played/workflows
4
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

ci(renovate): silence github.com rate limit + skip internal workflow ref

Browse Source 
Wire an optional read-only GITHUB_COM_TOKEN so Renovate can reach
api.github.com (changelogs + actions/checkout-style updates) without
rate limiting, and disable management of the internal Gitea reusable
workflow `played/workflows` (it's a @main ref, not a github.com action).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Enrico Bühler
2026-05-29 01:32:01 +02:00
parent ee51f4f032
commit 11de357074
3 changed files with 12 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/renovate.yml
+5
View File
@@ -47,12 +47,17 @@ jobs:
# Reuse the build-time npmrc so Renovate can resolve @played/* from # Reuse the build-time npmrc so Renovate can resolve @played/* from
# the Gitea registry. # the Gitea registry.
RENOVATE_NPMRC: ${{ secrets.NPMRC }} RENOVATE_NPMRC: ${{ secrets.NPMRC }}
# Read-only github.com PAT (no scopes needed for public data). Avoids
# api.github.com rate limits and enables changelogs + updates for the
# real github.com actions used in deploy.yml (actions/checkout, etc.).
GITHUB_COM_TOKEN: ${{ secrets.RENOVATE_GITHUB_COM_TOKEN }}
LOG_LEVEL: ${{ inputs.logLevel || 'info' }} LOG_LEVEL: ${{ inputs.logLevel || 'info' }}
RENOVATE_DRY_RUN: ${{ inputs.dryRun && 'full' || '' }} RENOVATE_DRY_RUN: ${{ inputs.dryRun && 'full' || '' }}
run: | run: |
docker run --rm \ docker run --rm \
-e RENOVATE_TOKEN \ -e RENOVATE_TOKEN \
-e RENOVATE_NPMRC \ -e RENOVATE_NPMRC \
-e GITHUB_COM_TOKEN \
-e LOG_LEVEL \ -e LOG_LEVEL \
-e RENOVATE_DRY_RUN \ -e RENOVATE_DRY_RUN \
-e RENOVATE_PLATFORM=gitea \ -e RENOVATE_PLATFORM=gitea \
README.md
+1
View File
@@ -54,6 +54,7 @@ Self-hosted [Renovate](https://docs.renovatebot.com) that keeps dependencies ali
1. Create a Gitea PAT — a dedicated `renovate` bot user is cleanest — with scopes `read:user`, `write:repository`, `write:issue`. Add it as the `RENOVATE_TOKEN` Actions secret (org-level, or on this repo). 1. Create a Gitea PAT — a dedicated `renovate` bot user is cleanest — with scopes `read:user`, `write:repository`, `write:issue`. Add it as the `RENOVATE_TOKEN` Actions secret (org-level, or on this repo).
2. Make sure the existing `NPMRC` secret (registry + `@played` auth) is visible to this repo's Actions run (org-level recommended) — Renovate uses it to look up `@played/*` versions. 2. Make sure the existing `NPMRC` secret (registry + `@played` auth) is visible to this repo's Actions run (org-level recommended) — Renovate uses it to look up `@played/*` versions.
- *Optional but recommended:* add `RENOVATE_GITHUB_COM_TOKEN` — a **read-only** github.com PAT (no scopes). It stops `api.github.com` rate-limit warnings and enables changelogs + updates for the github.com actions in `deploy.yml` (`actions/checkout`, `appleboy/ssh-action`, …).
3. Push, then run the workflow once (**Run workflow**). Renovate opens a "Configure Renovate" onboarding PR in each target repo that does `extends: ["local>played/workflows:renovate-config"]`; merge them to go live. 3. Push, then run the workflow once (**Run workflow**). Renovate opens a "Configure Renovate" onboarding PR in each target repo that does `extends: ["local>played/workflows:renovate-config"]`; merge them to go live.
### Target repos ### Target repos
renovate-config.json
+6
View File
@@ -15,6 +15,12 @@
"matchUpdateTypes": ["minor", "patch"], "matchUpdateTypes": ["minor", "patch"],
"matchPackageNames": ["!/^@played//"], "matchPackageNames": ["!/^@played//"],
"groupName": "non-major dependencies" "groupName": "non-major dependencies"
},
{
"description": "Internal Gitea reusable workflow (pinned @main) — not a github.com action, don't manage it.",
"matchManagers": ["github-actions"],
"matchPackageNames": ["played/workflows"],
"enabled": false
} }
], ],
"lockFileMaintenance": { "lockFileMaintenance": {