Prepare Renovate bot against Gitea (F-12) + doc sweep
renovate.json: gitea platform, autodiscover Micha/*, group rules (major separate, minor+patch+digest grouped, stateful tier-1 individual, komodo-major disabled), pin range strategy, no automerge, dependency dashboard enabled.

ops/renovate/run-renovate.sh: one-shot docker run wrapper that reads the Gitea PAT from /mnt/user/appdata/secrets/renovate_token.txt, runs renovate/renovate:41, logs into /mnt/user/services/renovate/logs/.

docs/RENOVATE.md: 5-step operator setup (Gitea service account, PAT, token file, first run, six-hourly user script). Explicit no-automerge stance with notfall-stop checklist.

Cross-doc sweep: SECRETS_MAP entry for renovate_token.txt, REPO_MAP entry for RENOVATE.md, AUDIT_2026-05-25_TODO new Sprint 8 with F-15, F-07, F-09 rest, F-12 status, MIGRATION_LOG captures the four-block sprint in one entry.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@@ -52,6 +52,7 @@ Dieses Dokument listet sensible Daten, deren Ablageorte und die vorgesehene Einb
|
||||
| Monitoring Grafana | Admin Password | `/mnt/user/appdata/secrets/monitoring_grafana_admin_password.txt` -> Docker Secret `/run/secrets/monitoring_grafana_admin_password` -> `GF_SECURITY_ADMIN_PASSWORD__FILE` | aktiv |
|
||||
| Monitoring Grafana -> InfluxDB | Datasource Token | `/mnt/user/appdata/secrets/monitoring_grafana_influxdb_token.txt` -> Docker Secret `/run/secrets/monitoring_grafana_influxdb_token` | aktiv |
|
||||
| Home Assistant -> InfluxDB | HA InfluxDB Token | `/homeassistant/secrets.yaml` -> `influxdb3_homeassistant_token` | geplant |
|
||||
| Renovate Bot | Gitea Service-Account PAT | `/mnt/user/appdata/secrets/renovate_token.txt` -> Host-Datei (chmod 600), gelesen von `ops/renovate/run-renovate.sh` und an Renovate-Container als `RENOVATE_TOKEN` weitergegeben | aktiv nach Operator-Setup (siehe `docs/RENOVATE.md`) |
|
||||
|
||||
---
|
||||
|
||||
|
||||
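Review bot: In the added Renovate Bot row, the PAT reaches the container as the environment variable `RENOVATE_TOKEN`, whereas the two Grafana rows above stay file-based (Docker Secret under `/run/secrets/...`, consumed via `__FILE`). An environment variable is readable through `docker inspect` for as long as the container exists, and if the wrapper writes the value onto the `docker run` command line it is also visible in the host process list. The row should say how `ops/renovate/run-renovate.sh` hands the token over (for example, exporting it in the script and passing `-e RENOVATE_TOKEN` without a value) and note that the departure from the Docker Secret pattern is deliberate. The row gives `chmod 600` but not the owning user; naming the owner would let an operator verify the file permissions against this map. The status `aktiv nach Operator-Setup` also breaks the plain `aktiv` / `geplant` vocabulary of the neighbouring rows; `geplant` until the operator setup in `docs/RENOVATE.md` is complete would keep the column consistent.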