From 27e477af6fb9e4bd6ed1d7662f864447d09a6659 Mon Sep 17 00:00:00 2001
From: William P
Date: Wed, 22 Oct 2025 10:34:57 -0400
Subject: [PATCH] renovate: add ssh signing
---
 renovate/renovate-cronjob.yaml | 5 +++++
 renovate/renovate-ssh-key.yaml | 17 +++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 renovate/renovate-ssh-key.yaml
diff --git a/renovate/renovate-cronjob.yaml b/renovate/renovate-cronjob.yaml
index fdf8ee8..ac1dc35 100644
--- a/renovate/renovate-cronjob.yaml
+++ b/renovate/renovate-cronjob.yaml
@@ -27,6 +27,11 @@ spec:
 secretKeyRef:
 key: github-com-pat
 name: renovate-github-com-token
+ - name: RENOVATE_GIT_PRIVATE_KEY
+ valueFrom:
+ secretKeyRef:
+ key: ssh-key
+ name: renovate-ssh-key
 - name: RENOVATE_AUTODISCOVER
 value: 'false'
 - name: RENOVATE_BASE_DIR
diff --git a/renovate/renovate-ssh-key.yaml b/renovate/renovate-ssh-key.yaml
new file mode 100644
index 0000000..419ccdd
--- /dev/null
+++ b/renovate/renovate-ssh-key.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: renovate-ssh-key
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: weyma-vault
+ kind: ClusterSecretStore
+ target:
+ name: renovate-ssh-key
+ creationPolicy: Owner
+ data:
+ - secretKey: ssh-key
+ remoteRef:
+ key: renovate
+ property: ssh-key
\ No newline at end of file
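Review bot: The new `RENOVATE_GIT_PRIVATE_KEY` entry in renovate-cronjob.yaml does not record that the referenced `ssh-key` is a commit-signing key rather than a transport or authentication key. The generic secret name makes it easy to reuse one key for both purposes later. A comment above the entry would make the intent explicit, for example `# SSH private key used only to sign Renovate commits; do not reuse as a deploy/auth key`. Signed commits presumably only show as verified when the public half is registered as a signing key for the identity Renovate commits as. That git author setting is not visible here, because the env list starts before and continues after this hunk, so confirm it matches.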
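Review bot: Nothing in renovate/renovate-ssh-key.yaml states that `ssh-key` is a private signing key or who is expected to read it, and it is fetched through the cluster-wide `weyma-vault` ClusterSecretStore. The diff does not show whether that store limits consuming namespaces through its `conditions`, or whether the Vault policy on the `renovate` key is scoped to this workload, so both are worth confirming before a signing key lands on that path. I would add a header comment such as `# Renovate commit-signing key (private); read access to Vault key "renovate" should be limited to the renovate namespace`. The file also ends without a trailing newline; add one.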