fix(ci): give Renovate a git identity and a github.com token #13
Reference in New Issue
Block a user
Delete Branch "fix/ci/renovate-author-and-github-token"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
First successful Renovate run (after the docker-image fix in #12) extracted 116 deps cleanly but every branch update failed with
fatal: empty ident name not allowed, then the whole repo aborted onLock file error - aborting. Two root causes:actions/checkout, etc.) orcontainerbase/node-prebuild(the Node binary it dynamically fetches for lockfile maintenance) — anonymous rate limit (60 req/h) hit.Fixes:
renovate.json— pingitAuthorexplicitly. The Full Name was also set on the bot's Gitea profile for UI consistency, but the override in config means we don't depend on out-of-band UI state..gitea/workflows/renovate.yml— passRENOVATE_GITHUB_COM_TOKENfrom the newGITHUBCOM_TOKENrepo secret (no underscore between GITHUB and COM — Gitea reserves theGITHUB_*namespace).docs/development.md— onboarding procedure now covers both tokens + the Full Name step.Manual setup required after merge
Already done in this iteration:
GITHUBCOM_TOKENrepo secret created with a zero-scope github.com PAT.(If the PAT was leaked during setup, regenerate before merging — the workflow only references the secret name, not the value.)
Test plan
empty ident namewarning in the logs.Lock file error - aborting; repo finishes withINFO: Repository finished … "cloned": true.apf-portal-bot.First end-to-end Renovate run (after switching to direct docker run) extracted dependencies but failed to commit any update branches with `fatal: empty ident name not allowed`, then aborted the repo with `Lock file error - aborting`. Two root causes: - The bot user had an email but no Full Name on its Gitea profile, so Renovate could not derive a complete git author identity. After enough commit failures Renovate gives up on the repository. - Renovate also warned `GitHub token is required for some dependencies` and could not resolve `containerbase/node-prebuild` releases (the Node binary it pulls dynamically for lockfile maintenance) — anonymous github.com rate limit (60 req/h) was the bottleneck. Fixes: 1. Pin `gitAuthor` explicitly in `renovate.json` so the identity does not depend on out-of-band Gitea profile state. The Full Name was also set on the bot profile for consistency with Gitea's UI. 2. Pass `RENOVATE_GITHUB_COM_TOKEN` from a repo secret. The secret is named `GITHUBCOM_TOKEN` (no underscore between GITHUB and COM) because Gitea reserves the `GITHUB_*` secret namespace for the built-in `${{ github.* }}` context. The token is a zero-scope PAT — anonymous-equivalent rights, only useful for the higher authenticated rate limit (5 000 req/h). `docs/development.md` is updated with the new bot-onboarding steps (Full Name, GITHUBCOM_TOKEN setup).