Renovate + Gitea Actions for Gitea
This repo runs Renovate via Gitea Actions, currently every 6 hours. Renovate autodiscovers all Gitea repositories the bot user can access and opens PRs for dependency updates.
How it works
- Gitea Actions runs a single job from
.gitea/workflows/renovate.ymlon a cron schedule and on manual dispatch. - The job uses the official
renovatebot/github-actionand reads config from renovate.json in this repo. - Renovate processes every non-mirror Gitea repo the bot token can access (push/pull, PRs enabled), opening and updating PRs. Minor and patch updates are grouped into one PR per repo; major updates use separate PRs.
Setup
1. Gitea Actions workflow & schedule
The workflow lives in .gitea/workflows/renovate.yml and currently runs every 6 hours:
on:
workflow_dispatch:
schedule:
- cron: "0 */6 * * *"
To change the schedule (e.g. daily or weekly), edit the cron expression there and push a commit.
2. Gitea Actions secrets
Configure these repository or organization secrets in Gitea:
| Secret | Required | Description |
|---|---|---|
RENOVATE_TOKEN |
Yes | Gitea Personal Access Token (PAT) for the bot account |
RENOVATE_GITHUB_COM_TOKEN |
No | Recommended. Read-only GitHub PAT so Renovate can fetch changelogs and release notes without hitting anonymous rate limits. Create at GitHub → Settings → Developer settings → Personal access tokens with scope read:packages (or no scopes for public data). If you don’t want GitHub integration, remove the RENOVATE_GITHUB_COM_TOKEN lines from .gitea/workflows/renovate.yml. |
The Gitea endpoint (RENOVATE_ENDPOINT) is set in .gitea/workflows/renovate.yml; change it there if your instance has a different URL. The workflow passes RENOVATE_GITHUB_COM_TOKEN to Renovate when the secret is set.
3. Gitea Personal Access Token (PAT)
Create a dedicated Renovate bot user in Gitea (or your IdP) so PRs and commits are attributed correctly, and give it access to all repos you want updated. Then:
- Log in to Gitea as the bot user and open Settings → Applications (or
https://your-gitea/user/settings/applications). - Under Manage Access Tokens, generate a token (e.g.
renovate-bot) with: repository (read/write), user (read), issue (read/write), organization (read), and package (read) if you use packages. - Copy the token (shown only once) and store it as the
RENOVATE_TOKENsecret for this repo (or org) in Gitea Actions. - In renovate.json, set
gitAuthorto match the bot (e.g."Renovate Bot <renovate-bot@your-domain>").
Configuration
Renovate is configured in renovate.json. It sets the platform, autodiscovery, grouping (group:allNonMajor), best-practices presets, and disables the Dependency Dashboard via the :disableDependencyDashboard preset (so it stays off even if other presets enable it). Token and endpoint are provided only via environment (secrets).
Target repos: If a repo has its own renovate.json, it is merged on top of this global config. A repo that sets its own extends (e.g. "extends": ["config:recommended"]) can effectively replace the global presets, lose grouping, or re-enable the dashboard. To keep bundled PRs and no dashboard, either omit per-repo configs or ensure they do not override extends / dashboard settings.
The workflow uses the official renovatebot/github-action, which runs the Renovate CLI with a full feature set, suitable for lock file updates (e.g. package-lock.json) and common package managers.
Narrowing scope
To limit which repos Renovate processes, add autodiscoverFilter (e.g. ["my-org/*"]) or autodiscoverNamespaces in renovate.json, or set RENOVATE_AUTODISCOVER_FILTER in the pipeline environment.