fix(ci): give Renovate a git identity and a github.com token
First end-to-end Renovate run (after switching to direct docker run)
extracted dependencies but failed to commit any update branches with
`fatal: empty ident name not allowed`, then aborted the repo with
`Lock file error - aborting`. Two root causes:
- The bot user had an email but no Full Name on its Gitea profile,
so Renovate could not derive a complete git author identity. After
enough commit failures Renovate gives up on the repository.
- Renovate also warned `GitHub token is required for some
dependencies` and could not resolve `containerbase/node-prebuild`
releases (the Node binary it pulls dynamically for lockfile
maintenance) — anonymous github.com rate limit (60 req/h) was the
bottleneck.
Fixes:
1. Pin `gitAuthor` explicitly in `renovate.json` so the identity does
not depend on out-of-band Gitea profile state. The Full Name was
also set on the bot profile for consistency with Gitea's UI.
2. Pass `RENOVATE_GITHUB_COM_TOKEN` from a repo secret. The secret is
named `GITHUBCOM_TOKEN` (no underscore between GITHUB and COM)
because Gitea reserves the `GITHUB_*` secret namespace for the
built-in `${{ github.* }}` context. The token is a zero-scope
PAT — anonymous-equivalent rights, only useful for the higher
authenticated rate limit (5 000 req/h).
`docs/development.md` is updated with the new bot-onboarding steps
(Full Name, GITHUBCOM_TOKEN setup).
This commit is contained in:
+8
-5
@@ -228,12 +228,15 @@ Behaviour is controlled by [`renovate.json`](../renovate.json) at the repo root:
|
||||
Renovate authenticates as a dedicated bot user. Setup is manual on Gitea — done once per Gitea instance, then the workflow runs unattended.
|
||||
|
||||
1. **Create a bot user.** Site Administration → Users → Create User. Suggested name: `apf-portal-bot`. Strong password, mark as **non-admin** (least privilege).
|
||||
2. **Add the bot as a collaborator** on this repo with **Write** access (Settings → Collaborators). Without write, Renovate can't push branches.
|
||||
3. **Generate a PAT for the bot.** Sign in as the bot, then User Settings → Applications → Generate New Token. Scopes needed: read/write `repository`, read/write `issue`, read `user`. Avoid `admin`.
|
||||
4. **Store the PAT as a repo secret.** Settings → Actions → Secrets → New Secret. Name: `RENOVATE_TOKEN`. Value: the token from step 3.
|
||||
5. **Sign out and forget the token locally.** It is now only retrievable via the secret store.
|
||||
2. **Set the bot's Full Name** in its Gitea profile (User Settings → Profile → Full Name, e.g. `APF Portal Bot`). Without it, Renovate's git commits fail with `empty ident name not allowed`. The `gitAuthor` in `renovate.json` is the explicit override, but keeping the profile value consistent avoids confusion when reading commit history in Gitea's UI.
|
||||
3. **Add the bot as a collaborator** on this repo with **Write** access (Settings → Collaborators). Without write, Renovate can't push branches.
|
||||
4. **Generate a PAT for the bot** (`RENOVATE_TOKEN`). Sign in as the bot, then User Settings → Applications → Generate New Token. Scopes needed: read/write `repository`, read/write `issue`, read `user`. Avoid `admin`.
|
||||
5. **Store the PAT as a repo secret.** Settings → Actions → Secrets → New Secret. Name: `RENOVATE_TOKEN`. Value: the token from step 4.
|
||||
6. **Generate a zero-scope GitHub.com PAT** (`GITHUBCOM_TOKEN`). On github.com (any account, e.g. yours): Settings → Developer settings → Personal access tokens → Tokens (classic) → Generate new token (classic). **Do not tick any scope** — anonymous-equivalent rights are enough; the token only buys Renovate the higher authenticated rate limit (5 000 req/h vs 60 req/h) for resolving GitHub-hosted Action versions and `containerbase/node-prebuild` binaries used during lockfile maintenance.
|
||||
7. **Store it as a repo secret named `GITHUBCOM_TOKEN`** (Gitea reserves the `GITHUB_*` secret namespace for the built-in `${{ github.* }}` context, so an underscore between `GITHUB` and `COM` is rejected).
|
||||
8. **Sign out and forget both tokens locally.** They are now only retrievable via the secret store.
|
||||
|
||||
To **rotate** the PAT: regenerate at step 3, update the secret at step 4. The schedule keeps running unattended with the new token.
|
||||
To **rotate** either token: regenerate at the matching step, update the secret. The schedule keeps running unattended.
|
||||
|
||||
### Triggering manually
|
||||
|
||||
|
||||
Reference in New Issue
Block a user