github-action
github-action copied to clipboard
renovatebot
GitHub Action Renovate
GitHub Action to run Renovate self-hosted.
Table of contents
- Badges
-
Options
-
configurationFile -
token
-
- Example
-
Troubleshooting
- Debug Logging
-
Special token requirements when using the
github-actionsmanager
Badges
| Badge | Description | Service |
|---|---|---|
 |
Code style | Prettier |
 |
Commit style | Conventional Commits |
 |
Dependencies | Renovate |
 |
Build | GitHub Actions |
 |
Example | GitHub Actions |
Options
Options can be passed using the inputs of this action or the corresponding environment variables. When both are passed, the input takes precedence over the environment variable. For the available environment variables see the Renovate Self-Hosted Configuration docs.
configurationFile
Configuration file to configure Renovate. The supported configurations files can be one of the configuration files listed in the Renovate Docs for Configuration Options or a JavaScript file that exports a configuration object. For both of these options, an example can be found in the example directory.
The configurations that can be done in this file consists of two parts, as listed below. Refer to the links to the Renovate Docs for all options.
The branchPrefix option is important to configure and should be configured to a value other than the default to prevent interference with e.g. the Renovate GitHub App.
If you want to use this with just the single configuration file, make sure to include the following two configuration lines. This disables the requirement of a configuration file for the repository and disables onboarding.
onboarding: false,
requireConfig: false,
token
Generate a personal access token, with the repo:public_repo scope for only public repositories or the repo scope for public and private repositories, and add it to Secrets (repository settings) as RENOVATE_TOKEN. You can also create a token without a specific scope, which gives read-only access to public repositories, for testing. This token is only used by Renovate, see the token configuration, and gives it access to the repositories. The name of the secret can be anything as long as it matches the argument given to the token option.
Note that the GITHUB_TOKEN secret can't be used for authenticating Renovate.
If you want to use the github-actions manager, you must setup a special token with some requirements.
Example
This example uses a personal access token and will run every 15 minutes. The personal access token is configured as a GitHub secret named RENOVATE_TOKEN. This example uses the example/renovate-config.js file as configuration.
You can also see a live example of this action in my github-renovate repository, which also includes a more advanced configuration for updating GitHub Action workflows.
Remark Update the action version to the most current, see here for latest release.
name: Renovate
on:
schedule:
# The "*" (#42, asterisk) character has special semantics in YAML, so this
# string has to be quoted.
- cron: '0/15 * * * *'
jobs:
renovate:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/[email protected]
- name: Self-hosted Renovate
uses: renovatebot/[email protected]
with:
configurationFile: example/renovate-config.js
token: ${{ secrets.RENOVATE_TOKEN }}
Example with GitHub App
Instead of using a Personal Access Token (PAT) that is tied to a particular user you can use a GitHub App where permissions can be even better tuned. Create a new app and give it the following permissions:
| Permission | Level |
|---|---|
Contents |
Read & write |
Metadata |
Read-only |
Pull requests |
Read & write |
Store the app ID as a secret with name APP_ID and generate a new private key for the app and add it as a secret to the repository as APP_PEM in the repository where the action will run from. Note that APP_PEM needs to be base64 encoded. You can encode your private key file like this from the terminal:
cat your_app_key.pem | base64 -w 0 && echo
Going forward we will be using the machine-learning-apps/actions-app-token action in order to exchange the GitHub App certificate for an access token that renovate can use.
The final workflow will look like this:
name: Renovate
on:
schedule:
# The "*" (#42, asterisk) character has special semantics in YAML, so this
# string has to be quoted.
- cron: '0/15 * * * *'
jobs:
renovate:
runs-on: ubuntu-latest
steps:
- name: Get token
id: get_token
uses: machine-learning-apps/actions-app-token@master
with:
APP_PEM: ${{ secrets.APP_PEM }}
APP_ID: ${{ secrets.APP_ID }}
- name: Checkout
uses: actions/[email protected]
- name: Self-hosted Renovate
uses: renovatebot/[email protected]
with:
configurationFile: example/renovate-config.js
token: 'x-access-token:${{ steps.get_token.outputs.app_token }}'
Troubleshooting
Debug logging
In case of issues, it's always a good idea to enable debug logging first.
To enable debug logging, add the environment variable LOG_LEVEL: 'debug' to the action:
- name: Self-hosted Renovate
uses: renovatebot/[email protected]
with:
configurationFile: example/renovate-config.js
token: ${{ secrets.RENOVATE_TOKEN }}
env:
LOG_LEVEL: 'debug'
Special token requirements when using the github-actions manager
If you want to use the github-actions manager in Renovate, ensure that the token you provide contains the workflow scope.
Otherwise, GitHub does not allow Renovate to update worklow files and therefore it will be unable to create update PRs for affected packages (like actions/checkout or renovatebot/github-action itself).
renovatebot