# Per ADR-0015 (CI/CD on Gitea Actions). Scheduled invocation of # Renovate Bot, which proposes dependency updates as PRs against main. # # Configuration of the *bot's behaviour* (groupings, schedules, labels, # auto-merge, vulnerability sources) lives in /renovate.json at the # repo root. This workflow only controls *when* Renovate runs and how # it authenticates against Gitea. # # Authentication: a Gitea Personal Access Token issued for the dedicated # `apf-portal-bot` user, stored as the RENOVATE_TOKEN secret. The full # bot-onboarding procedure lives in docs/development.md → "Dependency # updates (Renovate)". name: Renovate on: schedule: # Daily 03:00 UTC — outside working hours, no contention with PR CI. # Picked specifically to sit inside Renovate's default # `lockFileMaintenance.schedule` window of "before 4am on Monday", # so Monday's run also triggers the weekly lockfile refresh. - cron: '0 3 * * *' workflow_dispatch: jobs: renovate: runs-on: [self-hosted, on-prem] steps: - uses: renovatebot/github-action@v40 with: token: ${{ secrets.RENOVATE_TOKEN }} configurationFile: renovate.json env: # Tell Renovate this is Gitea, not GitHub. RENOVATE_PLATFORM: gitea # Gitea API endpoint — derived from the workflow's own server # URL so a Gitea → GitLab migration only requires changing # github.server_url at the platform level (matches the # CLAUDE.md rule about not hardcoding the project name / # forge details outside repo metadata). RENOVATE_ENDPOINT: ${{ github.server_url }}/api/v1/ # Don't crawl the whole instance — only this repo. RENOVATE_AUTODISCOVER: 'false' RENOVATE_REPOSITORIES: ${{ github.repository }} LOG_LEVEL: info