GitHub Action to run Renovate self-hosted.
| Badge | Description | Service |
|---|---|---|
 |
Code style | Prettier |
 |
Commit style | Conventional Commits |
 |
Dependencies | Renovate |
 |
Build | GitHub Actions |
Options can be passed using the inputs of this action or the corresponding environment variables. When both are passed, the input takes precedence over the environment variable. For the available environment variables see the Renovate Self-Hosted Configuration docs.
Configuration file to configure Renovate. The supported configurations files can be one of the configuration files listed in the Renovate Docs for Configuration Options or a JavaScript file that exports a configuration object. For both of these options, an example can be found in the example directory.
The configurations that can be done in this file consists of two parts, as listed below. Refer to the links to the Renovate Docs for all options.
The branchPrefix option is important to configure and should be configured to a value other than the default to prevent interference with e.g. the Renovate GitHub App.
If you want to use this with just the single configuration file, make sure to include the following two configuration lines. This disables the requirement of a configuration file for the repository and disables onboarding.
onboarding: false,
requireConfig: false,Allows to configure the regex to define which environment variables are passed to the renovate container. See Passing other environment variables section for more details.
Generate a personal access token, with the repo:public_repo scope for only public repositories or the repo scope for public and private repositories, and add it to Secrets (repository settings) as RENOVATE_TOKEN. You can also create a token without a specific scope, which gives read-only access to public repositories, for testing. This token is only used by Renovate, see the token configuration, and gives it access to the repositories. The name of the secret can be anything as long as it matches the argument given to the token option.
Note that the GITHUB_TOKEN secret can't be used for authenticating Renovate because it has too restrictive permissions. In particular, using the GITHUB_TOKEN to create a new Pull Request from more types of Github Workflows results in Pull Requests that do not trigger your Pull Request and Push CI events.
If you want to use the github-actions manager, you must setup a special token with some requirements.
The Renovate docker image name to use.
If omited or renovate-image === '' the action will use the ghcr.io/renovatebot/renovate docker image name otherwise.
If a docker image name is defined, the action will use that name to pull the image.
This sample will use myproxyhub.domain.com/renovate/renovate:slim image.
....
jobs:
renovate:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/[email protected]
- name: Self-hosted Renovate
uses: renovatebot/[email protected]
with:
renovate-image: myproxyhub.domain.com/renovate/renovate
token: ${{ secrets.RENOVATE_TOKEN }}This sample will use ghcr.io/renovatebot/renovate:slim image.
....
jobs:
renovate:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/[email protected]
- name: Self-hosted Renovate
uses: renovatebot/[email protected]
with:
token: ${{ secrets.RENOVATE_TOKEN }}The Renovate version to use.
If omited and useSlim !== false the action will use the slim docker tag and the latest tag otherwise.
If a version is definded, the action will add -slim suffix to the tag if useSlim !== false.
Checkout docker hub for available tag.
This sample will use ghcr.io/renovatebot/renovate:35.0.0-slim image.
....
jobs:
renovate:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/[email protected]
- name: Self-hosted Renovate
uses: renovatebot/[email protected]
with:
renovate-version: 35.0.0
token: ${{ secrets.RENOVATE_TOKEN }}This sample will use ghcr.io/renovatebot/renovate:latest image.
....
jobs:
renovate:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/[email protected]
- name: Self-hosted Renovate
uses: renovatebot/[email protected]
with:
useSlim: false
token: ${{ secrets.RENOVATE_TOKEN }}If set to false the action will use the full renovate image instead of the slim image.
This example uses a personal access token and will run every 15 minutes. The personal access token is configured as a GitHub secret named RENOVATE_TOKEN. This example uses the example/renovate-config.js file as configuration.
You can also see a live example of this action in my github-renovate repository, which also includes a more advanced configuration for updating GitHub Action workflows.
Remark Update the action version to the most current, see here for latest release.
name: Renovate
on:
schedule:
# The "*" (#42, asterisk) character has special semantics in YAML, so this
# string has to be quoted.
- cron: '0/15 * * * *'
jobs:
renovate:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/[email protected]
- name: Self-hosted Renovate
uses: renovatebot/[email protected]
with:
configurationFile: example/renovate-config.js
token: ${{ secrets.RENOVATE_TOKEN }}If you want to use the Renovate Action on a GitHub Enterprise instance you have to add the following environment variable:
....
- name: Self-hosted Renovate
uses: renovatebot/[email protected]
with:
configurationFile: example/renovate-config.js
token: ${{ secrets.RENOVATE_TOKEN }}
env:
RENOVATE_ENDPOINT: "https://git.your-company.com/api/v3"Instead of using a Personal Access Token (PAT) that is tied to a particular user you can use a GitHub App where permissions can be even better tuned. Create a new app and configure the app permissions and your config.js as described in the Renovate documentation.
Generate and download a new private key for the app, adding the contents of the downloaded .pem file to Secrets (repository settings) with the name private_key and app ID as a secret with name app_id.
Adjust your Renovate configuration file to specify the username of your bot.
Going forward we will be using the tibdex/github-app-token action in order to exchange the GitHub App certificate for an access token that renovate can use.
The final workflow will look like this:
name: Renovate
on:
schedule:
# The "*" (#42, asterisk) character has special semantics in YAML, so this
# string has to be quoted.
- cron: '0/15 * * * *'
jobs:
renovate:
runs-on: ubuntu-latest
steps:
- name: Get token
id: get_token
uses: tibdex/github-app-token@v1
with:
private_key: ${{ secrets.private_key }}
app_id: ${{ secrets.app_id }}
- name: Checkout
uses: actions/[email protected]
- name: Self-hosted Renovate
uses: renovatebot/[email protected]
with:
configurationFile: example/renovate-config.js
token: '${{ steps.get_token.outputs.token }}'If you wish to pass through environment variables through to the Docker Run that powers this action you need to prefix the environment variable with RENOVATE_.
For example if you wish to pass through some credentials for a host rule to the config.js then you should do so like this.
-
In your workflow pass in the environment variable
.... jobs: renovate: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/[email protected] - name: Self-hosted Renovate uses: renovatebot/[email protected] with: configurationFile: example/renovate-config.js token: ${{ secrets.RENOVATE_TOKEN }} env: RENOVATE_TFE_TOKEN: ${{ secrets.MY_TFE_TOKEN }}
-
In
example/renovate-config.jsinclude the hostRules blockmodule.exports = { hostRules: [ { hostType: 'terraform-module', matchHost: 'app.terraform.io', token: process.env.RENOVATE_TFE_TOKEN, }, ], };
If you want to pass other variables to the Docker container use the env-regex input to override the regular expression that is used to allow environment variables.
In your workflow pass the environment variable and whitelist it by specifying the env-regex:
....
jobs:
renovate:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/[email protected]
- name: Self-hosted Renovate
uses: renovatebot/[email protected]
with:
configurationFile: example/renovate-config.js
token: ${{ secrets.RENOVATE_TOKEN }}
env-regex: "^(?:RENOVATE_\\w+|LOG_LEVEL|GITHUB_COM_TOKEN|NODE_OPTIONS|AWS_TOKEN)$"
env:
AWS_TOKEN: ${{ secrets.AWS_TOKEN }}In case of issues, it's always a good idea to enable debug logging first.
To enable debug logging, add the environment variable LOG_LEVEL: 'debug' to the action:
- name: Self-hosted Renovate
uses: renovatebot/[email protected]
with:
configurationFile: example/renovate-config.js
token: ${{ secrets.RENOVATE_TOKEN }}
env:
LOG_LEVEL: 'debug'If you want to use the github-actions manager in Renovate, ensure that the token you provide contains the workflow scope.
Otherwise, GitHub does not allow Renovate to update worklow files and therefore it will be unable to create update PRs for affected packages (like actions/checkout or renovatebot/github-action itself).
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "renovate[bot]")
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "github-actions[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent