-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: Add Renovate section to the README
- Loading branch information
1 parent
bc1e010
commit 72e6ad3
Showing
1 changed file
with
57 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -11,7 +11,7 @@ It acts as a proxy between pip and the OCI registry. | |
| Basic authentication is forwarded to the target registry. | ||
|
|
||
| For PyOCI to resolve to the correct package, the following parts are needed as part of the index-url: | ||
| - OCI registry url (without schema, HTTPS is assumed since this package is mainly intended for private registries) | ||
| - OCI registry url, https is assumed | ||
| - namespace, for most registries this is the username or organization name | ||
| - name of the python package | ||
|
|
||
|
|
@@ -26,5 +26,60 @@ pip install --extra-index-url=http://<username>:<password>@<pyoci url>/<OCI regi | |
| ``` | ||
| Example installing package `bar` from user `Foo` using `ghcr.io` as the registry: | ||
| ```commandline | ||
| pip install --extra-index-url=https://Foo:[email protected]/ghcr.io/foo/bar | ||
| pip install --extra-index-url=https://Foo:[email protected]/ghcr.io/foo/bar | ||
| ``` | ||
|
|
||
| For more examples, see the [examples](/docs/examples) | ||
|
|
||
| ## Renovate + ghcr.io | ||
| As PyOCI acts as a private pypi index, Renovate needs to be configured to use credentials for your private packages. | ||
| (https://docs.renovatebot.com/getting-started/private-packages/) | ||
| To prevent having to check-in [encrypted secrets](https://docs.renovatebot.com/getting-started/private-packages/#encrypting-secrets) | ||
| you can: | ||
| 1. Self-host renovate as a github workflow | ||
| 2. Set `package: read` permissions for the workflow | ||
| 3. Pass the `GITHUB_TOKEN` as an environment variable to Renovate | ||
| 4. Add a hostRule for the Renovate runner to apply basic auth for pyoci using the environment variable | ||
| 5. In the [package settings](https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#ensuring-workflow-access-to-your-package) of the private package give the repository running renovate `read` access. | ||
|
|
||
| Note that [at the time of writing](https://github.com/orgs/community/discussions/24636), GitHub App Tokens can't be granted `read:package` permissions, | ||
| this is why you'll need to use the `GITHUB_TOKEN`. | ||
|
|
||
| `.github/workflows/renovate.yaml` | ||
| ```yaml | ||
| ... | ||
| concurrency: | ||
| group: Renovate | ||
|
|
||
| # Allow the GITHUB_TOKEN to read packages | ||
| permissions: | ||
| contents: read | ||
| packages: read | ||
|
|
||
| jobs: | ||
| renovate: | ||
| ... | ||
| - name: Self-hosted Renovate | ||
| uses: renovatebot/[email protected] | ||
| with: | ||
| configurationFile: config.js | ||
| token: '${{ steps.get_token.outputs.token }}' | ||
| env: | ||
| RENOVATE_PYOCI_USER: pyocibot | ||
| RENOVATE_PYOCI_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| ``` | ||
| `config.js` | ||
| ```js | ||
| module.exports = { | ||
| ... | ||
| hostRules: [ | ||
| { | ||
| matchHost: "pyoci.allexveldman.nl", | ||
| hostType: "pypi", | ||
| username: process.env.RENOVATE_PYOCI_USER, | ||
| password: process.env.RENOVATE_PYOCI_TOKEN | ||
| }, | ||
| ], | ||
| }; | ||
| ``` | ||