feat: Add Renovate configuration

[vitoyucepi]

Summary

This pull request updates the GitHub workflow pipeline by adding Renovate configuration and pinning dependencies to make things more predictable.

Details

• Added the Renovate onboarding configuration to help manage dependency versions automatically.
• Changed GitHub Actions versions to use semantic versioning when possible.
• Turned on auto-merge for non-major version updates.
• Disabled Renovate for some Docker actions and images that were causing problems.
  See issue: Use github-refs for GitHub Actions so that branches are supported in addition to tags renovatebot/renovate#28016.

Changes

Pinned several dependencies in the .github/workflows/ci.yml to specific commit versions.
The following actions have been pinned:

• actions/checkout to 11bd719
• savonet/github-actions-cpu-cores-docker to f72bcfa
• actions/setup-node to 39370e3
• crazy-max/ghaction-github-pages to fbf0a4f
• actions/upload-artifact to 65c4c4a
• peaceiris/actions-gh-pages to 4f9cc66
• ocaml/setup-ocaml to c157462
• actions/cache to 1bd1e32
• pre-commit/action to 2c7b380
• actions/download-artifact to fa0a91b
• softprops/action-gh-release to c95fe14
• docker/setup-buildx-action to 6524bf6
• docker/login-action to 9780b0c
• docker/build-push-action to b32b51a
• savonet/liquidsoap-ci docker tag to a9e3ce5
• ubuntu GitHub runs-on image to v24.04

Required changes in the repository settings

To make the updates from this pull request work properly, it's necessary to adjust a few settings in the repository:

1. Make sure the Renovate bot is activated for the repository.
   This will make the Renovate bot automatically manage dependencies.
   Go to https://github.com/apps/renovate and install it for the repository.
   Since I provided the configuration and pinned all the dependencies, it will only create a Dependency Dashboard issue to track them.
2. Enable GitHub auto-merge in the repository Settings -> General -> Allow auto-merge.
   This will allow the Renovate bot to use the platform auto-merge feature.
   The documentation is available at https://docs.renovatebot.com/key-concepts/automerge/.
3. Additionally GitHub auto-merge requires repository Settings -> Rulesets to be configured.
   In my test repository, I created a rule that will block merge until the GitHub action passed.
   If the ruleset requires a review, then Renovate also provides automatic review bots.
   Go to https://github.com/apps/renovate-approve and install it for the repository.
   The documentation is available at https://docs.renovatebot.com/key-concepts/automerge/#required-pull-request-reviews.

[vitoyucepi]

Hi @toots,
This PR merge will not make sense without the renovate bot application enabled.
I forgot to mention that you can host your own renovate bot account on GitHub and create a separate workflow to update the dependencies.

.github/workflows/renovate.yaml

name: Renovate for liquidsoap
on:
  workflow_dispatch:
    inputs:
      repoCache:
        description: 'Reset or disable the cache?'
        type: choice
        default: enabled
        options:
          - enabled
          - disabled
          - reset
      logLevel:
        description: 'Log level'
        default: 'INFO'
        type: choice
        options:
          - DEBUG
          - INFO
          - WARN
          - ERROR
          - FATAL
  schedule:
    - cron: '12 * * * *'

concurrency:
  group: ${{ github.workflow }}

env:
  cache_archive: renovate_cache.tar.gz
  cache_dir: /tmp/renovate/cache/renovate/repository
  cache_key: [email protected]_renovate-cache

jobs:
  renovate:
    name: Renovate
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      
      - uses: dawidd6/action-download-artifact@80620a5d27ce0ae443b965134db88467fc607b43 # v7
        if: github.event.inputs.repoCache != 'disabled'
        continue-on-error: true
        with:
          name: ${{ env.cache_key }}
          path: cache-download
          github_token: ${{ secrets.RENOVATE_GITHUB_TOKEN }}
      
      - name: Extract renovate cache
        run: |
          set -x
          if [ ! -d cache-download ] ; then
            echo "No cache found."
            exit 0
          fi
          mkdir -p $cache_dir
          tar -xzf cache-download/$cache_archive -C $cache_dir
          sudo chown -R 12021:0 /tmp/renovate/
          ls -R $cache_dir
      
      - uses: renovatebot/github-action@f24426972367551f3391720e34317783a92fd32b # v41.0.8
        with:
          configurationFile: configs/liquidsoap.json
        env:
          RENOVATE_REPOSITORY_CACHE: ${{ github.event.inputs.repoCache || 'enabled' }}
          GITHUB_COM_TOKEN: ${{ secrets.RENOVATE_GITHUB_TOKEN }}
      
      - name: Compress renovate cache
        run: |
          ls $cache_dir
          tar -czvf $cache_archive -C $cache_dir .
      
      - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        if: github.event.inputs.repoCache != 'disabled'
        with:
          name: ${{ env.cache_key }}
          path: ${{ env.cache_archive }}
          retention-days: 1

configs/liquidsoap.json

{
  "autodiscover": true,
  "autodiscoverNamespaces": [
    "savonet"
  ]
}