keligrubb 8c9a95f85d
move to recommended instead of best-practices in order to fix caret and digest requests
2026-02-22 15:40:11 -05:00

Renovate + Woodpecker CI for Gitea

This repo runs Renovate via Woodpecker CI on a schedule you define (e.g. every 12 hours). Renovate autodiscovers all repositories your Gitea bot can access and opens pull requests for dependency updates.

How it works

  • Woodpecker runs a single pipeline step on the cron event whenever the cron job triggers.
  • The step uses the official renovate/renovate Docker image and loads config from renovate.json in this repo.
  • Renovate finds every Gitea repo the bot token can access (push/pull, PRs enabled, non-mirror) and creates/updates PRs there. Minor and patch updates are grouped into one PR per repo; major updates stay in separate PRs.

Setup

1. Woodpecker cron job

Woodpecker does not define cron schedules in YAML. You must create the schedule in the UI:

  1. Open repository settings for this repo in Woodpecker.
  2. Add a cron job (e.g. name: renovate).
  3. Set the schedule. Examples:
    • Every 12 hours: 0 */12 * * * (00:00 and 12:00)
    • Daily: @daily or 0 0 * * * (midnight)
    • Weekly: @weekly or 0 0 * * 0 (Sunday 00:00)

2. Woodpecker secrets

Configure these secrets at repository or organization level:

| Secret | Required | Description |
| --- | --- | --- |
| renovate_token | Yes | Gitea Personal Access Token (PAT) for the bot account |
| renovate_github_com_token | No | Recommended. Read-only GitHub PAT so Renovate can fetch changelogs and release notes without hitting anonymous rate limits. Create at GitHub → Settings → Developer settings → Personal access tokens with scope read:packages (or no scopes for public data). If your Woodpecker setup fails when this secret is missing, remove the RENOVATE_GITHUB_COM_TOKEN / renovate_github_com_token lines from .woodpecker/ci.yml. |

The Gitea endpoint (RENOVATE_ENDPOINT) is set in .woodpecker/ci.yml; change it there if your instance has a different URL. The pipeline passes renovate_github_com_token as RENOVATE_GITHUB_COM_TOKEN when the secret is set.

3. Gitea Personal Access Token (PAT)

Create a bot user for Renovate in Gitea (or your identity provider) so PRs and commits show as the bot; ensure it has access to all repos you want updated. Then create a PAT for that user:

  1. Log in to Gitea as the bot user.
  2. Go to Settings → Applications (or https://your-gitea/user/settings/applications).
  3. Under Manage Access Tokens, choose Generate New Token and name it (e.g. renovate-woodpecker).
  4. Set permissions: repository (Read and write), user (Read), issue (Read and write), organization (Read). Add package (Read) if you use Gitea packages.
  5. Create the token and copy it immediately (it is shown only once).
  6. Store that value as the renovate_token secret in Woodpecker.
  7. In renovate.json, set gitAuthor to match the bot (e.g. "Renovate Bot <renovate-bot@your-domain>").

Configuration

Renovate is configured in renovate.json in this repo. That file sets platform, autodiscover, grouping (group:allNonMajor), best-practices presets, and disables the Dependency Dashboard via the :disableDependencyDashboard preset (so it stays off even when presets enable it). Token and endpoint are provided only via pipeline environment (secrets).

Target repos: If a repo has its own renovate.json, it is merged on top of this global config. A repo that sets its own extends (e.g. "extends": ["config:recommended"]) can effectively replace the global extends and lose grouping or re-enable the dashboard. To keep bundled PRs and no dashboard, either leave that repo without a renovate config file or ensure its config does not override extends / dashboard settings.

The pipeline uses the renovate/renovate:full image so lock file updates (e.g. package-lock.json) have npm and other package managers available; the default slim image installs them at runtime and can sometimes produce artifact update failures in CI.

Narrowing scope

To limit which repos Renovate processes, add autodiscoverFilter (e.g. ["my-org/*"]) or autodiscoverNamespaces in renovate.json, or set RENOVATE_AUTODISCOVER_FILTER in the pipeline environment.
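The checks implied by the Configuration, Target repos and Narrowing scope notes can be run as a small audit before the cron job goes live. This is an added example, not code from this repo: the sample configs are constructed, the function names are hypothetical, and only the Renovate option and preset names come from Renovate itself.

```python
import json

# Constructed sample of a global renovate.json like the one described above (not this repo's file).
GLOBAL_CONFIG = json.loads("""{
  "platform": "gitea",
  "autodiscover": true,
  "extends": ["config:recommended", "group:allNonMajor", ":disableDependencyDashboard"],
  "gitAuthor": "Renovate Bot <renovate-bot@your-domain>"
}""")
# Constructed sample of a target repo's own renovate.json.
REPO_CONFIG = json.loads('{"extends": ["config:recommended"]}')

SECRET_KEYS = {"token", "password"}  # Renovate credential options (top level or hostRules)
REQUIRED_PRESETS = ("group:allNonMajor", ":disableDependencyDashboard")

def find_secrets(node, path="$"):
    """Return JSON paths of non-empty credential keys anywhere in the config."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key in SECRET_KEYS and value:
                hits.append(f"{path}.{key}")
            hits += find_secrets(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits += find_secrets(item, f"{path}[{i}]")
    return hits

def audit_global(cfg, env=None):
    """Check the global config; env is the pipeline environment (hypothetical dict)."""
    env = env or {}
    findings = [f"credential stored in file: {p}" for p in find_secrets(cfg)]
    scoped = (cfg.get("autodiscoverFilter") or cfg.get("autodiscoverNamespaces")
              or env.get("RENOVATE_AUTODISCOVER_FILTER"))
    if cfg.get("autodiscover") and not scoped:
        findings.append("autodiscover unscoped: all repos the bot token can access")
    findings += [f"missing preset: {p}" for p in REQUIRED_PRESETS
                 if p not in cfg.get("extends", [])]
    return findings

def audit_repo_override(repo_cfg):
    """Flag repo-level settings the README says can undo the global behaviour."""
    findings = []
    if "extends" in repo_cfg:
        findings.append("own extends: may replace global grouping/dashboard presets")
    if repo_cfg.get("dependencyDashboard"):
        findings.append("dependencyDashboard re-enabled")
    return findings

if __name__ == "__main__":
    for line in audit_global(GLOBAL_CONFIG) + audit_repo_override(REPO_CONFIG):
        print("FINDING:", line)
```

An unscoped autodiscover finding is expected when the bot account is meant to cover every repo it can reach; it is a prompt to confirm the token's access matches that intent.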
