keligrubb/renovate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Releases Activity

replace woodpecker ci with gitea actions

Browse Source
This commit is contained in:
Madison Grubb
2026-03-04 10:02:00 -05:00
parent 8c9a95f85d
commit d4ec6c6b71
3 changed files with 52 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
.gitea/workflows/renovate.yml Normal file
View File

@@ -0,0 +1,24 @@
name: Renovate
on:
workflow_dispatch:
schedule:
- cron: "0 */6 * * *"
jobs:
renovate:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Run Renovate
uses: renovatebot/github-action@v46
env:
RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
RENOVATE_PLATFORM: gitea
RENOVATE_ENDPOINT: https://git.keligrubb.com
RENOVATE_AUTODISCOVER: "true"
RENOVATE_CONFIG_FILE: renovate.json
RENOVATE_GITHUB_COM_TOKEN: ${{ secrets.RENOVATE_GITHUB_COM_TOKEN }}

15
.woodpecker/ci.yml
View File

@@ -1,15 +0,0 @@
steps:
- name: renovate
image: renovate/renovate:full
when:
- event: cron
- event: manual
environment:
RENOVATE_TOKEN:
from_secret: renovate_token
RENOVATE_PLATFORM: gitea
RENOVATE_ENDPOINT: https://git.keligrubb.com
RENOVATE_AUTODISCOVER: "true"
RENOVATE_CONFIG_FILE: renovate.json
RENOVATE_GITHUB_COM_TOKEN:
from_secret: renovate_github_com_token

57
README.md
View File

@@ -1,56 +1,55 @@
# Renovate + Woodpecker CI for Gitea # Renovate + Gitea Actions for Gitea
This repo runs [Renovate](https://docs.renovatebot.com/) via [Woodpecker CI](https://woodpecker-ci.org/) on a schedule you define (e.g. every 12 hours). Renovate autodiscovers all repositories your Gitea bot can access and opens pull requests for dependency updates. This repo runs [Renovate](https://docs.renovatebot.com/) via **Gitea Actions**, currently every 6 hours. Renovate autodiscovers all Gitea repositories the bot user can access and opens PRs for dependency updates.
## How it works ## How it works
- **Woodpecker** runs a single pipeline step on the `cron` event whenever the cron job triggers. - **Gitea Actions** runs a single job from `.gitea/workflows/renovate.yml` on a **cron schedule** and on **manual dispatch**.
- The step uses the official `renovate/renovate` Docker image and loads config from **renovate.json** in this repo. - The job uses the official `renovatebot/github-action` and reads config from **renovate.json** in this repo.
- Renovate finds every Gitea repo the bot token can access (push/pull, PRs enabled, non-mirror) and creates/updates PRs there. Minor and patch updates are grouped into one PR per repo; major updates stay in separate PRs. - Renovate processes every non-mirror Gitea repo the bot token can access (push/pull, PRs enabled), opening and updating PRs. Minor and patch updates are grouped into one PR per repo; major updates use separate PRs.
## Setup ## Setup
### 1. Woodpecker cron job ### 1. Gitea Actions workflow & schedule
Woodpecker does not define cron schedules in YAML. You must create the schedule in the UI: The workflow lives in `.gitea/workflows/renovate.yml` and currently runs every 6 hours:
1. Open **repository settings** for this repo in Woodpecker. ```yaml
2. Add a **cron job** (e.g. name: `renovate`). on:
3. Set the schedule. Examples: workflow_dispatch:
- **Every 12 hours**: `0 */12 * * *` (00:00 and 12:00) schedule:
- **Daily**: `@daily` or `0 0 * * *` (midnight) - cron: "0 */6 * * *"
- **Weekly**: `@weekly` or `0 0 * * 0` (Sunday 00:00) ```
### 2. Woodpecker secrets To change the schedule (e.g. daily or weekly), edit the cron expression there and push a commit.
Configure these secrets at repository or organization level: ### 2. Gitea Actions secrets
Configure these **repository** or **organization** secrets in Gitea:
| Secret | Required | Description | | Secret | Required | Description |
|--------|----------|-------------| |--------|----------|-------------|
| `renovate_token` | Yes | Gitea Personal Access Token (PAT) for the bot account | | `RENOVATE_TOKEN` | Yes | Gitea Personal Access Token (PAT) for the bot account |
| `renovate_github_com_token` | No | **Recommended.** Read-only GitHub PAT so Renovate can fetch changelogs and release notes without hitting anonymous rate limits. Create at [GitHub → Settings → Developer settings → Personal access tokens](https://github.com/settings/tokens) with scope `read:packages` (or no scopes for public data). If your Woodpecker setup fails when this secret is missing, remove the `RENOVATE_GITHUB_COM_TOKEN` / `renovate_github_com_token` lines from [.woodpecker/ci.yml](.woodpecker/ci.yml). | | `RENOVATE_GITHUB_COM_TOKEN` | No | **Recommended.** Read-only GitHub PAT so Renovate can fetch changelogs and release notes without hitting anonymous rate limits. Create at [GitHub → Settings → Developer settings → Personal access tokens](https://github.com/settings/tokens) with scope `read:packages` (or no scopes for public data). If you dont want GitHub integration, remove the `RENOVATE_GITHUB_COM_TOKEN` lines from [.gitea/workflows/renovate.yml](.gitea/workflows/renovate.yml). |
The Gitea endpoint (`RENOVATE_ENDPOINT`) is set in [.woodpecker/ci.yml](.woodpecker/ci.yml); change it there if your instance has a different URL. The pipeline passes `renovate_github_com_token` as `RENOVATE_GITHUB_COM_TOKEN` when the secret is set. The Gitea endpoint (`RENOVATE_ENDPOINT`) is set in [.gitea/workflows/renovate.yml](.gitea/workflows/renovate.yml); change it there if your instance has a different URL. The workflow passes `RENOVATE_GITHUB_COM_TOKEN` to Renovate when the secret is set.
### 3. Gitea Personal Access Token (PAT) ### 3. Gitea Personal Access Token (PAT)
Create a bot user for Renovate in Gitea (or your identity provider) so PRs and commits show as the bot; ensure it has access to all repos you want updated. Then create a PAT for that user: Create a dedicated Renovate bot user in Gitea (or your IdP) so PRs and commits are attributed correctly, and give it access to all repos you want updated. Then:
1. Log in to Gitea as the bot user. 1. Log in to Gitea as the bot user and open **Settings → Applications** (or `https://your-gitea/user/settings/applications`).
2. Go to **Settings****Applications** (or `https://your-gitea/user/settings/applications`). 2. Under **Manage Access Tokens**, generate a token (e.g. `renovate-bot`) with: **repository** (read/write), **user** (read), **issue** (read/write), **organization** (read), and **package** (read) if you use packages.
3. **Manage Access Tokens** / **Generate New Token**. Name it (e.g. `renovate-woodpecker`). 3. Copy the token (shown only once) and store it as the `RENOVATE_TOKEN` secret for this repo (or org) in Gitea Actions.
4. Set permissions: **repository** (Read and write), **user** (Read), **issue** (Read and write), **organization** (Read). Add **package** (Read) if you use Gitea packages. 4. In **renovate.json**, set `gitAuthor` to match the bot (e.g. `"Renovate Bot <renovate-bot@your-domain>"`).
5. Create the token and **copy it immediately** (it is shown only once).
6. Store that value as the `renovate_token` secret in Woodpecker.
7. In **renovate.json**, set `gitAuthor` to match the bot (e.g. `"Renovate Bot <renovate-bot@your-domain>"`).
## Configuration ## Configuration
Renovate is configured in **renovate.json** in this repo. That file sets platform, autodiscover, grouping (`group:allNonMajor`), best-practices presets, and disables the Dependency Dashboard via the `:disableDependencyDashboard` preset (so it stays off even when presets enable it). Token and endpoint are provided only via pipeline environment (secrets). Renovate is configured in **renovate.json**. It sets the platform, autodiscovery, grouping (`group:allNonMajor`), best-practices presets, and disables the Dependency Dashboard via the `:disableDependencyDashboard` preset (so it stays off even if other presets enable it). Token and endpoint are provided only via environment (secrets).
**Target repos:** If a repo has its own **renovate.json**, it is merged on top of this global config. A repo that sets its own `extends` (e.g. `"extends": ["config:recommended"]`) can effectively replace the global extends and lose grouping or re-enable the dashboard. To keep bundled PRs and no dashboard, either leave that repo without a renovate config file or ensure its config does not override `extends` / dashboard settings. **Target repos:** If a repo has its own **renovate.json**, it is merged on top of this global config. A repo that sets its own `extends` (e.g. `"extends": ["config:recommended"]`) can effectively replace the global presets, lose grouping, or re-enable the dashboard. To keep bundled PRs and no dashboard, either omit per-repo configs or ensure they do not override `extends` / dashboard settings.
The pipeline uses the **renovate/renovate:full** image so lock file updates (e.g. `package-lock.json`) have npm and other package managers available; the default slim image installs them at runtime and can sometimes produce artifact update failures in CI. The workflow uses the official **renovatebot/github-action**, which runs the Renovate CLI with a full feature set, suitable for lock file updates (e.g. `package-lock.json`) and common package managers.
## Narrowing scope ## Narrowing scope