From ebc27b02ed272838550a2f1904c360dcf7f334a6 Mon Sep 17 00:00:00 2001 From: Mark Elliot <123787712+mark-thm@users.noreply.github.com> Date: Wed, 17 Apr 2024 16:43:40 -0400 Subject: [PATCH] Add reviewbot and renovate automation (#8) Add reviewbot and renovate actions to automate approvals of automation PRs and to create automation PRs, respectively. Renovate is configured only to update GitHub actions -- we wish to maintain long backwards compatibility in our MODULE.bazel by using minimum versions.
---
 .github/renovate-config.json | 9 ++++++ .github/renovate.json | 32 ++++++++++------------ .github/reviewers.json | 14 ++++++++++ .github/workflows/automation-reviewbot.yml | 14 ++++++++++ .github/workflows/periodic-renovate.yml | 24 ++++++++++++++++ 5 files changed, 76 insertions(+), 17 deletions(-) create mode 100644 .github/renovate-config.json create mode 100644 .github/reviewers.json create mode 100644 .github/workflows/automation-reviewbot.yml create mode 100644 .github/workflows/periodic-renovate.yml
diff --git a/.github/renovate-config.json b/.github/renovate-config.json
new file mode 100644
index 0000000..d439eab
--- /dev/null
+++ b/.github/renovate-config.json
@@ -0,0 +1,9 @@
+{
+ "branchPrefix": "renovate/",
+ "username": "renovate-thm[bot]",
+ "gitAuthor": "renovate ",
+ "platform": "github",
+ "onboarding": false,
+ "forkProcessing": "disabled",
+ "repositories": ["theoremlp/rules_uv"]
+}
diff --git a/.github/renovate.json b/.github/renovate.json
index 4039f18..d9bdee6 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -1,18 +1,16 @@
 {
- "$schema": "https://docs.renovatebot.com/renovate-schema.json",
- "extends": [
- ":dependencyDashboard",
- ":semanticPrefixFixDepsChoreOthers",
- "group:monorepos",
- "group:recommended",
- "replacements:all",
- "workarounds:all"
- ],
- "packageRules": [
- {
- "matchFiles": ["MODULE.bazel"],
- "enabled": false
- }
- ]
- }
-
\ No newline at end of file
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [":semanticCommitsDisabled"],
+ "enabledManagers": ["github-actions"],
+ "timezone": "America/New_York",
+ "schedule": ["every weekday after 9am before 5pm"],
+ "branchConcurrentLimit": 10,
+ "labels": ["automerge"],
+ "dependencyDashboard": true,
+ "packageRules": [
+ {
+ "matchFiles": ["MODULE.bazel"],
+ "enabled": false
+ }
+ ]
+}
diff --git a/.github/reviewers.json b/.github/reviewers.json
new file mode 100644
index 0000000..d4db7a2
--- /dev/null
+++ b/.github/reviewers.json
@@ -0,0 +1,14 @@
+{
+ "teams": {},
+ "reviewers": {},
+ "overrides": [
+ {
+ "description": "Auto-approve automated PRs",
+ "onlyModifiedByUsers": ["thm-automation[bot]", "renovate-thm[bot]"],
+ "onlyModifiedFileRegExs": [
+ "^.github/workflows/.*",
+ "^uv/private/uv.lock.json$"
+ ]
+ }
+ ]
+}
diff --git a/.github/workflows/automation-reviewbot.yml b/.github/workflows/automation-reviewbot.yml
new file mode 100644
index 0000000..a3a489b
--- /dev/null
+++ b/.github/workflows/automation-reviewbot.yml
@@ -0,0 +1,14 @@
+name: reviewbot
+on:
+ pull_request: {}
+ pull_request_review: {}
+jobs:
+ required-reviewers:
+ name: reviewbot
+ runs-on: ubuntu-latest
+ steps:
+ - name: required-reviewers
+ uses: theoremlp/required-reviews@v2
+ with:
+ github-token: ${{ secrets.REVIEW_TOKEN_PUB }}
+ post-review: true
diff --git a/.github/workflows/periodic-renovate.yml b/.github/workflows/periodic-renovate.yml
new file mode 100644
index 0000000..f6de065
--- /dev/null
+++ b/.github/workflows/periodic-renovate.yml
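Review bot: Every Renovate PR now gets `"labels": ["automerge"]`, and with `"enabledManagers": ["github-actions"]` those PRs are exactly the ones that change which third-party action code runs in CI, but nothing in the new config asks for digest pinning. If that label drives an unattended merge path (not visible in this hunk), a moved upstream tag would reach the default branch without anyone reading it. Extending the preset list, `"extends": [":semanticCommitsDisabled", "helpers:pinGitHubActionDigests"]`, makes each update an explicit commit-SHA change that can be audited.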
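Review bot: The two `onlyModifiedFileRegExs` patterns leave `.` unescaped, so `^.github/workflows/.*` and `^uv/private/uv.lock.json$` match more paths than the literal ones intended; in JSON the tighter forms are `"^\\.github/workflows/.*"` and `"^uv/private/uv\\.lock\\.json$"`. The override also appears to waive human review for bot-authored changes under `.github/workflows/`, the directory whose contents run with repository secrets, so its safety rests on how well the credentials of `thm-automation[bot]` and `renovate-thm[bot]` are protected. Narrowing the workflow pattern to what Renovate actually needs to touch, or accepting only digest-pinned action updates, would shrink that exposure.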
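Review bot: `uses: theoremlp/required-reviews@v2` hands `secrets.REVIEW_TOKEN_PUB` to an action referenced by a mutable tag; pin it as `uses: theoremlp/required-reviews@<full-commit-sha> # v2`, the way `renovatebot/github-action` is pinned in periodic-renovate.yml. The same applies in that file to `actions/create-github-app-token@v1`, which receives the app private key, and to `actions/checkout@v4`. The job also declares no `permissions:` block, so the repository's default `GITHUB_TOKEN` scope applies; if the action only uses the supplied token, `permissions: {}` under `required-reviewers:` would remove it. Secrets are not passed to `pull_request` runs from forks, so a one-line comment stating how fork PRs are expected to behave would help the next maintainer.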
@@ -0,0 +1,24 @@
+name: Renovate
+on:
+ workflow_dispatch: {}
+ schedule:
+ # run every 15th minute between 9am and 5pm (4am and 12pm UTC), M-F
+ - cron: "0/15 14-22 * * 1-5"
+jobs:
+ renovate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Get Renovate GitHub App Token
+ id: app-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ secrets.RENOVATE_THM_APP_ID_PUB }}
+ private-key: ${{ secrets.RENOVATE_THM_PRIVATE_KEY_PUB }}
+ - uses: actions/checkout@v4
+ - name: Run Renovate
+ uses: renovatebot/github-action@2e021d24483d81e77e0e902d0809adfbfff276fc # v40.1.10
+ with:
+ # options in this file are defined by
+ # https://docs.renovatebot.com/self-hosted-configuration/
+ configurationFile: .github/renovate-config.json
+ token: ${{ steps.app-token.outputs.token }}
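Review bot: The schedule comment does not match the expression below it: `0/15 14-22 * * 1-5` fires from 14:00 to 22:45 UTC, not "4am and 12pm UTC", and that window is 10am–6:45pm New York time while daylight saving is in effect. Suggested wording: `# every 15 minutes, 14:00-22:45 UTC (09:00-17:45 EST / 10:00-18:45 EDT), Mon-Fri`. Separately, the `actions/checkout@v4` step keeps its default credential persistence and the job has no `permissions:` block, so the workflow token stays in the workspace while the Renovate step runs; adding `with:` / `persist-credentials: false` to the checkout and a job-level `permissions:` / `contents: read` would leave the app token as the only credential in play.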