diff --git a/.gitea/workflows/renovate.yml b/.gitea/workflows/renovate.yml index 2ac261d..6ff887b 100644 --- a/.gitea/workflows/renovate.yml +++ b/.gitea/workflows/renovate.yml @@ -6,6 +6,18 @@ # repo root. This workflow only controls *when* Renovate runs and how # it authenticates against Gitea. # +# Implementation note — we run the official `renovate/renovate` Docker +# image directly via `docker run` rather than the `renovatebot/github- +# action` wrapper. The wrapper relies on act_runner being able to +# resolve arbitrary GitHub tags via go-git, which is brittle (we hit +# `reference not found` on `@v40`). Going straight to the image: +# * decouples from action-tag resolution issues; +# * pins the Renovate runtime version explicitly (reproducible); +# * one fewer layer of indirection to debug. +# +# Renovate clones the repo itself using RENOVATE_TOKEN — no +# `actions/checkout` step, no host bind-mount needed. +# # Authentication: a Gitea Personal Access Token issued for the dedicated # `apf-portal-bot` user, stored as the RENOVATE_TOKEN secret. The full # bot-onboarding procedure lives in docs/development.md → "Dependency @@ -26,12 +38,22 @@ jobs: renovate: runs-on: [self-hosted, on-prem] steps: - - uses: renovatebot/github-action@v40 - with: - token: ${{ secrets.RENOVATE_TOKEN }} - configurationFile: renovate.json + - name: Run Renovate + # Pin to the major; the bot will propose its own bumps once + # it is healthy (Renovate self-updates the workflow files it + # finds in the repo it manages). + run: | + docker run --rm \ + --name "renovate-${{ github.run_id }}" \ + -e RENOVATE_TOKEN \ + -e RENOVATE_PLATFORM \ + -e RENOVATE_ENDPOINT \ + -e RENOVATE_AUTODISCOVER \ + -e RENOVATE_REPOSITORIES \ + -e LOG_LEVEL \ + renovate/renovate:40 env: - # Tell Renovate this is Gitea, not GitHub. + RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }} RENOVATE_PLATFORM: gitea # Gitea API endpoint — derived from the workflow's own server # URL so a Gitea → GitLab migration only requires changing