fix(ci): give Renovate a git identity and a github.com token #13

Merged
julien merged 1 commits from fix/ci/renovate-author-and-github-token into main 2026-05-05 13:47:31 +02:00
Owner

Summary

First successful Renovate run (after the docker-image fix in #12) extracted 116 deps cleanly but every branch update failed with fatal: empty ident name not allowed, then the whole repo aborted on Lock file error - aborting. Two root causes:

  • No git identity — the bot user had an email but no Full Name on its Gitea profile, so Renovate produced incomplete git authorship.
  • No github.com auth — Renovate could not look up versions of GitHub-hosted Actions (actions/checkout, etc.) or containerbase/node-prebuild (the Node binary it dynamically fetches for lockfile maintenance) — anonymous rate limit (60 req/h) hit.

Fixes:

  1. renovate.json — pin gitAuthor explicitly. The Full Name was also set on the bot's Gitea profile for UI consistency, but the override in config means we don't depend on out-of-band UI state.
  2. .gitea/workflows/renovate.yml — pass RENOVATE_GITHUB_COM_TOKEN from the new GITHUBCOM_TOKEN repo secret (no underscore between GITHUB and COM — Gitea reserves the GITHUB_* namespace).
  3. docs/development.md — onboarding procedure now covers both tokens + the Full Name step.

Manual setup required after merge

Already done in this iteration:

  • Bot's Full Name set in Gitea ("APF Portal Bot").
  • GITHUBCOM_TOKEN repo secret created with a zero-scope github.com PAT.

(If the PAT was leaked during setup, regenerate before merging — the workflow only references the secret name, not the value.)

Test plan

  • After merge, trigger Renovate manually (Actions → Renovate → Run workflow).
  • No empty ident name warning in the logs.
  • No Lock file error - aborting; repo finishes with INFO: Repository finished … "cloned": true.
  • Renovate creates the dependency dashboard issue + the first batch of grouped PRs (Angular, Nx, NestJS, Prisma, …) signed by apf-portal-bot.
## Summary First successful Renovate run (after the docker-image fix in #12) extracted 116 deps cleanly but every branch update failed with `fatal: empty ident name not allowed`, then the whole repo aborted on `Lock file error - aborting`. Two root causes: - **No git identity** — the bot user had an email but no **Full Name** on its Gitea profile, so Renovate produced incomplete git authorship. - **No github.com auth** — Renovate could not look up versions of GitHub-hosted Actions (`actions/checkout`, etc.) or `containerbase/node-prebuild` (the Node binary it dynamically fetches for lockfile maintenance) — anonymous rate limit (60 req/h) hit. Fixes: 1. **`renovate.json`** — pin `gitAuthor` explicitly. The Full Name was also set on the bot's Gitea profile for UI consistency, but the override in config means we don't depend on out-of-band UI state. 2. **`.gitea/workflows/renovate.yml`** — pass `RENOVATE_GITHUB_COM_TOKEN` from the new `GITHUBCOM_TOKEN` repo secret (no underscore between GITHUB and COM — Gitea reserves the `GITHUB_*` namespace). 3. **`docs/development.md`** — onboarding procedure now covers both tokens + the Full Name step. ## Manual setup required after merge Already done in this iteration: - Bot's Full Name set in Gitea ("APF Portal Bot"). - `GITHUBCOM_TOKEN` repo secret created with a zero-scope github.com PAT. (If the PAT was leaked during setup, regenerate before merging — the workflow only references the secret name, not the value.) ## Test plan - [ ] After merge, trigger Renovate manually (Actions → Renovate → Run workflow). - [ ] No `empty ident name` warning in the logs. - [ ] No `Lock file error - aborting`; repo finishes with `INFO: Repository finished … "cloned": true`. - [ ] Renovate creates the dependency dashboard issue + the first batch of grouped PRs (Angular, Nx, NestJS, Prisma, …) signed by `apf-portal-bot`.
julien added 1 commit 2026-05-05 13:46:52 +02:00
fix(ci): give Renovate a git identity and a github.com token
CI / commits (pull_request) Successful in 2m19s
CI / scan (pull_request) Failing after 2m30s
CI / check (pull_request) Successful in 2m37s
CI / a11y (pull_request) Successful in 2m19s
CI / perf (pull_request) Successful in 4m1s
181fb1d4dd
First end-to-end Renovate run (after switching to direct docker run)
extracted dependencies but failed to commit any update branches with
`fatal: empty ident name not allowed`, then aborted the repo with
`Lock file error - aborting`. Two root causes:

- The bot user had an email but no Full Name on its Gitea profile,
  so Renovate could not derive a complete git author identity. After
  enough commit failures Renovate gives up on the repository.
- Renovate also warned `GitHub token is required for some
  dependencies` and could not resolve `containerbase/node-prebuild`
  releases (the Node binary it pulls dynamically for lockfile
  maintenance) — anonymous github.com rate limit (60 req/h) was the
  bottleneck.

Fixes:

1. Pin `gitAuthor` explicitly in `renovate.json` so the identity does
   not depend on out-of-band Gitea profile state. The Full Name was
   also set on the bot profile for consistency with Gitea's UI.
2. Pass `RENOVATE_GITHUB_COM_TOKEN` from a repo secret. The secret is
   named `GITHUBCOM_TOKEN` (no underscore between GITHUB and COM)
   because Gitea reserves the `GITHUB_*` secret namespace for the
   built-in `${{ github.* }}` context. The token is a zero-scope
   PAT — anonymous-equivalent rights, only useful for the higher
   authenticated rate limit (5 000 req/h).

`docs/development.md` is updated with the new bot-onboarding steps
(Full Name, GITHUBCOM_TOKEN setup).
julien merged commit f58cf13e33 into main 2026-05-05 13:47:31 +02:00
julien deleted branch fix/ci/renovate-author-and-github-token 2026-05-05 13:47:31 +02:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: julien/apf_portal#13