From f58cf13e330c93e017d104786e839e3b66c7cd7d Mon Sep 17 00:00:00 2001 From: julien Date: Tue, 5 May 2026 13:47:30 +0200 Subject: [PATCH] fix(ci): give Renovate a git identity and a github.com token (#13) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary First successful Renovate run (after the docker-image fix in #12) extracted 116 deps cleanly but every branch update failed with `fatal: empty ident name not allowed`, then the whole repo aborted on `Lock file error - aborting`. Two root causes: - **No git identity** — the bot user had an email but no **Full Name** on its Gitea profile, so Renovate produced incomplete git authorship. - **No github.com auth** — Renovate could not look up versions of GitHub-hosted Actions (`actions/checkout`, etc.) or `containerbase/node-prebuild` (the Node binary it dynamically fetches for lockfile maintenance) — anonymous rate limit (60 req/h) hit. Fixes: 1. **`renovate.json`** — pin `gitAuthor` explicitly. The Full Name was also set on the bot's Gitea profile for UI consistency, but the override in config means we don't depend on out-of-band UI state. 2. **`.gitea/workflows/renovate.yml`** — pass `RENOVATE_GITHUB_COM_TOKEN` from the new `GITHUBCOM_TOKEN` repo secret (no underscore between GITHUB and COM — Gitea reserves the `GITHUB_*` namespace). 3. **`docs/development.md`** — onboarding procedure now covers both tokens + the Full Name step. ## Manual setup required after merge Already done in this iteration: - Bot's Full Name set in Gitea ("APF Portal Bot"). - `GITHUBCOM_TOKEN` repo secret created with a zero-scope github.com PAT. (If the PAT was leaked during setup, regenerate before merging — the workflow only references the secret name, not the value.) ## Test plan - [ ] After merge, trigger Renovate manually (Actions → Renovate → Run workflow). - [ ] No `empty ident name` warning in the logs. - [ ] No `Lock file error - aborting`; repo finishes with `INFO: Repository finished … "cloned": true`. - [ ] Renovate creates the dependency dashboard issue + the first batch of grouped PRs (Angular, Nx, NestJS, Prisma, …) signed by `apf-portal-bot`. --------- Co-authored-by: Julien Gautier Reviewed-on: https://git.unespace.com/julien/apf_portal/pulls/13 --- .gitea/workflows/renovate.yml | 9 +++++++++ docs/development.md | 13 ++++++++----- renovate.json | 1 + 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/.gitea/workflows/renovate.yml b/.gitea/workflows/renovate.yml index 6ff887b..89848a4 100644 --- a/.gitea/workflows/renovate.yml +++ b/.gitea/workflows/renovate.yml @@ -50,6 +50,7 @@ jobs: -e RENOVATE_ENDPOINT \ -e RENOVATE_AUTODISCOVER \ -e RENOVATE_REPOSITORIES \ + -e RENOVATE_GITHUB_COM_TOKEN \ -e LOG_LEVEL \ renovate/renovate:40 env: @@ -64,4 +65,12 @@ jobs: # Don't crawl the whole instance — only this repo. RENOVATE_AUTODISCOVER: 'false' RENOVATE_REPOSITORIES: ${{ github.repository }} + # Read-only authenticated GitHub.com token (zero-scope PAT) so + # Renovate can resolve versions of GitHub-hosted Actions and + # the `containerbase/node-prebuild` binaries it uses for + # lockfile maintenance, without hitting the 60 req/h + # anonymous rate limit. Stored under GITHUBCOM_TOKEN (no + # underscore) because Gitea reserves the GITHUB_* secret + # namespace for its built-in `${{ github.* }}` context. + RENOVATE_GITHUB_COM_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }} LOG_LEVEL: info diff --git a/docs/development.md b/docs/development.md index 9005256..cd1da10 100644 --- a/docs/development.md +++ b/docs/development.md @@ -228,12 +228,15 @@ Behaviour is controlled by [`renovate.json`](../renovate.json) at the repo root: Renovate authenticates as a dedicated bot user. Setup is manual on Gitea — done once per Gitea instance, then the workflow runs unattended. 1. **Create a bot user.** Site Administration → Users → Create User. Suggested name: `apf-portal-bot`. Strong password, mark as **non-admin** (least privilege). -2. **Add the bot as a collaborator** on this repo with **Write** access (Settings → Collaborators). Without write, Renovate can't push branches. -3. **Generate a PAT for the bot.** Sign in as the bot, then User Settings → Applications → Generate New Token. Scopes needed: read/write `repository`, read/write `issue`, read `user`. Avoid `admin`. -4. **Store the PAT as a repo secret.** Settings → Actions → Secrets → New Secret. Name: `RENOVATE_TOKEN`. Value: the token from step 3. -5. **Sign out and forget the token locally.** It is now only retrievable via the secret store. +2. **Set the bot's Full Name** in its Gitea profile (User Settings → Profile → Full Name, e.g. `APF Portal Bot`). Without it, Renovate's git commits fail with `empty ident name not allowed`. The `gitAuthor` in `renovate.json` is the explicit override, but keeping the profile value consistent avoids confusion when reading commit history in Gitea's UI. +3. **Add the bot as a collaborator** on this repo with **Write** access (Settings → Collaborators). Without write, Renovate can't push branches. +4. **Generate a PAT for the bot** (`RENOVATE_TOKEN`). Sign in as the bot, then User Settings → Applications → Generate New Token. Scopes needed: read/write `repository`, read/write `issue`, read `user`. Avoid `admin`. +5. **Store the PAT as a repo secret.** Settings → Actions → Secrets → New Secret. Name: `RENOVATE_TOKEN`. Value: the token from step 4. +6. **Generate a zero-scope GitHub.com PAT** (`GITHUBCOM_TOKEN`). On github.com (any account, e.g. yours): Settings → Developer settings → Personal access tokens → Tokens (classic) → Generate new token (classic). **Do not tick any scope** — anonymous-equivalent rights are enough; the token only buys Renovate the higher authenticated rate limit (5 000 req/h vs 60 req/h) for resolving GitHub-hosted Action versions and `containerbase/node-prebuild` binaries used during lockfile maintenance. +7. **Store it as a repo secret named `GITHUBCOM_TOKEN`** (Gitea reserves the `GITHUB_*` secret namespace for the built-in `${{ github.* }}` context, so an underscore between `GITHUB` and `COM` is rejected). +8. **Sign out and forget both tokens locally.** They are now only retrievable via the secret store. -To **rotate** the PAT: regenerate at step 3, update the secret at step 4. The schedule keeps running unattended with the new token. +To **rotate** either token: regenerate at the matching step, update the secret. The schedule keeps running unattended. ### Triggering manually diff --git a/renovate.json b/renovate.json index 9a60c5c..3b1284f 100644 --- a/renovate.json +++ b/renovate.json @@ -1,6 +1,7 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": ["config:recommended"], + "gitAuthor": "APF Portal Bot ", "dependencyDashboard": true, "dependencyDashboardTitle": "Renovate Dependency Dashboard", "labels": ["dependencies"],