fix(ci): run Renovate via official Docker image (#12)
## Summary
First Renovate run failed with `reference not found` on `renovatebot/github-action@v40` — act_runner's go-git clone couldn't resolve the major-rolling tag (whether the upstream tag is missing or it's a go-git tag-fetch quirk doesn't really matter — the wrapper action is the wrong layer to fight).
Switch to invoking the official `renovate/renovate:40` Docker image directly. The job container already has the host Docker socket mounted (per `ci-runners.compose.yml`), so the sibling `docker run` works out of the box. Renovate clones the target repo itself via API + token, so no `actions/checkout` or bind-mount is needed.
Net result:
- Decoupled from third-party action-tag resolution.
- Renovate runtime version explicitly pinned (reproducible).
- One fewer indirection to debug.
## Test plan
- [ ] After merge, trigger the workflow manually (Actions → Renovate → Run workflow).
- [ ] Job pulls `renovate/renovate:40` (~1 GB, one-time on this runner host) and runs without "reference not found".
- [ ] Renovate creates the onboarding PR ("Configure Renovate") visible in the repo's PR list, signed by `apf-portal-bot`.
---------
Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #12
This commit was merged in pull request #12.
This commit is contained in:
@@ -6,6 +6,18 @@
|
||||
# repo root. This workflow only controls *when* Renovate runs and how
|
||||
# it authenticates against Gitea.
|
||||
#
|
||||
# Implementation note — we run the official `renovate/renovate` Docker
|
||||
# image directly via `docker run` rather than the `renovatebot/github-
|
||||
# action` wrapper. The wrapper relies on act_runner being able to
|
||||
# resolve arbitrary GitHub tags via go-git, which is brittle (we hit
|
||||
# `reference not found` on `@v40`). Going straight to the image:
|
||||
# * decouples from action-tag resolution issues;
|
||||
# * pins the Renovate runtime version explicitly (reproducible);
|
||||
# * one fewer layer of indirection to debug.
|
||||
#
|
||||
# Renovate clones the repo itself using RENOVATE_TOKEN — no
|
||||
# `actions/checkout` step, no host bind-mount needed.
|
||||
#
|
||||
# Authentication: a Gitea Personal Access Token issued for the dedicated
|
||||
# `apf-portal-bot` user, stored as the RENOVATE_TOKEN secret. The full
|
||||
# bot-onboarding procedure lives in docs/development.md → "Dependency
|
||||
@@ -26,12 +38,22 @@ jobs:
|
||||
renovate:
|
||||
runs-on: [self-hosted, on-prem]
|
||||
steps:
|
||||
- uses: renovatebot/github-action@v40
|
||||
with:
|
||||
token: ${{ secrets.RENOVATE_TOKEN }}
|
||||
configurationFile: renovate.json
|
||||
- name: Run Renovate
|
||||
# Pin to the major; the bot will propose its own bumps once
|
||||
# it is healthy (Renovate self-updates the workflow files it
|
||||
# finds in the repo it manages).
|
||||
run: |
|
||||
docker run --rm \
|
||||
--name "renovate-${{ github.run_id }}" \
|
||||
-e RENOVATE_TOKEN \
|
||||
-e RENOVATE_PLATFORM \
|
||||
-e RENOVATE_ENDPOINT \
|
||||
-e RENOVATE_AUTODISCOVER \
|
||||
-e RENOVATE_REPOSITORIES \
|
||||
-e LOG_LEVEL \
|
||||
renovate/renovate:40
|
||||
env:
|
||||
# Tell Renovate this is Gitea, not GitHub.
|
||||
RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
|
||||
RENOVATE_PLATFORM: gitea
|
||||
# Gitea API endpoint — derived from the workflow's own server
|
||||
# URL so a Gitea → GitLab migration only requires changing
|
||||
|
||||
Reference in New Issue
Block a user