Files
apf_portal/.gitea/workflows/renovate.yml
T
Julien Gautier 181fb1d4dd
CI / commits (pull_request) Successful in 2m19s
CI / scan (pull_request) Failing after 2m30s
CI / check (pull_request) Successful in 2m37s
CI / a11y (pull_request) Successful in 2m19s
CI / perf (pull_request) Successful in 4m1s
fix(ci): give Renovate a git identity and a github.com token
First end-to-end Renovate run (after switching to direct docker run)
extracted dependencies but failed to commit any update branches with
`fatal: empty ident name not allowed`, then aborted the repo with
`Lock file error - aborting`. Two root causes:

- The bot user had an email but no Full Name on its Gitea profile,
  so Renovate could not derive a complete git author identity. After
  enough commit failures Renovate gives up on the repository.
- Renovate also warned `GitHub token is required for some
  dependencies` and could not resolve `containerbase/node-prebuild`
  releases (the Node binary it pulls dynamically for lockfile
  maintenance) — anonymous github.com rate limit (60 req/h) was the
  bottleneck.

Fixes:

1. Pin `gitAuthor` explicitly in `renovate.json` so the identity does
   not depend on out-of-band Gitea profile state. The Full Name was
   also set on the bot profile for consistency with Gitea's UI.
2. Pass `RENOVATE_GITHUB_COM_TOKEN` from a repo secret. The secret is
   named `GITHUBCOM_TOKEN` (no underscore between GITHUB and COM)
   because Gitea reserves the `GITHUB_*` secret namespace for the
   built-in `${{ github.* }}` context. The token is a zero-scope
   PAT — anonymous-equivalent rights, only useful for the higher
   authenticated rate limit (5 000 req/h).

`docs/development.md` is updated with the new bot-onboarding steps
(Full Name, GITHUBCOM_TOKEN setup).
2026-05-05 13:25:10 +02:00

77 lines
3.4 KiB
YAML

# Per ADR-0015 (CI/CD on Gitea Actions). Scheduled invocation of
# Renovate Bot, which proposes dependency updates as PRs against main.
#
# Configuration of the *bot's behaviour* (groupings, schedules, labels,
# auto-merge, vulnerability sources) lives in /renovate.json at the
# repo root. This workflow only controls *when* Renovate runs and how
# it authenticates against Gitea.
#
# Implementation note — we run the official `renovate/renovate` Docker
# image directly via `docker run` rather than the `renovatebot/github-
# action` wrapper. The wrapper relies on act_runner being able to
# resolve arbitrary GitHub tags via go-git, which is brittle (we hit
# `reference not found` on `@v40`). Going straight to the image:
# * decouples from action-tag resolution issues;
# * pins the Renovate runtime version explicitly (reproducible);
# * one fewer layer of indirection to debug.
#
# Renovate clones the repo itself using RENOVATE_TOKEN — no
# `actions/checkout` step, no host bind-mount needed.
#
# Authentication: a Gitea Personal Access Token issued for the dedicated
# `apf-portal-bot` user, stored as the RENOVATE_TOKEN secret. The full
# bot-onboarding procedure lives in docs/development.md → "Dependency
# updates (Renovate)".
name: Renovate
on:
schedule:
# Daily 03:00 UTC — outside working hours, no contention with PR CI.
# Picked specifically to sit inside Renovate's default
# `lockFileMaintenance.schedule` window of "before 4am on Monday",
# so Monday's run also triggers the weekly lockfile refresh.
- cron: '0 3 * * *'
workflow_dispatch:
jobs:
renovate:
runs-on: [self-hosted, on-prem]
steps:
- name: Run Renovate
# Pin to the major; the bot will propose its own bumps once
# it is healthy (Renovate self-updates the workflow files it
# finds in the repo it manages).
run: |
docker run --rm \
--name "renovate-${{ github.run_id }}" \
-e RENOVATE_TOKEN \
-e RENOVATE_PLATFORM \
-e RENOVATE_ENDPOINT \
-e RENOVATE_AUTODISCOVER \
-e RENOVATE_REPOSITORIES \
-e RENOVATE_GITHUB_COM_TOKEN \
-e LOG_LEVEL \
renovate/renovate:40
env:
RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
RENOVATE_PLATFORM: gitea
# Gitea API endpoint — derived from the workflow's own server
# URL so a Gitea → GitLab migration only requires changing
# github.server_url at the platform level (matches the
# CLAUDE.md rule about not hardcoding the project name /
# forge details outside repo metadata).
RENOVATE_ENDPOINT: ${{ github.server_url }}/api/v1/
# Don't crawl the whole instance — only this repo.
RENOVATE_AUTODISCOVER: 'false'
RENOVATE_REPOSITORIES: ${{ github.repository }}
# Read-only authenticated GitHub.com token (zero-scope PAT) so
# Renovate can resolve versions of GitHub-hosted Actions and
# the `containerbase/node-prebuild` binaries it uses for
# lockfile maintenance, without hitting the 60 req/h
# anonymous rate limit. Stored under GITHUBCOM_TOKEN (no
# underscore) because Gitea reserves the GITHUB_* secret
# namespace for its built-in `${{ github.* }}` context.
RENOVATE_GITHUB_COM_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
LOG_LEVEL: info