_NAME)"
+	@echo "image_name=$(IMAGE_NAME)"
+	@echo "python_version=$(PYTHON_VERSION)"
+	@echo "python_version_short=$(PYTHON_VERSION_SHORT)"
+	@echo "runner=$(RUNNER)"
+	@echo "service_name=$(SERVICE_NAME)"
 
 _ci-run-tests: build-test
 	@echo "$(T)🧪 Running tests in Docker...$(R)"
@@ -247,3 +253,8 @@ _ci-run-tests: build-test
 		-e TMDB_API_KEY \
 		$(IMAGE_NAME):test pytest
 	@echo "✅ Tests passed."
+
+_push_tag:
+	@echo "$(T)📦 Pushing tag...$(R)"
+	git push --tags
+	@echo "✅ Tag pushed. Check CI for build status."

brain/.bumpversion.toml

@@ -1,5 +1,5 @@
 [tool.bumpversion]
-current_version = "0.1.4"
+current_version = "0.1.6"
 parse = "(?P<major>\\d+)\\.(?P<minor>\\d+)\\.(?P<patch>\\d+)"
 serialize = ["{major}.{minor}.{patch}"]
 search = "{current_version}"

brain/Dockerfile

@@ -1,5 +1,6 @@
-# Dockerfile for Agent Media
+# syntax=docker/dockerfile:1
-# Multi-stage build for smaller image size
+# check=skip=InvalidDefaultArgInFrom
+
 ARG PYTHON_VERSION
 ARG PYTHON_VERSION_SHORT
 ARG RUNNER

brain/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "agent-media"
-version = "0.1.4"
+version = "0.1.6"
 description = "AI agent for managing a local media library"
 authors = ["Francwa <francois.hodiaumont@gmail.com>"]
 readme = "README.md"

renovate.json

@@ -0,0 +1,28 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base",
+    ":disableRateLimiting",
+    ":semanticCommits"
+  ],
+  "labels": ["dependencies", "renovate"],
+
+  "packageRules": [
+    {
+      "matchLanguages": ["python"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "all non-major python dependencies",
+      "groupSlug": "all-minor-patch-python"
+    }
+  ],
+
+  "regexManagers": [
+    {
+      "description": "Update Docker variables in the Makefile",
+      "fileMatch": ["^Makefile$"],
+      "matchStrings": [
+        "# renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\s[A-Z_]+_VERSION [?:]?= (?<currentValue>.*)"
+      ]
+    }
+  ]
+}