From 7d4d5f901a9bec002baf963d9c3e0b51855c890f Mon Sep 17 00:00:00 2001
From: Micha
Date: Tue, 23 Jun 2026 20:42:19 +0200
Subject: [PATCH] Add Renovate GitHub token support

---
 docs/RENOVATE.md | 22 ++++++++++++++++++++++
 ops/renovate/run-renovate.sh | 16 ++++++++++++++--
 2 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/docs/RENOVATE.md b/docs/RENOVATE.md
index 2837ca1..038dbca 100644
--- a/docs/RENOVATE.md
+++ b/docs/RENOVATE.md
@@ -16,6 +16,7 @@ Bewusst kein Auto-Merge: jede PR braucht eine Operator-Sichtpruefung und einen M
 - **Schedule:** alle 6 Stunden per Unraid User-Script `renovate-six-hourly` (`20 */6 * * *`)
 - **Plattform:** Gitea via `https://git.kaleschke.info/api/v1`
 - **Authentifizierung:** Gitea-PAT als Host-Secret-Datei
+- **GitHub.com Release Notes:** optionaler read-only GitHub.com-PAT als Host-Secret-Datei
 - **Konfiguration:** `renovate.json` im Repo-Root
 
 ## Operator-Setup (historisch, einmalig)
@@ -55,6 +56,27 @@ chown root:root /mnt/user/appdata/secrets/renovate_token.txt
 
 Token-Wert nicht in dieses Repo, nicht in Logs, nicht in Issues.
 
+### Schritt 3b - Optionaler GitHub.com-Token fuer Release Notes
+
+Da Renovate gegen Gitea laeuft, hat der Bot nicht automatisch GitHub.com-Credentials. Fuer Release Notes, Changelogs und weniger GitHub-API-Rate-Limit-Rauschen kann ein separater GitHub.com-PAT hinterlegt werden.
+
+Anforderungen:
+
+- beliebiger GitHub.com-Account
+- read-only / keine Repository-Berechtigungen noetig
+- nur fuer Renovate, nicht fuer Gitea-Zugriff
+
+Am Unraid-Host:
+
+```bash
+TOKEN='hier-den-github-com-token-einfuegen'
+echo -n "$TOKEN" > /mnt/user/appdata/secrets/renovate_github_com_token.txt
+chmod 600 /mnt/user/appdata/secrets/renovate_github_com_token.txt
+chown root:root /mnt/user/appdata/secrets/renovate_github_com_token.txt
+```
+
+`ops/renovate/run-renovate.sh` liest die Datei optional und reicht sie als `RENOVATE_GITHUB_COM_TOKEN` an den Renovate-Container durch. Fehlt die Datei, laeuft Renovate weiter, aber das Dependency Dashboard meldet `No github.com token has been configured. Skipping release notes retrieval`.
+
 ### Schritt 4 - Erstlauf manuell
 
 ```bash
diff --git a/ops/renovate/run-renovate.sh b/ops/renovate/run-renovate.sh
index 3989cde..be8a187 100644
--- a/ops/renovate/run-renovate.sh
+++ b/ops/renovate/run-renovate.sh
@@ -13,11 +13,14 @@ set -euo pipefail
 # 3. Im Gitea-Profil des renovate-Users ein Access-Token erzeugen:
 # Scope: `write:repository` + `read:user`
 # 4. Token in `/mnt/user/appdata/secrets/renovate_token.txt` ablegen (chmod 600)
-# 5. Erstlauf: `bash /mnt/user/services/homelab-infra/ops/renovate/run-renovate.sh`
-# 6. User-Script `renovate-six-hourly` aktivieren
+# 5. Optional: GitHub.com Read-only-PAT fuer Release Notes als
+# `/mnt/user/appdata/secrets/renovate_github_com_token.txt` ablegen.
+# 6. Erstlauf: `bash /mnt/user/services/homelab-infra/ops/renovate/run-renovate.sh`
+# 7. User-Script `renovate-six-hourly` aktivieren
 
 RENOVATE_IMAGE="${RENOVATE_IMAGE:-renovate/renovate:41}"
 RENOVATE_TOKEN_FILE="${RENOVATE_TOKEN_FILE:-/mnt/user/appdata/secrets/renovate_token.txt}"
+RENOVATE_GITHUB_COM_TOKEN_FILE="${RENOVATE_GITHUB_COM_TOKEN_FILE:-/mnt/user/appdata/secrets/renovate_github_com_token.txt}"
 RENOVATE_LOG_DIR="${RENOVATE_LOG_DIR:-/mnt/user/services/renovate/logs}"
 RENOVATE_STATE_DIR="${RENOVATE_STATE_DIR:-/mnt/user/services/renovate/state}"
 RENOVATE_CONFIG_FILE="${RENOVATE_CONFIG_FILE:-/mnt/user/services/homelab-infra/ops/renovate/bot-config.js}"
@@ -63,8 +66,16 @@ RENOVATE_TOKEN=$(cat "$RENOVATE_TOKEN_FILE")
 RENOVATE_CONFIG_FILE=/usr/src/app/config.js
 LOG_LEVEL=${RENOVATE_LOG_LEVEL:-info}
 EFEOF
+ if [ -r "$RENOVATE_GITHUB_COM_TOKEN_FILE" ]; then
+ {
+ printf 'RENOVATE_GITHUB_COM_TOKEN='
+ cat "$RENOVATE_GITHUB_COM_TOKEN_FILE"
+ printf '\n'
+ } >> "$ENV_FILE"
+ fi
 chmod 600 "$ENV_FILE"
+ set +e
 docker run --rm \
 --name renovate-run \
 --add-host "git.kaleschke.info:$GITEA_HOST_LAN_IP" \
@@ -75,6 +86,7 @@ EFEOF
 --env-file "$ENV_FILE" \
 "$RENOVATE_IMAGE" 2>&1
 rc=$?
+ set -e
 shred -u "$ENV_FILE" 2>/dev/null || rm -f "$ENV_FILE"
 echo
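Review bot: The new step 5 comment ends with `ablegen.` while step 4 directly above it specifies `ablegen (chmod 600)` for the Gitea token file; the script later only tests the GitHub token file with `-r` and copies its contents into the container env, so this header comment is the operator's only cue about the expected mode, and `+#    \`/mnt/user/appdata/secrets/renovate_github_com_token.txt\` ablegen (chmod 600).` keeps the two steps consistent. The surrounding header comment block starts outside this hunk.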
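Review bot: The `set +e` / `set -e` bracket added around `docker run` (the matching `set -e` is in the last hunk) only protects the `shred -u "$ENV_FILE"` cleanup from a non-zero container exit; any other failure between writing the two tokens into `$ENV_FILE` and the shred — `cat` failing inside the new block, `chmod`, or a SIGTERM from the User-Script runner — still terminates under `set -euo pipefail` and leaves `$ENV_FILE` with both tokens behind. An EXIT trap registered where `ENV_FILE` is created (outside this hunk) covers every exit path, `trap 'shred -u "$ENV_FILE" 2>/dev/null || rm -f -- "$ENV_FILE"' EXIT`, after which the bracket can become `rc=0` before and `|| rc=$?` after the `docker run` command. Separately, the new block writes the token with a bare `cat`, whereas the Gitea token in the heredoc above is read via `$(cat "$RENOVATE_TOKEN_FILE")`, which strips trailing newlines; `printf 'RENOVATE_GITHUB_COM_TOKEN=%s\n' "$(cat "$RENOVATE_GITHUB_COM_TOKEN_FILE")" >> "$ENV_FILE"` matches that style and tolerates a token file saved with a trailing newline. The enclosing block of this hunk starts and ends outside it.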