renovate/README.md
2026-03-04 10:02:00 -05:00

# Renovate + Gitea Actions for Gitea
This repo runs [Renovate](https://docs.renovatebot.com/) via **Gitea Actions**, currently every 6 hours. Renovate autodiscovers all Gitea repositories the bot user can access and opens PRs for dependency updates.
## How it works
- **Gitea Actions** runs a single job from `.gitea/workflows/renovate.yml` on a **cron schedule** and on **manual dispatch**.
- The job uses the official `renovatebot/github-action` and reads config from **renovate.json** in this repo.
- Renovate processes every non-mirror Gitea repo the bot token can access (push/pull, PRs enabled), opening and updating PRs. Minor and patch updates are grouped into one PR per repo; major updates use separate PRs.
## Setup
### 1. Gitea Actions workflow & schedule
The workflow lives in `.gitea/workflows/renovate.yml` and currently runs every 6 hours:
```yaml
on:
  workflow_dispatch:
  schedule:
    - cron: "0 */6 * * *"
```
To change the schedule (e.g. daily or weekly), edit the cron expression there and push a commit.
### 2. Gitea Actions secrets
Configure these **repository** or **organization** secrets in Gitea:
| Secret | Required | Description |
|--------|----------|-------------|
| `RENOVATE_TOKEN` | Yes | Gitea Personal Access Token (PAT) for the bot account |
| `RENOVATE_GITHUB_COM_TOKEN` | No | **Recommended.** Read-only GitHub PAT so Renovate can fetch changelogs and release notes without hitting anonymous rate limits. Create at [GitHub → Settings → Developer settings → Personal access tokens](https://github.com/settings/tokens) with scope `read:packages` (or no scopes for public data). If you don't want GitHub integration, remove the `RENOVATE_GITHUB_COM_TOKEN` lines from [.gitea/workflows/renovate.yml](.gitea/workflows/renovate.yml). |
The Gitea endpoint (`RENOVATE_ENDPOINT`) is set in [.gitea/workflows/renovate.yml](.gitea/workflows/renovate.yml); change it there if your instance has a different URL. The workflow passes `RENOVATE_GITHUB_COM_TOKEN` to Renovate when the secret is set.
### 3. Gitea Personal Access Token (PAT)
Create a dedicated Renovate bot user in Gitea (or your IdP) so PRs and commits are attributed correctly, and give it access to all repos you want updated. Then:
1. Log in to Gitea as the bot user and open **Settings → Applications** (or `https://your-gitea/user/settings/applications`).
2. Under **Manage Access Tokens**, generate a token (e.g. `renovate-bot`) with: **repository** (read/write), **user** (read), **issue** (read/write), **organization** (read), and **package** (read) if you use packages.
3. Copy the token (shown only once) and store it as the `RENOVATE_TOKEN` secret for this repo (or org) in Gitea Actions.
4. In **renovate.json**, set `gitAuthor` to match the bot (e.g. `"Renovate Bot <renovate-bot@your-domain>"`).
## Configuration
Renovate is configured in **renovate.json**. It sets the platform, autodiscovery, grouping (`group:allNonMajor`), best-practices presets, and disables the Dependency Dashboard via the `:disableDependencyDashboard` preset (so it stays off even if other presets enable it). Token and endpoint are provided only via environment (secrets).
**Target repos:** If a repo has its own **renovate.json**, it is merged on top of this global config. A repo that sets its own `extends` (e.g. `"extends": ["config:recommended"]`) can effectively replace the global presets, lose grouping, or re-enable the dashboard. To keep bundled PRs and no dashboard, either omit per-repo configs or ensure they do not override `extends` / dashboard settings.
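One way to spot the per-repo overrides described above, as an added example that is not part of this repo's code. It assumes each repo-level `renovate.json` is strict JSON already fetched as text; the function names and sample repos are hypothetical, and it flags keys rather than reproducing Renovate's merge logic.

```python
import json

# Presets this README says the global renovate.json relies on.
GLOBAL_PRESETS = ("group:allNonMajor", ":disableDependencyDashboard")


def audit_repo_config(text):
    """Return findings for one repo-level renovate.json (strict JSON assumed)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"unparseable JSON: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top-level value is not an object"]

    findings = []
    if "extends" in cfg:
        extends = cfg["extends"]
        presets = extends if isinstance(extends, list) else [extends]
        missing = [p for p in GLOBAL_PRESETS if p not in presets]
        detail = f"; does not list {', '.join(missing)}" if missing else ""
        findings.append(f"sets its own extends{detail}")
        if ":dependencyDashboard" in presets:
            findings.append("extends enables the Dependency Dashboard preset")
    if cfg.get("dependencyDashboard") is True:
        findings.append("dependencyDashboard is set to true")
    return findings


# Constructed sample inputs: repo name -> contents of its renovate.json.
SAMPLES = {
    "my-org/api": '{"extends": ["config:recommended"]}',
    "my-org/web": '{"labels": ["dependencies"]}',
    "my-org/ops": '{"extends": ["group:allNonMajor", ":disableDependencyDashboard"],'
                  ' "dependencyDashboard": true}',
    "my-org/bad": '{"extends": [',
}


def audit_all(samples):
    """Map each repo to its findings, keeping only repos with at least one."""
    report = {}
    for repo, text in samples.items():
        findings = audit_repo_config(text)
        if findings:
            report[repo] = findings
    return report


if __name__ == "__main__":
    for repo, findings in audit_all(SAMPLES).items():
        for finding in findings:
            print(f"{repo}: {finding}")
```
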
The workflow uses the official **renovatebot/github-action**, which runs the Renovate CLI with a full feature set, suitable for lock file updates (e.g. `package-lock.json`) and common package managers.
## Narrowing scope
To limit which repos Renovate processes, add `autodiscoverFilter` (e.g. `["my-org/*"]`) or `autodiscoverNamespaces` in **renovate.json**, or set `RENOVATE_AUTODISCOVER_FILTER` in the pipeline environment.