fix(ci): run Renovate via official Docker image
CI / commits (pull_request) Successful in 58s
CI / check (pull_request) Successful in 1m5s
CI / a11y (pull_request) Successful in 1m10s
CI / scan (pull_request) Failing after 3m13s
CI / perf (pull_request) Successful in 2m16s

`renovatebot/github-action@v40` failed to resolve on Gitea Actions
with `reference not found` when act_runner attempted the go-git
clone. Whether the issue is a missing major-rolling tag upstream or
a go-git tag-fetch quirk, the wrapper action is the wrong layer to
fight: it just shells out to the same `renovate/renovate` image we
can run ourselves.

Switch to a direct `docker run renovate/renovate:40` invocation:

- decouples from third-party action-tag resolution;
- pins the Renovate runtime version explicitly (reproducible);
- one fewer indirection to debug.

The job container already has access to the host Docker daemon
(per ci-runners.compose.yml mounting /var/run/docker.sock), so the
sibling `docker run` works out of the box. Renovate clones the
target repo itself using the API token, so no `actions/checkout`
or host bind-mount is needed.
This commit is contained in:
Julien Gautier
2026-05-04 18:12:07 +02:00
parent 82911f9319
commit d3fc13e467
+27 -5
View File
@@ -6,6 +6,18 @@
# repo root. This workflow only controls *when* Renovate runs and how # repo root. This workflow only controls *when* Renovate runs and how
# it authenticates against Gitea. # it authenticates against Gitea.
# #
# Implementation note — we run the official `renovate/renovate` Docker
# image directly via `docker run` rather than the `renovatebot/github-
# action` wrapper. The wrapper relies on act_runner being able to
# resolve arbitrary GitHub tags via go-git, which is brittle (we hit
# `reference not found` on `@v40`). Going straight to the image:
# * decouples from action-tag resolution issues;
# * pins the Renovate runtime version explicitly (reproducible);
# * one fewer layer of indirection to debug.
#
# Renovate clones the repo itself using RENOVATE_TOKEN — no
# `actions/checkout` step, no host bind-mount needed.
#
# Authentication: a Gitea Personal Access Token issued for the dedicated # Authentication: a Gitea Personal Access Token issued for the dedicated
# `apf-portal-bot` user, stored as the RENOVATE_TOKEN secret. The full # `apf-portal-bot` user, stored as the RENOVATE_TOKEN secret. The full
# bot-onboarding procedure lives in docs/development.md → "Dependency # bot-onboarding procedure lives in docs/development.md → "Dependency
@@ -26,12 +38,22 @@ jobs:
renovate: renovate:
runs-on: [self-hosted, on-prem] runs-on: [self-hosted, on-prem]
steps: steps:
- uses: renovatebot/github-action@v40 - name: Run Renovate
with: # Pin to the major; the bot will propose its own bumps once
token: ${{ secrets.RENOVATE_TOKEN }} # it is healthy (Renovate self-updates the workflow files it
configurationFile: renovate.json # finds in the repo it manages).
run: |
docker run --rm \
--name "renovate-${{ github.run_id }}" \
-e RENOVATE_TOKEN \
-e RENOVATE_PLATFORM \
-e RENOVATE_ENDPOINT \
-e RENOVATE_AUTODISCOVER \
-e RENOVATE_REPOSITORIES \
-e LOG_LEVEL \
renovate/renovate:40
env: env:
# Tell Renovate this is Gitea, not GitHub. RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
RENOVATE_PLATFORM: gitea RENOVATE_PLATFORM: gitea
# Gitea API endpoint — derived from the workflow's own server # Gitea API endpoint — derived from the workflow's own server
# URL so a Gitea → GitLab migration only requires changing # URL so a Gitea → GitLab migration only requires changing