GitHub Action to run Renovate self-hosted.
Badge | Description | Service |
---|---|---|
Code style | Prettier | |
Commit style | Conventional Commits | |
Dependencies | Renovate | |
Build | GitHub Actions | |
Example | GitHub Actions |
Options can be passed using the inputs of this action or the corresponding environment variables. When both are passed, the input takes precedence over the environment variable. For the available environment variables see the Renovate Self-Hosted Configuration docs.
Configuration file to configure Renovate. The supported configurations files can be one of the configuration files listed in the Renovate Docs for Configuration Options or a JavaScript file that exports a configuration object. For both of these options, an example can be found in the example directory.
The configurations that can be done in this file consists of two parts, as listed below. Refer to the links to the Renovate Docs for all options.
The branchPrefix
option is important to configure and should be configured to a value other than the default to prevent interference with e.g. the Renovate GitHub App.
If you want to use this with just the single configuration file, make sure to include the following two configuration lines. This disables the requirement of a configuration file for the repository and disables onboarding.
onboarding: false,
requireConfig: false,
Generate a personal access token, with the repo:public_repo
scope for only public repositories or the repo
scope for public and private repositories, and add it to Secrets (repository settings) as RENOVATE_TOKEN
. You can also create a token without a specific scope, which gives read-only access to public repositories, for testing. This token is only used by Renovate, see the token configuration, and gives it access to the repositories. The name of the secret can be anything as long as it matches the argument given to the token
option.
Note that the GITHUB_TOKEN
secret can't be used for authenticating Renovate because it has too restrictive permissions. In particular, using the GITHUB_TOKEN
to create a new Pull Request
from more types of Github Workflows results in Pull Requests
that do not trigger your Pull Request
and Push
CI events.
If you want to use the github-actions
manager, you must setup a special token with some requirements.
This example uses a personal access token and will run every 15 minutes. The personal access token is configured as a GitHub secret named RENOVATE_TOKEN
. This example uses the example/renovate-config.js
file as configuration.
You can also see a live example of this action in my github-renovate repository, which also includes a more advanced configuration for updating GitHub Action workflows.
Remark Update the action version to the most current, see here for latest release.
name: Renovate
on:
schedule:
# The "*" (#42, asterisk) character has special semantics in YAML, so this
# string has to be quoted.
- cron: '0/15 * * * *'
jobs:
renovate:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/[email protected]
- name: Self-hosted Renovate
uses: renovatebot/[email protected]
with:
configurationFile: example/renovate-config.js
token: ${{ secrets.RENOVATE_TOKEN }}
Instead of using a Personal Access Token (PAT) that is tied to a particular user you can use a GitHub App where permissions can be even better tuned. Create a new app and give it the following permissions:
Permission | Level |
---|---|
Contents |
Read & write |
Metadata |
Read-only |
Pull requests |
Read & write |
Store the app ID as a secret with name APP_ID
and generate a new private key for the app and add it as a secret to the repository as APP_PEM
in the repository where the action will run from. Note that APP_PEM
needs to be base64 encoded. You can encode your private key file like this from the terminal:
cat your_app_key.pem | base64 -w 0 && echo
Going forward we will be using the machine-learning-apps/actions-app-token action in order to exchange the GitHub App certificate for an access token that renovate can use.
The final workflow will look like this:
name: Renovate
on:
schedule:
# The "*" (#42, asterisk) character has special semantics in YAML, so this
# string has to be quoted.
- cron: '0/15 * * * *'
jobs:
renovate:
runs-on: ubuntu-latest
steps:
- name: Get token
id: get_token
uses: machine-learning-apps/actions-app-token@master
with:
APP_PEM: ${{ secrets.APP_PEM }}
APP_ID: ${{ secrets.APP_ID }}
- name: Checkout
uses: actions/[email protected]
- name: Self-hosted Renovate
uses: renovatebot/[email protected]
with:
configurationFile: example/renovate-config.js
token: 'x-access-token:${{ steps.get_token.outputs.app_token }}'
In case of issues, it's always a good idea to enable debug logging first.
To enable debug logging, add the environment variable LOG_LEVEL: 'debug'
to the action:
- name: Self-hosted Renovate
uses: renovatebot/[email protected]
with:
configurationFile: example/renovate-config.js
token: ${{ secrets.RENOVATE_TOKEN }}
env:
LOG_LEVEL: 'debug'
If you want to use the github-actions
manager in Renovate, ensure that the token
you provide contains the workflow
scope.
Otherwise, GitHub does not allow Renovate to update worklow files and therefore it will be unable to create update PRs for affected packages (like actions/checkout
or renovatebot/github-action
itself).