Micha/homelab-infra
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Add Renovate GitHub token support

Browse Source
This commit is contained in:
Micha
2026-06-23 20:42:19 +02:00
parent ad8010767d
commit 7d4d5f901a
2 changed files with 36 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/RENOVATE.md
+22
View File
@@ -16,6 +16,7 @@ Bewusst kein Auto-Merge: jede PR braucht eine Operator-Sichtpruefung und einen M
- **Schedule:** alle 6 Stunden per Unraid User-Script `renovate-six-hourly` (`20 */6 * * *`) - **Schedule:** alle 6 Stunden per Unraid User-Script `renovate-six-hourly` (`20 */6 * * *`)
- **Plattform:** Gitea via `https://git.kaleschke.info/api/v1` - **Plattform:** Gitea via `https://git.kaleschke.info/api/v1`
- **Authentifizierung:** Gitea-PAT als Host-Secret-Datei - **Authentifizierung:** Gitea-PAT als Host-Secret-Datei
- **GitHub.com Release Notes:** optionaler read-only GitHub.com-PAT als Host-Secret-Datei
- **Konfiguration:** `renovate.json` im Repo-Root - **Konfiguration:** `renovate.json` im Repo-Root
## Operator-Setup (historisch, einmalig) ## Operator-Setup (historisch, einmalig)
@@ -55,6 +56,27 @@ chown root:root /mnt/user/appdata/secrets/renovate_token.txt
Token-Wert nicht in dieses Repo, nicht in Logs, nicht in Issues. Token-Wert nicht in dieses Repo, nicht in Logs, nicht in Issues.
### Schritt 3b - Optionaler GitHub.com-Token fuer Release Notes
Da Renovate gegen Gitea laeuft, hat der Bot nicht automatisch GitHub.com-Credentials. Fuer Release Notes, Changelogs und weniger GitHub-API-Rate-Limit-Rauschen kann ein separater GitHub.com-PAT hinterlegt werden.
Anforderungen:
- beliebiger GitHub.com-Account
- read-only / keine Repository-Berechtigungen noetig
- nur fuer Renovate, nicht fuer Gitea-Zugriff
Am Unraid-Host:
```bash
TOKEN='hier-den-github-com-token-einfuegen'
echo -n "$TOKEN" > /mnt/user/appdata/secrets/renovate_github_com_token.txt
chmod 600 /mnt/user/appdata/secrets/renovate_github_com_token.txt
chown root:root /mnt/user/appdata/secrets/renovate_github_com_token.txt
```
`ops/renovate/run-renovate.sh` liest die Datei optional und reicht sie als `RENOVATE_GITHUB_COM_TOKEN` an den Renovate-Container durch. Fehlt die Datei, laeuft Renovate weiter, aber das Dependency Dashboard meldet `No github.com token has been configured. Skipping release notes retrieval`.
### Schritt 4 - Erstlauf manuell ### Schritt 4 - Erstlauf manuell
```bash ```bash
ops/renovate/run-renovate.sh
+14 -2
View File
@@ -13,11 +13,14 @@ set -euo pipefail
# 3. Im Gitea-Profil des renovate-Users ein Access-Token erzeugen: # 3. Im Gitea-Profil des renovate-Users ein Access-Token erzeugen:
# Scope: `write:repository` + `read:user` # Scope: `write:repository` + `read:user`
# 4. Token in `/mnt/user/appdata/secrets/renovate_token.txt` ablegen (chmod 600) # 4. Token in `/mnt/user/appdata/secrets/renovate_token.txt` ablegen (chmod 600)
# 5. Erstlauf: `bash /mnt/user/services/homelab-infra/ops/renovate/run-renovate.sh` # 5. Optional: GitHub.com Read-only-PAT fuer Release Notes als
# 6. User-Script `renovate-six-hourly` aktivieren # `/mnt/user/appdata/secrets/renovate_github_com_token.txt` ablegen.
# 6. Erstlauf: `bash /mnt/user/services/homelab-infra/ops/renovate/run-renovate.sh`
# 7. User-Script `renovate-six-hourly` aktivieren
RENOVATE_IMAGE="${RENOVATE_IMAGE:-renovate/renovate:41}" RENOVATE_IMAGE="${RENOVATE_IMAGE:-renovate/renovate:41}"
RENOVATE_TOKEN_FILE="${RENOVATE_TOKEN_FILE:-/mnt/user/appdata/secrets/renovate_token.txt}" RENOVATE_TOKEN_FILE="${RENOVATE_TOKEN_FILE:-/mnt/user/appdata/secrets/renovate_token.txt}"
RENOVATE_GITHUB_COM_TOKEN_FILE="${RENOVATE_GITHUB_COM_TOKEN_FILE:-/mnt/user/appdata/secrets/renovate_github_com_token.txt}"
RENOVATE_LOG_DIR="${RENOVATE_LOG_DIR:-/mnt/user/services/renovate/logs}" RENOVATE_LOG_DIR="${RENOVATE_LOG_DIR:-/mnt/user/services/renovate/logs}"
RENOVATE_STATE_DIR="${RENOVATE_STATE_DIR:-/mnt/user/services/renovate/state}" RENOVATE_STATE_DIR="${RENOVATE_STATE_DIR:-/mnt/user/services/renovate/state}"
RENOVATE_CONFIG_FILE="${RENOVATE_CONFIG_FILE:-/mnt/user/services/homelab-infra/ops/renovate/bot-config.js}" RENOVATE_CONFIG_FILE="${RENOVATE_CONFIG_FILE:-/mnt/user/services/homelab-infra/ops/renovate/bot-config.js}"
@@ -63,8 +66,16 @@ RENOVATE_TOKEN=$(cat "$RENOVATE_TOKEN_FILE")
RENOVATE_CONFIG_FILE=/usr/src/app/config.js RENOVATE_CONFIG_FILE=/usr/src/app/config.js
LOG_LEVEL=${RENOVATE_LOG_LEVEL:-info} LOG_LEVEL=${RENOVATE_LOG_LEVEL:-info}
EFEOF EFEOF
if [ -r "$RENOVATE_GITHUB_COM_TOKEN_FILE" ]; then
{
printf 'RENOVATE_GITHUB_COM_TOKEN='
cat "$RENOVATE_GITHUB_COM_TOKEN_FILE"
printf '\n'
} >> "$ENV_FILE"
fi
chmod 600 "$ENV_FILE" chmod 600 "$ENV_FILE"
set +e
docker run --rm \ docker run --rm \
--name renovate-run \ --name renovate-run \
--add-host "git.kaleschke.info:$GITEA_HOST_LAN_IP" \ --add-host "git.kaleschke.info:$GITEA_HOST_LAN_IP" \
@@ -75,6 +86,7 @@ EFEOF
--env-file "$ENV_FILE" \ --env-file "$ENV_FILE" \
"$RENOVATE_IMAGE" 2>&1 "$RENOVATE_IMAGE" 2>&1
rc=$? rc=$?
set -e
shred -u "$ENV_FILE" 2>/dev/null || rm -f "$ENV_FILE" shred -u "$ENV_FILE" 2>/dev/null || rm -f "$ENV_FILE"
echo echo