fix(ci): give Renovate a git identity and a github.com token
CI / commits (pull_request) Successful in 2m19s
CI / scan (pull_request) Failing after 2m30s
CI / check (pull_request) Successful in 2m37s
CI / a11y (pull_request) Successful in 2m19s
CI / perf (pull_request) Successful in 4m1s

First end-to-end Renovate run (after switching to direct docker run)
extracted dependencies but failed to commit any update branches with
`fatal: empty ident name not allowed`, then aborted the repo with
`Lock file error - aborting`. Two root causes:

- The bot user had an email but no Full Name on its Gitea profile,
  so Renovate could not derive a complete git author identity. After
  enough commit failures Renovate gives up on the repository.
- Renovate also warned `GitHub token is required for some
  dependencies` and could not resolve `containerbase/node-prebuild`
  releases (the Node binary it pulls dynamically for lockfile
  maintenance) — anonymous github.com rate limit (60 req/h) was the
  bottleneck.

Fixes:

1. Pin `gitAuthor` explicitly in `renovate.json` so the identity does
   not depend on out-of-band Gitea profile state. The Full Name was
   also set on the bot profile for consistency with Gitea's UI.
2. Pass `RENOVATE_GITHUB_COM_TOKEN` from a repo secret. The secret is
   named `GITHUBCOM_TOKEN` (no underscore between GITHUB and COM)
   because Gitea reserves the `GITHUB_*` secret namespace for the
   built-in `${{ github.* }}` context. The token is a zero-scope
   PAT — anonymous-equivalent rights, only useful for the higher
   authenticated rate limit (5 000 req/h).

`docs/development.md` is updated with the new bot-onboarding steps
(Full Name, GITHUBCOM_TOKEN setup).
This commit is contained in:
Julien Gautier
2026-05-05 13:25:10 +02:00
parent 399a14e0f4
commit 181fb1d4dd
3 changed files with 18 additions and 5 deletions
+9
View File
@@ -50,6 +50,7 @@ jobs:
-e RENOVATE_ENDPOINT \
-e RENOVATE_AUTODISCOVER \
-e RENOVATE_REPOSITORIES \
-e RENOVATE_GITHUB_COM_TOKEN \
-e LOG_LEVEL \
renovate/renovate:40
env:
@@ -64,4 +65,12 @@ jobs:
# Don't crawl the whole instance — only this repo.
RENOVATE_AUTODISCOVER: 'false'
RENOVATE_REPOSITORIES: ${{ github.repository }}
# Read-only authenticated GitHub.com token (zero-scope PAT) so
# Renovate can resolve versions of GitHub-hosted Actions and
# the `containerbase/node-prebuild` binaries it uses for
# lockfile maintenance, without hitting the 60 req/h
# anonymous rate limit. Stored under GITHUBCOM_TOKEN (no
# underscore) because Gitea reserves the GITHUB_* secret
# namespace for its built-in `${{ github.* }}` context.
RENOVATE_GITHUB_COM_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
LOG_LEVEL: info