Renovate + Gitea Actions for Gitea
This repo runs Renovate via Gitea Actions, currently every hour. Renovate autodiscovers all Gitea repositories the bot user can access and opens PRs for dependency updates.
How it works
- Gitea Actions runs a single job from .gitea/workflows/renovate.yml on a cron schedule and on manual dispatch.
- The job uses the official renovatebot/github-action and reads config from renovate.json in this repo.
- Renovate processes every non-mirror Gitea repo the bot token can access (push/pull, PRs enabled), opening and updating PRs. Minor and patch updates are grouped into one PR per repo; major updates use separate PRs.
Setup
1. Gitea Actions workflow & schedule
The workflow lives in .gitea/workflows/renovate.yml and currently runs every 6 hours:
```yaml
on:
  workflow_dispatch:
  schedule:
    - cron: "0 */6 * * *"
```
To change the schedule (e.g. daily or weekly), edit the cron expression there and push a commit.
2. Gitea Actions secrets
Configure these repository or organization secrets in Gitea:
| Secret | Required | Description |
|---|---|---|
| RENOVATE_TOKEN | Yes | Gitea Personal Access Token (PAT) for the bot account |
| RENOVATE_GITHUB_COM_TOKEN | No | Recommended. Read-only GitHub PAT so Renovate can fetch changelogs and release notes without hitting anonymous rate limits. Create at GitHub → Settings → Developer settings → Personal access tokens with scope read:packages (or no scopes for public data). If you don’t want GitHub integration, remove the RENOVATE_GITHUB_COM_TOKEN lines from .gitea/workflows/renovate.yml. |
The Gitea endpoint (RENOVATE_ENDPOINT) is set in .gitea/workflows/renovate.yml; change it there if your instance has a different URL. The workflow passes RENOVATE_GITHUB_COM_TOKEN to Renovate when the secret is set.
3. Gitea Personal Access Token (PAT)
Create a dedicated Renovate bot user in Gitea (or your IdP) so PRs and commits are attributed correctly, and give it access to all repos you want updated. Then:
- Log in to Gitea as the bot user and open Settings → Applications (or https://your-gitea/user/settings/applications).
- Under Manage Access Tokens, generate a token (e.g. renovate-bot) with: repository (read/write), user (read), issue (read/write), organization (read), and package (read) if you use packages.
- Copy the token (shown only once) and store it as the RENOVATE_TOKEN secret for this repo (or org) in Gitea Actions.
- In renovate.json, set gitAuthor to match the bot (e.g. "Renovate Bot <renovate-bot@your-domain>").
Configuration
Renovate is configured in renovate.json. It sets the platform, autodiscovery, grouping (group:allNonMajor), best-practices presets, and disables the Dependency Dashboard via the :disableDependencyDashboard preset (so it stays off even if other presets enable it). Token and endpoint are provided only via environment (secrets).
Target repos: If a repo has its own renovate.json, it is merged on top of this global config. A repo that sets its own extends (e.g. "extends": ["config:recommended"]) can effectively replace the global presets, lose grouping, or re-enable the dashboard. To keep bundled PRs and no dashboard, either omit per-repo configs or ensure they do not override extends / dashboard settings.
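An added example (not part of this repo's code): a small audit that flags per-repo renovate.json files carrying the overrides described under Target repos. The repo names and JSON contents are constructed samples, and fetching the files from Gitea is assumed to happen elsewhere.

```python
import json


def audit_repo_config(text):
    """Return findings for one per-repo renovate.json, passed in as text."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top level is not a JSON object"]

    findings = []
    if "extends" in cfg:
        ext = cfg["extends"]
        # extends is normally a list of preset names; tolerate a bare string.
        items = ext if isinstance(ext, list) else [ext]
        presets = [p for p in items if isinstance(p, str)]
        findings.append("sets its own extends: " + ", ".join(presets))
        if ":dependencyDashboard" in presets:
            findings.append("extends includes :dependencyDashboard")
    if cfg.get("dependencyDashboard") is True:
        findings.append("dependencyDashboard is true")
    return findings


def audit_all(configs):
    """Map repo name -> findings, keeping only repos that need review."""
    report = {}
    for repo, text in configs.items():
        found = audit_repo_config(text)
        if found:
            report[repo] = found
    return report


# Constructed sample inputs (hypothetical repos, not real data).
SAMPLE_CONFIGS = {
    "my-org/api": '{"extends": ["config:recommended"]}',
    "my-org/web": '{"labels": ["dependencies"]}',
    "my-org/cli": '{"extends": [":dependencyDashboard"], "dependencyDashboard": true}',
    "my-org/docs": '{"extends": [',
}

if __name__ == "__main__":
    for repo, found in audit_all(SAMPLE_CONFIGS).items():
        print(repo, "->", "; ".join(found))
```

A repo with no findings (here my-org/web) only adds settings on top of the global config; the others need a manual look before the next run.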
The workflow uses the official renovatebot/github-action, which runs the Renovate CLI with a full feature set, suitable for lock file updates (e.g. package-lock.json) and common package managers.
Narrowing scope
To limit which repos Renovate processes, add autodiscoverFilter (e.g. ["my-org/*"]) or autodiscoverNamespaces in renovate.json, or set RENOVATE_AUTODISCOVER_FILTER in the pipeline environment.