fix(ci): give Renovate a git identity and a github.com token #13

Merged
julien merged 1 commits from fix/ci/renovate-author-and-github-token into main 2026-05-05 13:47:31 +02:00
3 changed files with 18 additions and 5 deletions
Showing only changes of commit 181fb1d4dd - Show all commits
+9
View File
@@ -50,6 +50,7 @@ jobs:
-e RENOVATE_ENDPOINT \
-e RENOVATE_AUTODISCOVER \
-e RENOVATE_REPOSITORIES \
-e RENOVATE_GITHUB_COM_TOKEN \
-e LOG_LEVEL \
renovate/renovate:40
env:
@@ -64,4 +65,12 @@ jobs:
# Don't crawl the whole instance — only this repo.
RENOVATE_AUTODISCOVER: 'false'
RENOVATE_REPOSITORIES: ${{ github.repository }}
# Read-only authenticated GitHub.com token (zero-scope PAT) so
# Renovate can resolve versions of GitHub-hosted Actions and
# the `containerbase/node-prebuild` binaries it uses for
# lockfile maintenance, without hitting the 60 req/h
# anonymous rate limit. Stored under GITHUBCOM_TOKEN (no
# underscore) because Gitea reserves the GITHUB_* secret
# namespace for its built-in `${{ github.* }}` context.
RENOVATE_GITHUB_COM_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
LOG_LEVEL: info
+8 -5
View File
@@ -228,12 +228,15 @@ Behaviour is controlled by [`renovate.json`](../renovate.json) at the repo root:
Renovate authenticates as a dedicated bot user. Setup is manual on Gitea — done once per Gitea instance, then the workflow runs unattended.
1. **Create a bot user.** Site Administration → Users → Create User. Suggested name: `apf-portal-bot`. Strong password, mark as **non-admin** (least privilege).
2. **Add the bot as a collaborator** on this repo with **Write** access (Settings → Collaborators). Without write, Renovate can't push branches.
3. **Generate a PAT for the bot.** Sign in as the bot, then User Settings → Applications → Generate New Token. Scopes needed: read/write `repository`, read/write `issue`, read `user`. Avoid `admin`.
4. **Store the PAT as a repo secret.** Settings → Actions → Secrets → New Secret. Name: `RENOVATE_TOKEN`. Value: the token from step 3.
5. **Sign out and forget the token locally.** It is now only retrievable via the secret store.
2. **Set the bot's Full Name** in its Gitea profile (User Settings → Profile → Full Name, e.g. `APF Portal Bot`). Without it, Renovate's git commits fail with `empty ident name not allowed`. The `gitAuthor` in `renovate.json` is the explicit override, but keeping the profile value consistent avoids confusion when reading commit history in Gitea's UI.
3. **Add the bot as a collaborator** on this repo with **Write** access (Settings → Collaborators). Without write, Renovate can't push branches.
4. **Generate a PAT for the bot** (`RENOVATE_TOKEN`). Sign in as the bot, then User Settings → Applications → Generate New Token. Scopes needed: read/write `repository`, read/write `issue`, read `user`. Avoid `admin`.
5. **Store the PAT as a repo secret.** Settings → Actions → Secrets → New Secret. Name: `RENOVATE_TOKEN`. Value: the token from step 4.
6. **Generate a zero-scope GitHub.com PAT** (`GITHUBCOM_TOKEN`). On github.com (any account, e.g. yours): Settings → Developer settings → Personal access tokens → Tokens (classic) → Generate new token (classic). **Do not tick any scope** — anonymous-equivalent rights are enough; the token only buys Renovate the higher authenticated rate limit (5 000 req/h vs 60 req/h) for resolving GitHub-hosted Action versions and `containerbase/node-prebuild` binaries used during lockfile maintenance.
7. **Store it as a repo secret named `GITHUBCOM_TOKEN`** (Gitea reserves the `GITHUB_*` secret namespace for the built-in `${{ github.* }}` context, so an underscore between `GITHUB` and `COM` is rejected).
8. **Sign out and forget both tokens locally.** They are now only retrievable via the secret store.
To **rotate** the PAT: regenerate at step 3, update the secret at step 4. The schedule keeps running unattended with the new token.
To **rotate** either token: regenerate at the matching step, update the secret. The schedule keeps running unattended.
### Triggering manually
+1
View File
@@ -1,6 +1,7 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"],
"gitAuthor": "APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>",
"dependencyDashboard": true,
"dependencyDashboardTitle": "Renovate Dependency Dashboard",
"labels": ["dependencies"],