Renovate + Woodpecker CI for Gitea
This repo runs Renovate via Woodpecker CI on a schedule you define (e.g. every 12 hours). Renovate autodiscovers all repositories your Gitea bot can access and opens pull requests for dependency updates.
How it works
- Woodpecker runs a single pipeline step on the cron event whenever the cron job triggers.
- The step uses the official renovate/renovate Docker image and loads config from renovate.json in this repo.
- Renovate finds every Gitea repo the bot token can access (push/pull, PRs enabled, non-mirror) and creates/updates PRs there. Minor and patch updates are grouped into one PR per repo; major updates stay in separate PRs.
Setup
1. Woodpecker cron job
Woodpecker does not define cron schedules in YAML. You must create the schedule in the UI:
- Open repository settings for this repo in Woodpecker.
- Add a cron job (e.g. name: renovate).
- Set the schedule. Examples:
  - Every 12 hours: 0 */12 * * * (00:00 and 12:00)
  - Daily: @daily or 0 0 * * * (midnight)
  - Weekly: @weekly or 0 0 * * 0 (Sunday 00:00)
2. Woodpecker secrets
Configure these secrets at repository or organization level:
| Secret | Required | Description |
|---|---|---|
| renovate_token | Yes | Gitea Personal Access Token (PAT) for the bot account |
| renovate_github_com_token | No | Recommended. Read-only GitHub PAT so Renovate can fetch changelogs and release notes without hitting anonymous rate limits. Create at GitHub → Settings → Developer settings → Personal access tokens with scope read:packages (or no scopes for public data). If your Woodpecker setup fails when this secret is missing, remove the RENOVATE_GITHUB_COM_TOKEN / renovate_github_com_token lines from .woodpecker/ci.yml. |
The Gitea endpoint (RENOVATE_ENDPOINT) is set in .woodpecker/ci.yml; change it there if your instance has a different URL. The pipeline passes renovate_github_com_token as RENOVATE_GITHUB_COM_TOKEN when the secret is set.
3. Gitea Personal Access Token (PAT)
Create a bot user for Renovate in Gitea (or your identity provider) so PRs and commits show as the bot; ensure it has access to all repos you want updated. Then create a PAT for that user:
- Log in to Gitea as the bot user.
- Go to Settings → Applications (or https://your-gitea/user/settings/applications).
- Manage Access Tokens / Generate New Token. Name it (e.g. renovate-woodpecker).
- Set permissions: repository (Read and write), user (Read), issue (Read and write), organization (Read). Add package (Read) if you use Gitea packages.
- Create the token and copy it immediately (it is shown only once).
- Store that value as the renovate_token secret in Woodpecker.
- In renovate.json, set gitAuthor to match the bot (e.g. "Renovate Bot <renovate-bot@your-domain>").
Configuration
Renovate is configured in renovate.json in this repo. That file sets platform, autodiscover, grouping (group:allNonMajor), best-practices presets, and disables the Dependency Dashboard via the :disableDependencyDashboard preset (so it stays off even when presets enable it). Token and endpoint are provided only via pipeline environment (secrets).
Target repos: If a repo has its own renovate.json, it is merged on top of this global config. A repo that sets its own extends (e.g. "extends": ["config:recommended"]) can effectively replace the global extends and lose grouping or re-enable the dashboard. To keep bundled PRs and no dashboard, either leave that repo without a renovate config file or ensure its config does not override extends / dashboard settings.
The pipeline uses the renovate/renovate:full image so lock file updates (e.g. package-lock.json) have npm and other package managers available; the default slim image installs them at runtime and can sometimes produce artifact update failures in CI.
Narrowing scope
To limit which repos Renovate processes, add autodiscoverFilter (e.g. ["my-org/*"]) or autodiscoverNamespaces in renovate.json, or set RENOVATE_AUTODISCOVER_FILTER in the pipeline environment.
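To preview how far the bot token reaches before and after adding autodiscoverFilter, the sketch below applies the eligibility rules listed under "How it works" (push/pull, PRs enabled, non-mirror) plus a filter to a constructed repo list. It is an added example, not part of this repo: the record keys follow Gitea's repository API objects, skip_reason and preview_scope are hypothetical helper names, and Python's fnmatch stands in as an approximation of Renovate's glob matching.

```python
from fnmatch import fnmatchcase


def repo(name, mirror=False, prs=True, push=True):
    # Constructed sample record; keys follow the fields of a Gitea API repo object.
    return {"full_name": name, "mirror": mirror, "has_pull_requests": prs,
            "permissions": {"pull": True, "push": push}}


# Constructed list standing in for "every repo the bot token can see".
SAMPLE_REPOS = [
    repo("my-org/app"),
    repo("my-org/upstream-mirror", mirror=True),
    repo("my-org/docs", prs=False),
    repo("other-team/payments"),
    repo("other-team/readonly", push=False),
]


def skip_reason(r, filters):
    """Return why Renovate would skip this repo, or None if it is in scope."""
    perms = r.get("permissions", {})
    if not (perms.get("pull") and perms.get("push")):
        return "token lacks push/pull"
    if not r.get("has_pull_requests"):
        return "PRs disabled"
    if r.get("mirror"):
        return "mirror"
    # Assumption: fnmatch approximates Renovate's glob matching for simple patterns.
    if filters and not any(fnmatchcase(r["full_name"], f) for f in filters):
        return "excluded by autodiscoverFilter"
    return None


def preview_scope(repos, filters=None):
    """Split repos into (in_scope names, {skipped name: reason})."""
    in_scope, skipped = [], {}
    for r in repos:
        reason = skip_reason(r, filters)
        if reason is None:
            in_scope.append(r["full_name"])
        else:
            skipped[r["full_name"]] = reason
    return in_scope, skipped


if __name__ == "__main__":
    for filters in (None, ["my-org/*"]):
        in_scope, skipped = preview_scope(SAMPLE_REPOS, filters)
        print(f"filter={filters}: PRs would be opened in {in_scope}")
        for name, reason in skipped.items():
            print(f"  skipped {name}: {reason}")
```

Without a filter the sample token reaches a second team's repository; with ["my-org/*"] only the intended organization remains in scope.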