From 11de3570746fb77d490330d446d1364737702db6 Mon Sep 17 00:00:00 2001
From: enricobuehler
Date: Fri, 29 May 2026 01:32:01 +0200
Subject: [PATCH] ci(renovate): silence github.com rate limit + skip internal workflow ref

Wire an optional read-only GITHUB_COM_TOKEN so Renovate can reach api.github.com (changelogs + actions/checkout-style updates) without rate limiting, and disable management of the internal Gitea reusable workflow `played/workflows` (it's a @main ref, not a github.com action).

Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/renovate.yml | 5 +++++
 README.md | 1 +
 renovate-config.json | 6 ++++++
 3 files changed, 12 insertions(+)

diff --git a/.gitea/workflows/renovate.yml b/.gitea/workflows/renovate.yml
index 18b11b6..7ebf137 100644
--- a/.gitea/workflows/renovate.yml
+++ b/.gitea/workflows/renovate.yml
@@ -47,12 +47,17 @@ jobs:
 # Reuse the build-time npmrc so Renovate can resolve @played/* from
 # the Gitea registry.
 RENOVATE_NPMRC: ${{ secrets.NPMRC }}
+ # Read-only github.com PAT (no scopes needed for public data). Avoids
+ # api.github.com rate limits and enables changelogs + updates for the
+ # real github.com actions used in deploy.yml (actions/checkout, etc.).
+ GITHUB_COM_TOKEN: ${{ secrets.RENOVATE_GITHUB_COM_TOKEN }}
 LOG_LEVEL: ${{ inputs.logLevel || 'info' }}
 RENOVATE_DRY_RUN: ${{ inputs.dryRun && 'full' || '' }}
 run: |
 docker run --rm \
 -e RENOVATE_TOKEN \
 -e RENOVATE_NPMRC \
+ -e GITHUB_COM_TOKEN \
 -e LOG_LEVEL \
 -e RENOVATE_DRY_RUN \
 -e RENOVATE_PLATFORM=gitea \
diff --git a/README.md b/README.md
index 23b4fb9..651898a 100644
--- a/README.md
+++ b/README.md
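Review bot: The added `-e GITHUB_COM_TOKEN \` line forwards the variable into the container unconditionally, yet the secret is described as optional; when `RENOVATE_GITHUB_COM_TOKEN` is not configured the step env still defines `GITHUB_COM_TOKEN` as an empty string, so Renovate sees it set-but-empty. Whether Renovate ignores an empty value or treats it as a configured github.com credential should be confirmed; a shell guard sidesteps the question: `${GITHUB_COM_TOKEN:+-e GITHUB_COM_TOKEN} \`. The new comment would also be more useful if it named the intended token shape next to where it is consumed, e.g. `# Classic PAT with no scopes, or fine-grained PAT limited to public repos, with an expiry — never repo/workflow scope.` so a later reader does not reach for a broader token to fix a rate-limit warning. The enclosing job and step start outside the hunk.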
@@ -54,6 +54,7 @@ Self-hosted [Renovate](https://docs.renovatebot.com) that keeps dependencies ali 1. Create a Gitea PAT — a dedicated `renovate` bot user is cleanest — with scopes `read:user`, `write:repository`, `write:issue`. Add it as the `RENOVATE_TOKEN` Actions secret (org-level, or on this repo). 2. Make sure the existing `NPMRC` secret (registry + `@played` auth) is visible to this repo's Actions run (org-level recommended) — Renovate uses it to look up `@played/*` versions. + - *Optional but recommended:* add `RENOVATE_GITHUB_COM_TOKEN` — a **read-only** github.com PAT (no scopes). It stops `api.github.com` rate-limit warnings and enables changelogs + updates for the github.com actions in `deploy.yml` (`actions/checkout`, `appleboy/ssh-action`, …). 3. Push, then run the workflow once (**Run workflow**). Renovate opens a "Configure Renovate" onboarding PR in each target repo that does `extends: ["local>played/workflows:renovate-config"]`; merge them to go live. ### Target repos diff --git a/renovate-config.json b/renovate-config.json index 79e4352..579b762 100644 --- a/renovate-config.json +++ b/renovate-config.json @@ -15,6 +15,12 @@ "matchUpdateTypes": ["minor", "patch"], "matchPackageNames": ["!/^@played//"], "groupName": "non-major dependencies" + }, + { + "description": "Internal Gitea reusable workflow (pinned @main) — not a github.com action, don't manage it.", + "matchManagers": ["github-actions"], + "matchPackageNames": ["played/workflows"], + "enabled": false } ], "lockFileMaintenance": {
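Review bot: The new rule's description calls the `played/workflows` reference "pinned @main", but a branch ref is a floating reference rather than a pin, and with `"enabled": false` Renovate stops surfacing it entirely, so the wording should not imply immutability: `"description": "Internal Gitea reusable workflow referenced via a floating @main branch ref — not a github.com action, so Renovate must not try to manage it."`. The rule also assumes the github-actions manager reports the reusable workflow's package name as exactly `played/workflows` with no workflow-file path appended; if the extracted name carries the path, `matchPackageNames` never matches and the rule is a silent no-op, which a `RENOVATE_DRY_RUN` pass would reveal in the log. A prefix pattern in the slash regex syntax the file already uses for `@played` would cover both forms: `"matchPackageNames": ["/^played\\/workflows/"]`. The `packageRules` array this object belongs to begins before the hunk.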