renovatebot / github-action
License: Other
Hello guys.
I'm trying to configure Renovate GH Action with GH App token, but I'm getting the "Authentication failure":
DEBUG: Found valid git version: 2.36.0
DEBUG: Using default github endpoint: https://api.github.com/
DEBUG: GitHub failure: Resource not accessible by integration
"err": {
"name": "HTTPError",
"code": "ERR_NON_2XX_3XX_RESPONSE",
"timings": {
"start": 1652761788363,
"socket": 1652761788365,
"lookup": 1652761788385,
"connect": 1652761788418,
"secureConnect": 1652761788454,
"upload": 1652761788454,
"x-frame-options": "deny",
"x-content-type-options": "nosniff",
"x-xss-protection": "0",
"referrer-policy": "origin-when-cross-origin, strict-origin-when-cross-origin",
"content-security-policy": "default-src 'none'",
"vary": "Accept-Encoding, Accept, X-Requested-With",
"content-encoding": "gzip",
"x-github-request-id": "07C0:1215:12ABBB:3E1C26:628324BC",
"connection": "close"
},
"httpVersion": "1.1"
}
}
DEBUG: Error authenticating with GitHub
"err": {
"message": "integration-unauthorized",
"stack": "Error: integration-unauthorized\n at handleGotError (/usr/src/app/node_modules/renovate/lib/util/http/github.ts:115:12)\n at GithubHttp.request (/usr/src/app/node_modules/renovate/lib/util/http/github.ts:336:13)\n at processTicksAndRejections (node:internal/process/task_queues:96:5)\n at GithubHttp.requestJson (/usr/src/app/node_modules/renovate/lib/util/http/index.ts:221:17)\n at getUserDetails (/usr/src/app/node_modules/renovate/lib/modules/platform/github/user.ts:13:7)\n at Proxy.initPlatform (/usr/src/app/node_modules/renovate/lib/modules/platform/github/index.ts:138:36)\n at initPlatform (/usr/src/app/node_modules/renovate/lib/modules/platform/index.ts:47:24)\n at globalInitialize (/usr/src/app/node_modules/renovate/lib/workers/global/initialize.ts:58:12)\n at Object.start (/usr/src/app/node_modules/renovate/lib/workers/global/index.ts:117:14)\n at /usr/src/app/node_modules/renovate/lib/renovate.ts:16:22"
}
FATAL: Authentication failure
DEBUG: Renovate exiting
INFO: Renovate is exiting with a non-zero code due to the following logged errors
"loggerErrors": [
{
"name": "renovate",
"level": 60,
"logContext": "a_X5GDj50KffxveKqItnC",
"msg": "Authentication failure"
}
]
I created the new GH App with the permissions described here and let the GH App operate on my repository, but I'm not able to find the root cause of the error.
My GH App permissions:
This is my renovate workload:
name: Renovate
on:
  workflow_dispatch:
    inputs:
      dryRun:
        type: choice
        description: "Dry-Run"
        default: "false"
        options:
          - true
          - false
        required: false
      logLevel:
        type: choice
        description: "Log-Level"
        default: "debug"
        options:
          - info
          - debug
          - trace
        required: false
  push:
    branches:
      - main
    paths:
      - ".github/renovate.json5"
  # schedule:
  #   - cron: "0 * * * *"
env:
  LOG_LEVEL: info
  RENOVATE_DRY_RUN: false
  RENOVATE_REPOSITORIES: ${{ github.repository }}
  RENOVATE_CONFIG_FILE: .github/renovate.json5
jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Generate Token
        uses: tibdex/github-app-token@v1
        id: generate-token
        with:
          app_id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }}
          private_key: "${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}"
      - name: Override default config from dispatch variables
        run: |
          echo "RENOVATE_DRY_RUN=${{ github.event.inputs.dryRun || env.RENOVATE_DRY_RUN }}" | tee -a "${GITHUB_ENV}"
          echo "LOG_LEVEL=${{ github.event.inputs.logLevel || env.LOG_LEVEL }}" | tee -a "${GITHUB_ENV}"
          echo "RENOVATE_BASE_BRANCHES=${GITHUB_REF##*/}" | tee -a "${GITHUB_ENV}"
      - name: Self-hosted Renovate
        uses: renovatebot/[email protected]
        with:
          configurationFile: "${{ env.RENOVATE_CONFIG_FILE }}"
          token: "x-access-token:${{ steps.generate-token.outputs.token }}"
Here is a link to the whole log / repository:
https://github.com/ruzickap/test123/runs/6464380508?check_suite_focus=true
Any ideas are welcome...
Thank you...
@rarkins Could you create a personal access token (perhaps of the renovatebot user, or a different bot user) without any specific rights. That PAT should be added as a GitHub secret named RENOVATE_TOKEN. That would fix the example (or more accurately the self-test).
Self-hosted
Latest
GitHub Enterprise Server
3.2.6
Hello,
We are running Renovate self-hosted in our GHES instance but discovered a strange bug - when Renovate App is added to only 1 organization, the renovate bot works fine, but when added to one more, the first one starts giving no push permission messages and the second one works fine and creates PRs. Hope you can take a look!
Best Regards,
Kristiyan
2022-01-25T14:51:57.5665505Z WARN: Error updating branch (repository=C2E/bas-copy-2, branch=renovate/com.h2database-h2-1.x)
2022-01-25T14:51:57.5666311Z "err": {
2022-01-25T14:51:57.5666757Z "task": {
2022-01-25T14:51:57.5667211Z "commands": [
2022-01-25T14:51:57.5667659Z "push",
2022-01-25T14:51:57.5668109Z "origin",
2022-01-25T14:51:57.5669103Z "renovate/com.h2database-h2-1.x:renovate/com.h2database-h2-1.x",
2022-01-25T14:51:57.5670040Z "--force-with-lease",
2022-01-25T14:51:57.5670793Z "-u",
2022-01-25T14:51:57.5671374Z "--no-verify",
2022-01-25T14:51:57.5671952Z "--verbose",
2022-01-25T14:51:57.5672514Z "--porcelain"
2022-01-25T14:51:57.5672980Z ],
2022-01-25T14:51:57.5673515Z "format": "utf-8",
2022-01-25T14:51:57.5674003Z "parser": "[function]"
2022-01-25T14:51:57.5674476Z },
2022-01-25T14:51:57.5676312Z "message": "Pushing to https://private.domain.com/C2E/bas-copy-2.git\nremote: Permission to C2E/bas-copy-2.git denied to renovate-bot[bot].\nfatal: unable to access 'https://private.domain.com/C2E/bas-copy-2.git/': The requested URL returned error: 403\n",
2022-01-25T14:51:57.5683106Z "stack": "Error: Pushing to https://private.domain.com/C2E/bas-copy-2.git\nremote: Permission to C2E/bas-copy-2.git denied to renovate-bot[bot].\nfatal: unable to access 'https://private.domain.com/C2E/bas-copy-2.git/': The requested URL returned error: 403\n\n at Object.action (/usr/src/app/node_modules/simple-git/src/lib/plugins/error-detection.plugin.ts:38:28)\n at PluginStore.exec (/usr/src/app/node_modules/simple-git/src/lib/plugins/plugin-store.ts:24:29)\n at /usr/src/app/node_modules/simple-git/src/lib/runners/git-executor-chain.ts:114:40\n at new Promise (<anonymous>)\n at GitExecutorChain.handleTaskData (/usr/src/app/node_modules/simple-git/src/lib/runners/git-executor-chain.ts:111:14)\n at GitExecutorChain.<anonymous> (/usr/src/app/node_modules/simple-git/src/lib/runners/git-executor-chain.ts:88:40)\n at Generator.next (<anonymous>)\n at fulfilled (/usr/src/app/node_modules/simple-git/src/lib/runners/git-executor-chain.js:5:58)\n at processTicksAndRejections (internal/process/task_queues.js:95:5)"
2022-01-25T14:51:57.5687636Z }
No reproduction repository
Following renovatebot/renovate#5881,
When a user doesn't pass the configurationFile attribute, it should use an empty configuration and rely only on the renovate.json configuration.
Avoiding two files configuration :)
I currently have the log level configured via the renovate-config.js file in this way:
module.exports = {
...
logLevel: 'debug'
};
However setting the log level via the Renovate configuration file is deprecated according to the documentation. Instead you should use the LOG_LEVEL environment variable. I tried that by adding the following lines to the Renovate step of my workflow:
env:
  LOG_LEVEL: 'debug'
Unfortunately this doesn't seem to affect Renovate's behaviour. I think this is because the environment variable isn't passed through into the container. If someone can confirm this, I'm happy to raise a PR for the fix.
Setting GOPROXY: "https://proxy.golang.org,direct" on the renovatebot/[email protected] has no effect to the executed "gomod" command. I see this in my logs in GitHub Actions:
"cmd": "/bin/sh -c docker run --rm --name=renovate_go --label=renovate_child -v \"/tmp/renovate/repos/github/Cinemo-GmbH/pace\":\"/tmp/renovate/repos/github/Cinemo-GmbH/pace\" -v \"/tmp/renovate/cache\":\"/tmp/renovate/cache\" -e GOPATH -e GOFLAGS -e CGO_ENABLED -e GIT_CONFIG_KEY_0 -e GIT_CONFIG_VALUE_0 -e GIT_CONFIG_KEY_1 -e GIT_CONFIG_VALUE_1 -e GIT_CONFIG_KEY_2 -e GIT_CONFIG_VALUE_2 -e GIT_CONFIG_COUNT -e BUILDPACK_CACHE_DIR -w \"/tmp/renovate/repos/github/Cinemo-GmbH/pace\" docker.io/renovate/go:1.19.0 bash -l -c \"go get -d -t ./... && go mod tidy && go mod tidy\"",
It seems like -e GOPROXY is just missing.
Not sure if this is a duplicate of #585, but as you have already a very long Golang specific list of env variables that are forwarded, I've created this ticket.
Because I need renovate to run a custom script to repin my rust deps, I've set up a GitHub action as per the instructions on the GitHub page. However, when it makes any pull request, it makes it as me and says "does not recognize the last commit author" (example), preventing it from updating the PRs automatically. Have I done something wrong? How do I fix this? HEAD
Say I have a Renovate config that requires an environment variable to be set in order to access a private repository:
module.exports = {
hostRules: [
{
matchHost: "https://pypi.example.com/simple",
username: "foo",
password: process.env.PYPI_SECRET,
},
],
};
Using the Docker slim image, I would be able to pass the environment variable like so:
$ docker run --rm -e PYPI_SECRET=$PYPI_SECRET ... renovate/renovate:slim
On Renovate GitHub action, support for environment variables has been added in #534, but as of today, it's only possible to pass environment variables starting with RENOVATE_, or being exactly LOG_LEVEL and GITHUB_COM_TOKEN, as per this regex.
This makes it not possible to pass an arbitrary environment variable, like PYPI_SECRET in the example.
For the example to work, I believe that the expected environment variable could be renamed to RENOVATE_PYPI_SECRET, but doing that, depending on the environment variable name, we may risk colliding with a renovate configuration option being passed as an environment variable.
Alternatively, a stringified RENOVATE_CONFIG environment variable containing the secret could be passed, but if I'm not mistaken, this fully replaces the configuration file being provided, rather than merging the content of both RENOVATE_CONFIG and the configuration file.
Correct me if I'm wrong, but I believe that we limit the environment variables that are retrieved because technically, environment variables in GitHub Actions workflows can be defined in different parts of the workflows (specific steps, jobs, or for the whole workflow), so by accepting everything, we would risk passing environment variables the user may not want to.
Is there any other way we could pass environment variables we explicitly want to docker run?
One thing in mind that may be ugly could be to add an optional environmentVariables field in the accepted inputs, where the user would be able to pass a stringified version of the environment variables keys and values.
Otherwise, maybe an optional allowedEnvironmentVariables where a user would write down the environment variables to retrieve from the step/job/workflow, additionally to the ones already in the regex?
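The allowlist idea from the post above, as an added example that is not code from renovatebot/github-action: the default pattern is constructed from the post's description of the regex, and `allowedEnvironmentVariables`, `parseAllowList`, `selectEnv` and `dockerEnvArgs` are hypothetical names. Variables are forwarded by name only (`-e NAME`), the same form the `docker run` command in the GOPROXY report uses, so secret values stay out of the logged command line.

```javascript
// Added example: hypothetical helper, not code from renovatebot/github-action.

// Constructed from the post's description of the action's filter: names that
// start with RENOVATE_, or are exactly LOG_LEVEL or GITHUB_COM_TOKEN.
const DEFAULT_PASSTHROUGH = /^(?:RENOVATE_\w+|LOG_LEVEL|GITHUB_COM_TOKEN)$/;

// Only plain variable names are accepted in the allowlist: no globs and no
// NAME=value pairs, so a typo cannot widen what reaches the container.
const VALID_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Parse the hypothetical `allowedEnvironmentVariables` input: names separated
// by commas and/or whitespace (including newlines).
function parseAllowList(input) {
  const names = String(input || '')
    .split(/[\s,]+/)
    .filter((name) => name.length > 0);
  for (const name of names) {
    if (!VALID_NAME.test(name)) {
      throw new Error(
        `invalid environment variable name in allowlist: ${JSON.stringify(name)}`
      );
    }
  }
  return new Set(names);
}

// Split the step's environment into what is forwarded and what is withheld.
function selectEnv(env, allowListInput) {
  const allowed = parseAllowList(allowListInput);
  const forwarded = [];
  const withheld = [];
  for (const name of Object.keys(env).sort()) {
    if (DEFAULT_PASSTHROUGH.test(name) || allowed.has(name)) {
      forwarded.push(name);
    } else {
      withheld.push(name);
    }
  }
  // Allowlisted names that are not set usually mean a missing secret or a typo.
  const missing = [...allowed]
    .filter((name) => !Object.prototype.hasOwnProperty.call(env, name))
    .sort();
  return { forwarded, withheld, missing };
}

// Build `docker run` arguments. `-e NAME` without a value makes docker copy the
// value from the calling process, so the secret never appears in the command.
function dockerEnvArgs(env, allowListInput) {
  const { forwarded } = selectEnv(env, allowListInput);
  return forwarded.flatMap((name) => ['-e', name]);
}

// Constructed sample environment for a workflow step.
const sampleEnv = {
  RENOVATE_TOKEN: 'constructed-token',
  LOG_LEVEL: 'debug',
  PYPI_SECRET: 'constructed-secret',
  GOPROXY: 'https://proxy.golang.org,direct',
  AWS_SECRET_ACCESS_KEY: 'constructed-unrelated-secret',
  HOME: '/home/runner',
};

// Default filter only: PYPI_SECRET and GOPROXY are not forwarded.
console.log(dockerEnvArgs(sampleEnv, '').join(' '));
// With an explicit allowlist: only the named extras are added.
console.log(dockerEnvArgs(sampleEnv, 'PYPI_SECRET\nGOPROXY').join(' '));
// Report of what was withheld and which allowlisted names were not set.
console.log(selectEnv(sampleEnv, 'PYPI_SECRET, NOT_SET'));
```

Unrelated secrets defined at job or workflow level (here the constructed AWS_SECRET_ACCESS_KEY) stay out of the container unless they are named explicitly, which addresses the concern the post raises about accepting everything.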
When using Renovate self-hosted, with a GitHub App, we're hitting credentials errors:
WARN: Bad credentials - aborting (repository={org}/{repo})
In this case, we're using --autodiscover, on a GitHub organisation with ~2000 repos.
GitHub App Authentication expires after 1 hour (source).
It may also be helpful to handle the authentication in Renovate's Action itself, so in the case an error is detected, we can break out and handle this appropriately before re-starting.
Hi,
I was having an issue with Artifact upload failing on Renovate used in Github Action. I switched to this official Github Action but with no luck, as I am still having this issue.
Here is the Github comment by renovate :
⚠️ Artifact update problem
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻️ Renovate will retry this branch, including artifacts, only when one of the following happens:
any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you check the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually
The artifact failure details are included below:
File name: yarn.lock
Error: EACCES: permission denied, mkdir '/github/home/.npm'
warning "workspace-aggregator-b6da7d63-b201-4798-9504-fb7c1e7f651a > @nextbot/admin > antd > [email protected]" has unmet peer dependency "dayjs@^1.8.18".
warning Ignored scripts due to flag.
/bin/sh: 1: /github/home/.npm/[email protected]/bin/lerna: not found
And here is the complete Renovate log :
INFO: Repository started (repository=Djiit/nextbot)
"renovateVersion": "19.189.0"
INFO: Extraction statistics (repository=Djiit/nextbot)
"stats": {
"managers": {
"dockerfile": {"fileCount": 1, "depCount": 2},
"npm": {"fileCount": 3, "depCount": 30},
"nvm": {"fileCount": 1, "depCount": 1}
},
"fileCount": 5,
"depCount": 33
}
INFO: Branch created (repository=Djiit/nextbot, branch=renovate/jest-25.1.x)
"commitHash": "cd9e6bf"
INFO: PR created (repository=Djiit/nextbot, branch=renovate/jest-25.1.x)
"pr": 55,
"prTitle": "⬆️ Update dependency @types/jest to v25.1.5"
WARN: artifactErrors (repository=Djiit/nextbot, branch=renovate/jest-25.1.x)
"artifactErrors": [
{
"lockFile": "yarn.lock",
"stderr": "Error: EACCES: permission denied, mkdir '/github/home/.npm'\nwarning \"workspace-aggregator-b6da7d63-b201-4798-9504-fb7c1e7f651a > @nextbot/admin > antd > [email protected]\" has unmet peer dependency \"dayjs@^1.8.18\".\nwarning Ignored scripts due to flag.\n/bin/sh: 1: /github/home/.npm/[email protected]/bin/lerna: not found\n"
}
]
Unfortunately this one is not a public repo so I won't be able to give you access to a reproducible example soon.
It seems to be complaining about lerna not being here (FYI I used lerna from the project dependencies, like in yarn lerna and not just lerna)
Happy to help debug this :) Thanks !
According to the documentation:
Note that the GITHUB_TOKEN secret can't be used for authenticating Renovate.
However, it is not explained why this is the case.
Renovate should theoretically only need read-write access to the repository content and pull-requests in which the action is run, so why does it need more permissions than that?
If there is a simple explanation, the docs could probably be updated with it for future reference
Idea:
command option, which is renovate by default and can be validate for validation mode
validateFiles options for additional files to validate (colon / pipe separated glob patterns)
We have three dependency dashboards on this repository:
renovate account
ghost account
ghost account
I checked the closed issues, and @rarkins recently closed another ghost dashboard.
I don't know why we ended up with those extra dashboards.
May I suggest we use renovate.config.js as a default (or suggestion) ? Having this as an official standard would enable such things as VSCode using the right icon (vscode-icons/vscode-icons#2445)
Originally posted by @Djiit in #6 (comment)
We noticed that since some time, Renovate no longer updates itself (the Github Action) by creating PRs for the renovatebot/github-action@xxx versions. Back some time last year, it did indeed update itself.
We have the github-actions manager activated. Also, as far as I understood from the changelog, docker major updates are now enabled by default beginning with renovatebot v25.
Here's our Github Actions workflow:
jobs:
  renovate:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Renovate
        uses: renovatebot/[email protected]
        with:
          configurationFile: renovate.config.js
          token: ${{ secrets.RENOVATE_TOKEN }}
And here are our configs:
renovate.json
{
"extends": [
"config:base",
":timezone(Europe/Amsterdam)"
],
"ignorePresets": [
":prHourlyLimit2"
],
"lockFileMaintenance": {
"enabled": true,
"schedule": ["after 2pm and before 5pm on Wednesday"]
},
"major": {
"stabilityDays": 3
},
"rangeStrategy": "bump",
"prCreation": "not-pending",
"assignees": [
...........................
],
"assigneesSampleSize": 1
}
renovate.config.js:
const branchName = "auto-dep-update";
module.exports = {
branchPrefix: `${branchName}/`,
enabledManagers: ["github-actions", "npm"],
gitAuthor: "--------------NAME---------------------",
logLevel: "info",
onboarding: true,
onboardingBranch: `${branchName}/configure`,
platform: "github",
schedule: ["after 9am and before 4pm on Wednesday"],
regexManagers: [],
repositories: [------OURREPO----],
rebaseWhen: "behind-base-branch",
ignoreDeps: [],
packageRules: [
{
packageNames: ["node", "@types/node"],
allowedVersions: "^14.0.0",
},
{
packageNames: ["npm"],
allowedVersions: "^6.0.0",
},
],
};
Prior we used renovate v23.68.0 and it did not create update PRs for v24.x or v25.x.
Also, now after manually updating the action to v25.13.0, it does not create an update PR for the update to v25.16.1.
Was there any configuration setting changed that now needs to be enabled again that we missed so that renovate again creates updates for github-actions?
Actually, I'm not sure if only the renovatebot/github-action is affected or if generally no action updates are performed at all.
But as said, some time in the past this worked.
Edit: It seems to have stopped since it updated itself to v23.68.0
We're using GitHub Enterprise Cloud. Following the guide, I've setup a GitHub app and stored the APP_ID and APP_PEM to the repository -> GitHub Actions secrets.
I've configured the following permissions on the app, and installed the app to the organisation:
Permission | Level |
---|---|
Contents | Read & write |
Metadata | Read-only |
Pull requests | Read & write |
Workflows | Read & write |
When the action / workflow runs, I see the following error at the "Self-hosted Renovate" step. It's failing to query the https://api.github.com/user endpoint.
As a sanity test, to prove it's not the APP_ID / APP_PEM, when running with an invalid APP_ID I receive an error at the "Get token" step (as expected):
and when the APP_PEM is not in base64 format the message differs:
Full log output is:
Status: Downloaded newer image for renovate/renovate:34.29.1-slim
DEBUG: Using RE2 as regex engine
DEBUG: Parsing configs
DEBUG: Checking for config file in /github-action/renovate-config.js
DEBUG: File config
"config": {
"branchPrefix": "ourname-renovate/",
"dryRun": "full",
"gitAuthor": "Renovate Bot <[email protected]>",
"onboarding": false,
"requireConfig": "optional",
"platform": "github",
"includeForks": true,
"repositories": [
"ourorg/a-valid-repo-name",
"ourorg/another-valid-repo-name"
],
"packageRules": [
{
"description": "lockFileMaintenance",
"matchUpdateTypes": [
"pin",
"digest",
"patch",
"minor",
"major",
"lockFileMaintenance"
],
"dependencyDashboardApproval": false,
"stabilityDays": 0
}
]
}
DEBUG: CLI config
"config": {}
DEBUG: Env config
"config": {"hostRules": [], "binarySource": "docker", "token": "***********"}
DEBUG: Combined config
"config": {
"branchPrefix": "ourname-renovate/",
"dryRun": "full",
"gitAuthor": "Renovate Bot <[email protected]>",
"onboarding": false,
"requireConfig": "optional",
"platform": "github",
"includeForks": true,
"repositories": [
"ourorg/a-valid-repo-name",,
ourorg/another-valid-repo-name"
],
"packageRules": [
{
"description": "lockFileMaintenance",
"matchUpdateTypes": [
"pin",
"digest",
"patch",
"minor",
"major",
"lockFileMaintenance"
],
"dependencyDashboardApproval": false,
"stabilityDays": 0
}
],
"hostRules": [],
"binarySource": "docker",
"token": "***********"
}
DEBUG: Found valid git version: 2.38.1
DEBUG: Using default github endpoint: https://api.github.com/
DEBUG: GET https://api.github.com/user = (code=ERR_NON_2XX_3XX_RESPONSE, statusCode=403 retryCount=0, duration=160)
DEBUG: GitHub failure: Resource not accessible by integration
"err": {
"name": "HTTPError",
"code": "ERR_NON_2XX_3XX_RESPONSE",
"timings": {
"start": 1669352526004,
"socket": 1669352526007,
"lookup": 1669352526009,
"connect": 1669352526042,
"secureConnect": 1669352526078,
"upload": 1669352526078,
"response": 1669352526158,
"end": 1669352526164,
"phases": {
"wait": 3,
"dns": 2,
"tcp": 33,
"tls": 36,
"request": 0,
"firstByte": 80,
"download": 6,
"total": 160
}
},
"message": "Response code 403 (Forbidden)",
"stack": "HTTPError: Response code 403 (Forbidden)\n at Request.<anonymous> (/usr/src/app/node_modules/got/dist/source/as-promise/index.js:118:42)\n at processTicksAndRejections (node:internal/process/task_queues:96:5)",
"options": {
"headers": {
"user-agent": "RenovateBot/34.29.1 (https://github.com/renovatebot/renovate)",
"accept": "application/vnd.github.machine-man-preview+json",
"authorization": "***********",
"accept-encoding": "gzip, deflate, br"
},
"url": "https://api.github.com/user",
"hostType": "github",
"username": "",
"password": "",
"method": "GET",
"http2": false
},
"response": {
"statusCode": 403,
"statusMessage": "Forbidden",
"body": {
"message": "Resource not accessible by integration",
"documentation_url": "https://docs.github.com/rest/reference/users#get-the-authenticated-user"
},
"headers": {
"server": "GitHub.com",
"date": "Fri, 25 Nov 2022 05:02:06 GMT",
"content-type": "application/json; charset=utf-8",
"transfer-encoding": "chunked",
"x-github-media-type": "github.v3; param=machine-man-preview; format=json",
"x-ratelimit-limit": "15000",
"x-ratelimit-remaining": "14999",
"x-ratelimit-reset": "1669356126",
"x-ratelimit-used": "1",
"x-ratelimit-resource": "core",
"access-control-expose-headers": "ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset",
"access-control-allow-origin": "*",
"strict-transport-security": "max-age=31536000; includeSubdomains; preload",
"x-frame-options": "deny",
"x-content-type-options": "nosniff",
"x-xss-protection": "0",
"referrer-policy": "origin-when-cross-origin, strict-origin-when-cross-origin",
"content-security-policy": "default-src 'none'",
"vary": "Accept-Encoding, Accept, X-Requested-With",
"content-encoding": "gzip",
"x-github-request-id": "0780:47B9:5F8F8C:C541B8:63804C4E",
"connection": "close"
},
"httpVersion": "1.1",
"retryCount": 0
}
}
DEBUG: Error authenticating with GitHub
"err": {
"message": "integration-unauthorized",
"stack": "Error: integration-unauthorized\n at handleGotError (/usr/src/app/node_modules/renovate/lib/util/http/github.ts:116:12)\n at GithubHttp.request (/usr/src/app/node_modules/renovate/lib/util/http/github.ts:353:13)\n at processTicksAndRejections (node:internal/process/task_queues:96:5)\n at GithubHttp.requestJson (/usr/src/app/node_modules/renovate/lib/util/http/index.ts:251:17)\n at getUserDetails (/usr/src/app/node_modules/renovate/lib/modules/platform/github/user.ts:13:7)\n at Proxy.initPlatform (/usr/src/app/node_modules/renovate/lib/modules/platform/github/index.ts:148:36)\n at initPlatform (/usr/src/app/node_modules/renovate/lib/modules/platform/index.ts:46:24)\n at globalInitialize (/usr/src/app/node_modules/renovate/lib/workers/global/initialize.ts:71:12)\n at /usr/src/app/node_modules/renovate/lib/workers/global/index.ts:123:16\n at Object.start (/usr/src/app/node_modules/renovate/lib/workers/global/index.ts:112:5)\n at /usr/src/app/node_modules/renovate/lib/renovate.ts:17:22"
}
FATAL: Authentication failure
DEBUG: Renovate exiting
INFO: Renovate is exiting with a non-zero code due to the following logged errors
"loggerErrors": [
{
"name": "renovate",
"level": 60,
"logContext": "ltv7x0NdLo-gefuJht4DY",
"msg": "Authentication failure"
}
]
Error: The process '/usr/bin/docker' failed with exit code 1
at ExecState._setResult (/home/runner/work/_actions/renovatebot/github-action/v34.29.1/dist/index.js:1702:25)
at ExecState.CheckComplete (/home/runner/work/_actions/renovatebot/github-action/v34.29.1/dist/index.js:1685:18)
at ChildProcess.<anonymous> (/home/runner/work/_actions/renovatebot/github-action/v34.29.1/dist/index.js:1579:27)
at ChildProcess.emit (node:events:390:28)
at maybeClose (node:internal/child_process:1064:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
Error: Error: The process '/usr/bin/docker' failed with exit code 1
I am trying to get the renovatebot GitHub action to authenticate using a GitHub App Access Token instead of a Personal Access Token using machine-learning-apps/actions-app-token action like this:
name: Renovate
on:
  push:
  workflow_dispatch:
  schedule:
    - cron: '0 5 * * *'
jobs:
  renovate:
    runs-on: ubuntu-latest
    env:
      LOG_LEVEL: 'trace'
    steps:
      - name: Get token
        id: get_token
        uses: machine-learning-apps/actions-app-token@master
        with:
          APP_PEM: ${{ secrets.APP_PEM }}
          APP_ID: ${{ secrets.APP_ID }}
      - name: Test token
        run: |
          curl -vL "https://api.github.com/repos/my-org/repo1" \
            -H "Authorization: token ${{ steps.get_token.outputs.app_token }}" \
            -H "Accept: application/vnd.github.v3+json"
      - name: Checkout
        uses: actions/[email protected]
      - name: Self-hosted Renovate
        uses: renovatebot/[email protected]
        with:
          configurationFile: renovate.json
          token: ${{ steps.get_token.outputs.app_token }}
As you can see, the renovatebot gets its token from the app token, so far so good. The fun thing begins with the app token not being able to access the user APIs (for obvious reasons as it is not a user). Luckily renovate supports hard-coding user information to prevent it from trying to access these APIs and I ended up with the following config:
{
"logLevel": "trace",
"printConfig": true,
"trustLevel": "high",
"assignAutomerge": true,
"automerge": false,
"branchPrefix": "private-renovatebot/",
"platform": "github",
"includeForks": true,
"assigneesFromCodeOwners": true,
"prHourlyLimit": 0,
"timezone": "Arctic/Longyearbyen",
"extends": [
"config:base"
],
"vulnerabilityAlerts": {
"addLabels": ["security"]
},
"repositories": [
"my-org/repo1",
"my-org/repo2",
"my-org/repo3"
],
"username": "renovate-config-app-private",
"gitAuthor": "renovate-config-app-private <[email protected]>"
}
This causes the following problem that I am unable to figure out:
{
"name": "renovate",
"level": 50,
"logContext": "3VP5cwkQi",
"repository": "my-org/repo3",
"err": {
"task": {
"concatStdErr": false,
"format": "utf-8",
"commands": [
"ls-remote",
"--heads",
"https://**redacted**@github.com/my-org/repo3.git"
]
},
"message": "fatal: could not read Password for 'https://**redacted**@github.com': No such device or address\n",
"stack": "Error: fatal: could not read Password for 'https://**redacted**@github.com': No such device or address\n\n at GitExecutorChain.onFatalException (/usr/src/app/node_modules/simple-git/src/lib/runners/git-executor-chain.ts:67:77)\n at GitExecutorChain.<anonymous> (/usr/src/app/node_modules/simple-git/src/lib/runners/git-executor-chain.ts:59:21)\n at Generator.throw (<anonymous>)\n at rejected (/usr/src/app/node_modules/simple-git/src/lib/runners/git-executor-chain.js:6:65)\n at processTicksAndRejections (internal/process/task_queues.js:93:5)"
},
"msg": "Repository has unknown error"
}
]
Error: The process '/usr/bin/docker' failed with exit code 1
at ExecState._setResult (/home/runner/work/_actions/renovatebot/github-action/v24.11.5/dist/index.js:1010:25)
at ExecState.CheckComplete (/home/runner/work/_actions/renovatebot/github-action/v24.11.5/dist/index.js:993:18)
at ChildProcess.<anonymous> (/home/runner/work/_actions/renovatebot/github-action/v24.11.5/dist/index.js:887:27)
at ChildProcess.emit (events.js:210:5)
at maybeClose (internal/child_process.js:1021:16)
at Process.ChildProcess._handle.onexit (internal/child_process.js:283:5)
Error: The process '/usr/bin/docker' failed with exit code 1
A few weeks back I tested the action with a GitHub App, and everything worked well. I recreated the configuration again, and now I get the following on the 'Self-hosted renovate' step. The configs work fine with a PAT, and I enabled the permissions for contents, metadata and PR as per the doc. I re-entered the secrets, but I verified they work with a JWT and API request. I want to say I did something wrong this time around, but if so, I do not know.
Status: Downloaded newer image for renovate/renovate:31.14.1-slim
DEBUG: Using RE2 as regex engine
DEBUG: Parsing configs
DEBUG: Checking for config file in /github-action/renovate.json
DEBUG: File config
"config": {
"branchPrefix": "renovate/",
"gitAuthor": "Renovate Bot <[email protected]>",
"onboarding": false,
"platform": "github",
"requireConfig": false,
"repositories": ["ckstevenson/inf-tests"],
"labels": ["dependencies", "infra-sync-required"],
"enabledManagers": ["jenkins"],
"packageRules": [
{
"description": "Jenkins plugins dependency matching properties",
"matchUpdateTypes": [
"pin",
"digest",
"patch",
"minor",
"major",
"lockFileMaintenance"
]
}
]
}
DEBUG: CLI config
"config": {}
DEBUG: Env config
"config": {"hostRules": [], "binarySource": "docker", "token": "***********"}
DEBUG: Combined config
"config": {
"branchPrefix": "renovate/",
"gitAuthor": "Renovate Bot <[email protected]>",
"onboarding": false,
"platform": "github",
"requireConfig": false,
"repositories": ["ckstevenson/inf-tests"],
"labels": ["dependencies", "infra-sync-required"],
"enabledManagers": ["jenkins"],
"packageRules": [
{
"description": "Jenkins plugins dependency matching properties",
"matchUpdateTypes": [
"pin",
"digest",
"patch",
"minor",
"major",
"lockFileMaintenance"
]
}
],
"hostRules": [],
"binarySource": "docker",
"token": "***********"
}
DEBUG: Found valid git version: 2.34.1
DEBUG: Using default github endpoint: https://api.github.com/
DEBUG: GitHub failure: Resource not accessible by integration
"err": {
"name": "HTTPError",
"code": "ERR_NON_2XX_3XX_RESPONSE",
"timings": {
"start": 1642500094940,
"socket": 1642500094942,
"lookup": 1642500094986,
"connect": 1642500095023,
"secureConnect": 1642500095062,
"upload": 1642500095063,
"response": 1642500095130,
"end": 1642500095133,
"phases": {
"wait": 2,
"dns": 44,
"tcp": 37,
"tls": 39,
"request": 1,
"firstByte": 67,
"download": 3,
"total": 193
}
},
"message": "Response code 403 (Forbidden)",
"stack": "HTTPError: Response code 403 (Forbidden)\n at Request.<anonymous> (/usr/src/app/node_modules/got/dist/source/as-promise/index.js:117:42)\n at processTicksAndRejections (internal/process/task_queues.js:95:5)",
"options": {
"headers": {
"user-agent": "RenovateBot/31.14.1 (https://github.com/renovatebot/renovate)",
"accept": "application/vnd.github.machine-man-preview+json",
"authorization": "***********",
"accept-encoding": "gzip, deflate, br"
},
"url": "https://api.github.com/user",
"hostType": "github",
"username": "",
"password": "",
"method": "GET",
"http2": false
},
"response": {
"statusCode": 403,
"statusMessage": "Forbidden",
"body": {
"message": "Resource not accessible by integration",
"documentation_url": "https://docs.github.com/rest/reference/users#get-the-authenticated-user"
},
"headers": {
"server": "GitHub.com",
"date": "Tue, 18 Jan 2022 10:01:35 GMT",
"content-type": "application/json; charset=utf-8",
"transfer-encoding": "chunked",
"x-github-media-type": "github.v3; param=machine-man-preview; format=json",
"x-ratelimit-limit": "5000",
"x-ratelimit-remaining": "4998",
"x-ratelimit-reset": "1642503099",
"x-ratelimit-used": "2",
"x-ratelimit-resource": "core",
"access-control-expose-headers": "ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset",
"access-control-allow-origin": "*",
"strict-transport-security": "max-age=31536000; includeSubdomains; preload",
"x-frame-options": "deny",
"x-content-type-options": "nosniff",
"x-xss-protection": "0",
"referrer-policy": "origin-when-cross-origin, strict-origin-when-cross-origin",
"content-security-policy": "default-src 'none'",
"vary": "Accept-Encoding, Accept, X-Requested-With",
"content-encoding": "gzip",
"x-github-request-id": "0780:1478:22C8230:40B7B6B:61E68FFF",
"connection": "close"
},
"httpVersion": "1.1"
}
}
DEBUG: Error authenticating with GitHub
"err": {
"message": "integration-unauthorized",
"stack": "Error: integration-unauthorized\n at handleGotError (/usr/src/app/node_modules/renovate/lib/util/http/github.ts:105:11)\n at GithubHttp.request (/usr/src/app/node_modules/renovate/lib/util/http/github.ts:254:7)\n at processTicksAndRejections (internal/process/task_queues.js:95:5)\n at GithubHttp.requestJson (/usr/src/app/node_modules/renovate/lib/util/http/index.ts:233:17)\n at getUserDetails (/usr/src/app/node_modules/renovate/lib/platform/github/user.ts:22:7)\n at Proxy.initPlatform (/usr/src/app/node_modules/renovate/lib/platform/github/index.ts:125:19)\n at initPlatform (/usr/src/app/node_modules/renovate/lib/platform/index.ts:45:24)\n at globalInitialize (/usr/src/app/node_modules/renovate/lib/workers/global/initialize.ts:50:12)\n at Object.start (/usr/src/app/node_modules/renovate/lib/workers/global/index.ts:93:14)\n at /usr/src/app/node_modules/renovate/lib/renovate.ts:16:22"
}
FATAL: Authentication failure
DEBUG: Renovate exiting
INFO: Renovate is exiting with a non-zero code due to the following logged errors
"loggerErrors": [
{
"name": "renovate",
"level": 60,
"logContext": "S-qUSZ-dHuGFgOu6h_gOh",
"msg": "Authentication failure"
}
]
Error: The process '/usr/bin/docker' failed with exit code 1
at ExecState._setResult (/home/runner/work/_actions/renovatebot/github-action/v31.14.1/dist/index.js:1307:25)
at ExecState.CheckComplete (/home/runner/work/_actions/renovatebot/github-action/v31.14.1/dist/index.js:1290:18)
at ChildProcess.<anonymous> (/home/runner/work/_actions/renovatebot/github-action/v31.14.1/dist/index.js:1184:27)
at ChildProcess.emit (events.js:210:5)
at maybeClose (internal/child_process.js:1021:16)
at Process.ChildProcess._handle.onexit (internal/child_process.js:283:5)
Error: The process '/usr/bin/docker' failed with exit code 1
Is there any way to make Renovate as a GitHub action update more than 1 package at a time (either to reduce the frequency of runs, and to reduce the number of commits/PRs)?
@viceice Can you please take a look at https://app.renovatebot.com/dashboard#github/renovatebot/github-action/172751295. I've checked it and it detects the one file with regex but doesn't seem to detect the current version (look for Dependency extraction complete). Could that be due to the enabledManagers or do you think it has more likely to do with the match string?
There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.
Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.
This build succeeded when I think it should have failed due to the Renovate warning. Let's see whether we can do something like warnings as errors for our test runs.
https://github.com/renovatebot/github-action/runs/654100781?check_suite_focus=true
The command listed in the readme to base64 encode the .pem doesn't work - see here for details.
On Mac, the equivalent command is:
cat your_app_key.pem | base64 && echo
I'm not even sure you need the && echo, at least not on mac, as the encoded string is output to the console without it.
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These branches will be created by Renovate only once you click their checkbox below.
(@commitlint/cli, @commitlint/config-conventional)
(@typescript-eslint/eslint-plugin, @typescript-eslint/parser, eslint)
(@semantic-release/github, @semantic-release/npm)
These updates are awaiting their schedule. Click on a checkbox to get an update now.
These updates await pending status checks. To force their creation now, click the checkbox below.
.github/workflows/build.yml
actions/checkout v4.1.5@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
wagoid/commitlint-github-action v5.5.1@9763196e10f27aef304c9b8b660d31d97fce0f99
actions/checkout v4.1.5@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
actions/setup-node v4.0.2@60edb5dd545a775178f52524783378180af0d1f8
actions/checkout v4.1.5@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
actions/setup-node v4.0.2@60edb5dd545a775178f52524783378180af0d1f8
actions/checkout v4.1.5@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
actions/setup-node v4.0.2@60edb5dd545a775178f52524783378180af0d1f8
package.json
@actions/core 1.10.1
@actions/exec 1.1.1
@commitlint/cli 18.6.1
@commitlint/config-conventional 18.6.3
@semantic-release/git 10.0.1
@semantic-release/github 9.2.6
@semantic-release/npm 11.0.3
@tsconfig/node20 20.1.4
@types/node 20.12.10
@typescript-eslint/eslint-plugin 6.21.0
@typescript-eslint/parser 6.21.0
@vercel/ncc 0.38.1
conventional-changelog-conventionalcommits 7.0.2
eslint 8.57.0
eslint-config-prettier 9.1.0
eslint-plugin-json 3.1.0
husky 9.0.11
lint-staged 15.2.2
npm-run-all2 6.1.2
prettier 3.2.5
prettier-plugin-packagejson 2.5.0
rimraf 5.0.5
semantic-release 23.0.8
ts-node 10.9.2
typescript 5.4.5
node >=20.9.0
pnpm ^8.0.0
pnpm 8.15.8
README.md
ghcr.io/renovatebot/renovate 37.356.1
README.md
actions/checkout v4.1.5
renovatebot/github-action v40.1.11
actions/checkout v4.1.5
renovatebot/github-action v40.1.11
actions/checkout v4.1.5
renovatebot/github-action v40.1.11
actions/checkout v4.1.5
renovatebot/github-action v40.1.11
actions/checkout v4.1.5
renovatebot/github-action v40.1.11
actions/checkout v4.1.5
renovatebot/github-action v40.1.11
actions/checkout v4.1.5
renovatebot/github-action v40.1.11
renovatebot/github-action v40.1.11
actions/checkout v4.1.5
renovatebot/github-action v40.1.11
renovatebot/github-action v40.1.11
actions/checkout v4.1.5
renovatebot/github-action v40.1.11
actions/checkout v4.1.5
renovatebot/github-action v40.1.11
renovatebot/github-action v40.1.11
renovatebot/github-action v40.1.11
.github/workflows/build.yml
renovate 37.358.0
README.md
renovatebot/github-action v40.1.11
renovatebot/github-action v40.1.11
renovatebot/github-action v40.1.11
renovatebot/github-action v40.1.11
renovatebot/github-action v40.1.11
renovatebot/github-action v40.1.11
renovatebot/github-action v40.1.11
renovatebot/github-action v40.1.11
renovatebot/github-action v40.1.11
renovatebot/github-action v40.1.11
renovatebot/github-action v40.1.11
renovatebot/github-action v40.1.11
renovatebot/github-action v40.1.11
renovatebot/github-action v40.1.11
README.md
ghcr.io/renovatebot/renovate 37.356.1
ghcr.io/renovatebot/renovate 37.356.1
actions/create-release is now unmaintained, we should replace it.
I have seen this action is not being updated for two weeks and I want to use the new Gradle Version Catalogs which was added in 26.18
Is there plan to match the releases of this version to the app one?
Package @zeit/ncc is deprecated, @vercel/ncc is the successor. Simple switching package is enough.
What Renovate type are you using?
GitHub Actions:
- uses: renovatebot/[email protected]
if: ${{ !contains(github.head_ref, 'renovate') && github.event_name == 'push' }}
with:
token: ${{ secrets.RENOVATE_TOKEN }}
configurationFile: .github/renovate.js
Describe the bug
Renovate crashes with a JavaScript heap out of memory error. This is similar to renovatebot/renovate#5527
2020-05-21T11:22:02.4499714Z FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory
2020-05-21T11:22:02.4499952Z
2020-05-21T11:22:02.4500970Z <--- Last few GCs --->
2020-05-21T11:22:02.4501243Z
2020-05-21T11:22:02.4501966Z [8:0x4a97390] 4009937 ms: Scavenge 2034.3 (2050.2) -> 2033.8 (2050.2) MB, 77.8 / 0.0 ms (average mu = 0.112, current mu = 0.003) allocation failure
2020-05-21T11:22:02.4502724Z [8:0x4a97390] 4010312 ms: Scavenge 2034.4 (2050.2) -> 2034.1 (2050.2) MB, 371.0 / 0.0 ms (average mu = 0.112, current mu = 0.003) allocation failure
2020-05-21T11:22:02.4503459Z [8:0x4a97390] 4010320 ms: Scavenge 2034.7 (2050.2) -> 2034.3 (2050.5) MB, 4.3 / 0.0 ms (average mu = 0.112, current mu = 0.003) allocation failure
2020-05-21T11:22:02.4503733Z
2020-05-21T11:22:02.4504231Z
2020-05-21T11:22:02.4504733Z <--- JS stacktrace --->
2020-05-21T11:22:02.4504963Z
2020-05-21T11:22:02.4505260Z ==== JS stack trace =========================================
2020-05-21T11:22:02.4505648Z
2020-05-21T11:22:02.4505986Z 0: ExitFrame [pc: 0x13a71b9]
2020-05-21T11:22:02.4506265Z Security context: 0x17bbf2a008d1 <JSObject>
2020-05-21T11:22:02.4506617Z 1: create [0x17bbf2a013b9](this=0x17bbf2a00969 <JSFunction Object (sfi = 0x3e8aa12083e1)>,0x1e9861a001b9 <null>)
2020-05-21T11:22:02.4507491Z 2: createProtoAccessControl [0x3cb69dfe2161] [/usr/src/app/node_modules/handlebars/dist/cjs/handlebars/internal/proto-access.js:26] [bytecode=0x21d259039049 offset=56](this=0x3cb69dfdddd9 <Object map = 0x5dccedb3109>,0x10f90d916831 <Object map ...
2020-05-21T11:22:02.4507821Z
2020-05-21T11:22:02.4687142Z
2020-05-21T11:22:03.3089167Z Writing Node.js report to file: report.20200521.112202.8.0.001.json
2020-05-21T11:22:03.3089385Z Node.js report completed
2020-05-21T11:22:03.3089689Z 1: 0x9ef190 node::Abort() [node]
2020-05-21T11:22:03.3089947Z 2: 0x9f13b2 node::OnFatalError(char const*, char const*) [node]
2020-05-21T11:22:03.3090196Z 3: 0xb5da9e v8::Utils::ReportOOMFailure(v8::internal::Isolate*, char const*, bool) [node]
2020-05-21T11:22:03.3090456Z 4: 0xb5de19 v8::internal::V8::FatalProcessOutOfMemory(v8::internal::Isolate*, char const*, bool) [node]
2020-05-21T11:22:03.3090652Z 5: 0xd0a765 [node]
2020-05-21T11:22:03.3090865Z 6: 0xd0adf6 v8::internal::Heap::RecomputeLimits(v8::internal::GarbageCollector) [node]
2020-05-21T11:22:03.3091239Z 7: 0xd1760a v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::GCCallbackFlags) [node]
2020-05-21T11:22:03.3091504Z 8: 0xd18515 v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) [node]
2020-05-21T11:22:03.3091753Z 9: 0xd1afcc v8::internal::Heap::AllocateRawWithRetryOrFail(int, v8::internal::AllocationType, v8::internal::AllocationOrigin, v8::internal::AllocationAlignment) [node]
2020-05-21T11:22:03.3092011Z 10: 0xce19bb v8::internal::Factory::NewFillerObject(int, bool, v8::internal::AllocationType, v8::internal::AllocationOrigin) [node]
2020-05-21T11:22:03.3092247Z 11: 0x10246ce v8::internal::Runtime_AllocateInYoungGeneration(int, unsigned long*, v8::internal::Isolate*) [node]
2020-05-21T11:22:03.3092453Z 12: 0x13a71b9 [node]
2020-05-21T11:22:03.3092656Z /usr/entrypoint.sh: line 28: 8 Aborted (core dumped) RENOVATE_TOKEN="${TOKEN}" node /usr/src/app/dist/renovate.js
2020-05-21T11:22:04.1785515Z Post job cleanup.
Did you see anything helpful in debug logs?
I tried, but turning on debug for GitHub actions eventually fails due to massive amount of data put out.
To Reproduce
Seems like this might be reproduced if the repository (Gradle-based) has a large number of dependencies or a handful of declared different repositories. This build is running with JDK 11.0.7 and Gradle 6.4.1.
Additional context
Contents of renovate.js file:
module.exports = {
branchPrefix: 'renovate/',
gitAuthor: 'Renovate Bot <[email protected]>',
logLevel: 'warn',
onboarding: false,
platform: 'github',
includeForks: true,
repositories: [
'apereo/cas'
],
enabledManagers: ["gradle"],
"gradle": {
"enabled": true
}
};
Trying to use this GitHub action I can't get it to detect my repositories - turning on debug logs did not help shed light on the matter -
renovate-config.js:
module.export = {
extends: ['config:base', ':automergeMinor'],
timezone: 'Asia/Jerusalem',
schedule: ['after 6am and before 9am'],
rebaseWhen: 'conflicted',
updateLockFiles: true,
prCreation: 'immediate',
rangeStrategy: 'auto',
prHourlyLimit: 5,
prConcurrentLimit: 5,
requiredStatusChecks: null, // bors will always be pending and this feature is only partially implemented so setting to not wait on pr status
automergeType: 'pr-comment',
automergeComment: 'bors r+',
labels: ['chore', 'renovate ๐จ'],
npm: {
fileMatch: ['(^|/)package.json$', '(^|/)package.dist.json$']
},
packageRules: [
{
sourceUrlPrefixes: ['https://github.com/middyjs/middy'],
groupName: 'Middy monorepo packages'
},
{
packageNames: ['aws-appsync'],
allowedVersions: '4.0.1' // we don't trust them :\
},
{
paths: ['e2e/**'],
packageNames: ['webpack'],
allowedVersions: '4.*' // https://github.com/env0/env0/pull/2872#issuecomment-761878435
},
{
packageNames: ['@shiftcoders/dynamo-easy'],
allowedVersions: '6.0.0-pr91.1' // https://github.com/shiftcode/dynamo-easy/issues/331
},
{
packageNames: ['serverless-vpc-plugin'],
allowedVersions: '0.10.0' // breaking changes in https://github.com/smoketurner/serverless-vpc-plugin/releases/tag/v1.0.0
},
{
packageNames: ['@azure/identity'],
allowedVersions: '1.0.3' // can be removed when v2 becomes stable. See: https://github.com/Azure/azure-sdk-for-js/issues/14346#issuecomment-825995352
},
{
packageNames: ['antd', '@ant-design/icons', '@nivo/line', 'auth0-lock', 'react-datepicker'],
automerge: false // always manually visually verify our ui library
},
{
packageNames: ['@gitbeaker/node'],
allowedVersions: '< 28.0.0 || > 28.0.1' // Random console print on those two versions https://github.com/jdalrymple/gitbeaker/pull/1413#discussion_r550482902, can be removed when 28.0.1 is not the latest version
},
{
packageNames: ['hashicorp/terraform'], // We don't want to update our TF version automatically
enabled: false
}
],
// Self-Hosted configuration
branchPrefix: 'renovate-bump/',
allowScripts: true,
repositories: ['env0/env0']
};
Step logs:
Run renovatebot/[email protected]
with:
configurationFile: .github/renovate-config.js
token: ***
env:
LOG_LEVEL: debug
/usr/bin/docker run --env LOG_LEVEL --env RENOVATE_TOKEN=*** --env RENOVATE_CONFIG_FILE=/github-action/renovate-config.js --volume /home/runner/work/env0/env0/.github/renovate-config.js:/github-action/renovate-config.js --volume /var/run/docker.sock:/var/run/docker.sock --volume /tmp:/tmp --user ubuntu:121 --rm renovate/renovate:25.75.0-slim
Unable to find image 'renovate/renovate:25.75.0-slim' locally
25.75.0-slim: Pulling from renovate/renovate
Digest: sha256:362bc56e12faecabb4c5c731266730b1840cb96ecfc007b700bcf5c1cff16ca0
Status: Downloaded newer image for renovate/renovate:25.75.0-slim
DEBUG: Using RE2 as regex engine
DEBUG: Parsing configs
DEBUG: File config
"config": {}
DEBUG: CLI config
"config": {}
DEBUG: Env config
"config": {"hostRules": [], "binarySource": "docker", "token": "***********"}
DEBUG: Combined config
"config": {"hostRules": [], "binarySource": "docker", "token": "***********"}
DEBUG: Using default github endpoint: https://api.github.com/
DEBUG: GitHub 404
"url": "https://api.github.com/user/emails"
DEBUG: Cannot read user/emails endpoint on GitHub to retrieve gitAuthor
DEBUG: Authenticated as GitHub user: bot-env0
DEBUG: Using default gitAuthor: Renovate Bot <[email protected]>
DEBUG: Adding token authentication for api.github.com to hostRules
DEBUG: Using baseDir: /tmp/renovate
DEBUG: Using cacheDir: /tmp/renovate/cache
DEBUG: Initializing Renovate internal cache into /tmp/renovate/cache/renovate/renovate-cache-v1
DEBUG: Commits limit = null
WARN: No repositories found - did you want to run with flag --autodiscover?
DEBUG: Renovate exiting
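Added example (not part of the issue or the project's code): in CommonJS, `require()` returns only `module.exports`, so a file that assigns to `module.export` loads as `{}`, which matches the `File config` line in the log above. The hypothetical helpers `loadConfigSource` and `diagnoseConfig` evaluate a config source the way Node's module wrapper does and report that case; the sample source is abbreviated from the config posted above.

```javascript
// Added example: pre-flight check for a Renovate config.js.
// loadConfigSource and diagnoseConfig are hypothetical names, not Renovate APIs.

// Evaluate CommonJS source with the same parameters Node's module wrapper
// passes. This executes the file, exactly as require() would, so run it only
// on config files you already trust.
function loadConfigSource(source, env = {}) {
  const mod = { exports: {} };
  const wrapper = new Function('module', 'exports', 'require', 'process', source);
  const noRequire = (name) => {
    throw new Error(`require('${name}') is not available in this check`);
  };
  wrapper(mod, mod.exports, noRequire, { env });
  return mod;
}

function diagnoseConfig(source, env = {}) {
  const mod = loadConfigSource(source, env);
  const exported = mod.exports;
  const config = exported && typeof exported === 'object' ? exported : {};
  const findings = [];

  // Nothing exported: the "File config" debug line will show {}.
  if (Object.keys(config).length === 0) {
    findings.push({
      code: 'EMPTY_EXPORTS',
      detail: 'module.exports is empty, so the file contributes no settings',
    });
  }

  // Anything attached to the module object other than `exports` is ignored by
  // require(); `module.export = {...}` is the usual way this happens.
  for (const prop of Object.keys(mod)) {
    if (prop !== 'exports') {
      findings.push({
        code: 'WRONG_PROPERTY',
        detail: `config was assigned to module.${prop}; use module.exports`,
      });
    }
  }

  // Without repositories or autodiscover, Renovate has nothing to process and
  // logs "No repositories found".
  const hasRepos =
    Array.isArray(config.repositories) && config.repositories.length > 0;
  if (!hasRepos && config.autodiscover !== true) {
    findings.push({
      code: 'NO_REPOSITORIES',
      detail: 'neither repositories nor autodiscover is set',
    });
  }

  return { config, findings };
}

// Sample input, abbreviated from the config in the issue (same first line).
const BROKEN_SOURCE = `
module.export = {
  branchPrefix: 'renovate-bump/',
  allowScripts: true,
  repositories: ['env0/env0']
};`;

// Constructed counterpart with the property name corrected.
const FIXED_SOURCE = BROKEN_SOURCE.replace('module.export =', 'module.exports =');

for (const [label, src] of [['as posted', BROKEN_SOURCE], ['exports', FIXED_SOURCE]]) {
  const { findings } = diagnoseConfig(src);
  console.log(label, findings.length ? findings.map((f) => f.code).join(', ') : 'ok');
}
```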
When using GitHub Actions' caching functionality, Renovate ends up hitting an EACCES when trying to write to the restored cache keys.
A failing job with workflow definition reports the following error on subsequent runs:
INFO: Renovate is exiting with a non-zero code due to the following logged errors
"loggerErrors": [
{
"name": "renovate",
"level": 60,
"logContext": "BxuFXuCsh1JmPxe_hfhG1",
"err": {
"errno": -13,
"code": "EACCES",
"syscall": "mkdir",
"path": "/tmp/renovate-baseDir/repos/github/jamietanna/jamietanna",
"message": "EACCES: permission denied, mkdir '/tmp/renovate-baseDir/repos/github/jamietanna/jamietanna'",
"stack": "Error: EACCES: permission denied, mkdir '/tmp/renovate-baseDir/repos/github/jamietanna/jamietanna'"
},
"msg": "Fatal error: EACCES: permission denied, mkdir '/tmp/renovate-baseDir/repos/github/jamietanna/jamietanna'"
}
]
It appears that:
/usr/bin/docker run --env RENOVATE_TOKEN=x-access-token:*** --env RENOVATE_CONFIG_FILE=/github-action/config.js --volume /home/runner/work/actions-testing/actions-testing/config.js:/github-action/config.js --volume /var/run/docker.sock:/var/run/docker.sock --volume /tmp:/tmp --user 1000:121 --rm renovate/renovate:34.2.0-slim
May be at fault, as running id -u outside of the Renovate runner shows:
uid=1001(runner) gid=121(docker) groups=121(docker),4(adm),101(systemd-journal)
Whereas we're trying to use the uid 1000, which doesn't match, and is therefore denied from reading the files:
# this is from a different run, so not visible on the above link
/tmp/renovate-baseDir:
total 12
drwxr-xr-x 3 runner docker 4096 Nov 2 16:40 .
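Added example, not from the issue or the action's code: the reasoning above (container user 1000:121 against a directory owned by runner, uid 1001) carried out as a permission-class check. Function names are hypothetical; the three input strings are taken from the issue, with the `docker run` line abbreviated.

```javascript
// Added example: decide whether the user given to `docker run --user` can
// create entries in a bind-mounted directory, from the `docker run` line,
// `id` output on the host, and one `ls -l` line. Names are hypothetical.

// Numeric `--user uid[:gid]` only. A name such as `ubuntu` would have to be
// resolved against /etc/passwd inside the image, which is not available here.
function parseDockerUser(cmd) {
  const m = /--user[= ](\d+)(?::(\d+))?(?=\s|$)/.exec(cmd);
  if (!m) return null;
  return { uid: Number(m[1]), gid: m[2] === undefined ? null : Number(m[2]) };
}

// Build name -> id maps from `id` output such as
// "uid=1001(runner) gid=121(docker) groups=121(docker),4(adm)".
function parseId(out) {
  const ids = { users: {}, groups: {} };
  const uid = /uid=(\d+)\(([^)]+)\)/.exec(out);
  if (uid) ids.users[uid[2]] = Number(uid[1]);
  const start = out.indexOf('gid=');
  const groupsPart = start === -1 ? '' : out.slice(start);
  for (const m of groupsPart.matchAll(/(\d+)\(([^)]+)\)/g)) {
    ids.groups[m[2]] = Number(m[1]);
  }
  return ids;
}

// Fields of an `ls -l` line: mode string, link count, owner, group, ...
function parseLsLine(line) {
  const f = line.trim().split(/\s+/);
  return { type: f[0][0], perms: f[0].slice(1, 10), owner: f[2], group: f[3] };
}

// Classic Unix check: exactly one class (owner, group, other) applies.
// Only the primary gid from --user is considered, not supplementary groups.
function canCreateIn(dir, user, ids) {
  if (user.uid === 0) return { allowed: true, cls: 'root', bits: null };
  const ownerUid = ids.users[dir.owner];
  const groupGid = ids.groups[dir.group];
  let cls = 'other';
  if (ownerUid !== undefined && user.uid === ownerUid) cls = 'owner';
  else if (groupGid !== undefined && user.gid === groupGid) cls = 'group';
  const offset = { owner: 0, group: 3, other: 6 }[cls];
  const bits = dir.perms.slice(offset, offset + 3);
  // mkdir needs write and search (execute) permission on the parent directory.
  const allowed = bits[1] === 'w' && /[xst]/.test(bits[2]);
  return { allowed, cls, bits };
}

function explain(dockerCmd, idOutput, lsLine) {
  const user = parseDockerUser(dockerCmd);
  if (user === null) return null;
  return { user, ...canCreateIn(parseLsLine(lsLine), user, parseId(idOutput)) };
}

// Inputs from the issue; the docker command is shortened to the relevant flags.
const DOCKER_CMD =
  '/usr/bin/docker run --volume /tmp:/tmp --user 1000:121 --rm renovate/renovate:34.2.0-slim';
const ID_OUTPUT =
  'uid=1001(runner) gid=121(docker) groups=121(docker),4(adm),101(systemd-journal)';
const LS_LINE = 'drwxr-xr-x 3 runner docker 4096 Nov 2 16:40 .';

const verdict = explain(DOCKER_CMD, ID_OUTPUT, LS_LINE);
console.log(
  `uid ${verdict.user.uid} falls in class "${verdict.cls}" (${verdict.bits}):`,
  verdict.allowed ? 'mkdir allowed' : 'mkdir denied (EACCES)'
);
```

Uid 1000 is not the owner, so the group bits `r-x` apply and the directory is not writable; the same check with uid 1001 lands in the owner class and passes.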
Actions now support node v16
TODO
action.yml
package.json
engines
I like to bundle renovate internally, so we can run this action on Windows / MacOS agents.
That way we can support updating lockfiles which required a specific environment. Eg: XCode or VisualStudio.
We are already using @vercel/ncc to bundle the action code.
Due to the renovate config:
github-action/.github/renovate.json
Lines 13 to 16 in 6690277
How to use always latest version of this repository?
Currently I have something like this:
- name: Self-hosted Renovate
uses: renovatebot/[email protected]
Add back changelog generation
This issue provides visibility into Renovate updates and their statuses. Learn more
These branches will be created by Renovate only once you click their checkbox below.
(@commitlint/cli, @commitlint/config-conventional)
(@typescript-eslint/eslint-plugin, @typescript-eslint/parser, eslint)
These updates are awaiting their schedule. Click on a checkbox to get an update now.
I see that the image tag is hard-coded to use the slim version. I have started to play around with postUpgradeTasks, but since they run inside the slim image there aren't any useful binaries and I have to install everything, e.g. make, patch, runtimes, etc. The normal renovatebot image does have all the binaries I need, so it would be nice if I could configure the github action to use that one instead.
Allow passing additional environment variables to renovate so they can be used in config.js, e.g. secrets.
This is necessary because we can't use encrypted config keys.
Steps
env=NPM_TOKEN,DOCKER_PASSWORD
env and pass vars to docker run command, eg docker run .... -e NPM_TOKEN -e DOCKER_PASSWORD ... renovate:slim
Renovate GitHub Action (latest released version, v21.29.2)
GitHub.com
Yes, please see here for an example run: https://github.com/iniinikoski/tf-dependencytest-repo/pull/3/checks?check_run_id=870786431#step:3:6
I'd like to use the GitHub Actions- version to connect to private Terraform Cloud / Enterprise registries.
For this, I'd need to pass a hostRule - and a token for it using GitHub Secrets. I found out that it should be possible to set hostRules using environment variables - so I tried to do this: https://github.com/iniinikoski/tf-dependencytest-repo/blob/6508b37f88997d8a8409d4d0e1c4f9b42d7cbce8/.github/workflows/renovate.yml#L19 - and we can see that this should be correctly passed to the Renovate self-hosted Action (at least for me it looks like this), but the run does not authenticate (we still get "Datasource unauthorized") - and - also - when trying to check the contents of hostRules detected by Renovate, the config is missing...
What is the best (and only?) way to configure this to work...?
I tried to read the docs about this, but, did not find anything usable...
When I run it on private agent I have problem with access to docker socket because of hardcoded user
https://github.com/renovatebot/github-action/blob/main/src/renovate.ts#L20
We don't have ubuntu user.
I wonder if we should customize user or maybe even better remove this user setting completely, is it really must?
I change action to simple docker run and works fine.
- name: Run Renovate
run: |
docker run --env RENOVATE_TOKEN=$TOKEN --env RENOVATE_CONFIG_FILE=/github-action/renovate-config.js \
--volume ${GITHUB_WORKSPACE}/renovate/renovate-config.js:/github-action/renovate-config.js \
--volume /var/run/docker.sock:/var/run/docker.sock --volume /tmp:/tmp --rm renovate/renovate:${RENOVATE_TAG}
env:
TOKEN: ${{ secrets.RENOVATE_TOKEN }}
RENOVATE_TAG: 25.69.4-slim
I was trying to use the NPM_REGISTRY_NPMJS_ORG_TOKEN variable in order to inject a secret setup in the repository settings. But after checking process.env in the config, I realized that the variable is not passed to the container itself.
Right now I do not see any way to pass a variable from the repository secrets to the renovate config using the github-action runner.
There are other variables (see below https://docs.renovatebot.com/self-hosted-configuration/#detectHostRulesFromEnv ) that could also be used for authentication with npm/gitlab/docker.
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These branches will be created by Renovate only once you click their checkbox below.
(@commitlint/cli, @commitlint/config-conventional)
These updates have been manually edited so Renovate will no longer make changes. To discard all commits and start over, click on a checkbox.
These updates await pending status checks. To force their creation now, click the checkbox below.
(@typescript-eslint/eslint-plugin, @typescript-eslint/parser)
.github/workflows/build.yml
actions/checkout 755da8c3cf115ac066823e79a1e1788f8940201b
wagoid/commitlint-github-action v4.1.15@416045160973f9fff174ac6698412cfe7181c3f3
actions/checkout 755da8c3cf115ac066823e79a1e1788f8940201b
actions/setup-node v3.5.1@8c91899e586c5b171469028077307d293428b516
actions/checkout 755da8c3cf115ac066823e79a1e1788f8940201b
actions/checkout 755da8c3cf115ac066823e79a1e1788f8940201b
actions/setup-node v3.5.1@8c91899e586c5b171469028077307d293428b516
actions/create-release v1.1.4@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e
package.json
@actions/core 1.10.0
@actions/exec 1.1.1
@commitlint/cli 16.3.0
@commitlint/config-conventional 16.2.4
@types/node 16.18.6
@typescript-eslint/eslint-plugin 5.45.1
@typescript-eslint/parser 5.45.1
@vercel/ncc 0.36.0
eslint 8.29.0
eslint-config-prettier 8.5.0
eslint-plugin-json 3.1.0
husky 7.0.4
lint-staged 12.5.0
npm-run-all 4.1.5
prettier 2.8.0
standard-version 9.5.0
ts-node 10.9.1
typescript 4.9.3
node >=16.0.0
yarn ^1.22.0
README.md
actions/checkout v2.0.0
renovatebot/github-action v32.238.4
actions/checkout v2.0.0
renovatebot/github-action v32.238.4
renovatebot/github-action v32.238.4
src/docker.ts
renovate/renovate 34.55.0-slim
README.md
renovatebot/github-action v32.238.4
renovatebot/github-action v32.238.4
renovatebot/github-action v32.238.4
Hey there,
first of all, thanks for providing this action. It's super useful and I'm glad something like this exists!
In some of my repositories Renovate was unable to update dependencies (because of some module errors), but the workflow's job succeeded. It seems like the renovate process always returns a non-zero error code even though an error occurred. Is it possible to return an error code 1 and therefore fail the whole workflow in case something went wrong? I'm not sure whether this is a duplicate of #65. Feel free to close if that's the case.
Thanks for taking your time reading this!
Is this GitHub Action listed on the GitHub Action Marketplace?
I can't find this GitHub Action on the GitHub Action Marketplace https://github.com/marketplace?type=actions
I see the previous version https://github.com/marketplace/actions/self-hosted-renovate , but I don't see the current version.
Seems it's not possible to set AWS authentication for https://docs.renovatebot.com/modules/datasource/#aws-machine-image-datasource
jobs:
renovate:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/[email protected]
- name: Self-hosted Renovate
uses: renovatebot/[email protected]
with:
configurationFile: renovate/config.js
token: ${{ secrets.RENOVATE_TOKEN }}
env:
LOG_LEVEL: debug
RENOVATE_CUSTOM_ENV_VARIABLES: '[{"AWS_ACCESS_KEY_ID":"${{secrets.RENOVATE_IAM_USER_ID}}","AWS_SECRET_ACCESS_KEY":"${{secrets.RENOVATE_IAM_USER_SECRET}}","AWS_DEFAULT_REGION":"us-east-1"}]'
AWS_ACCESS_KEY_ID: "${{secrets.RENOVATE_IAM_USER_ID}}"
AWS_SECRET_ACCESS_KEY: "${{secrets.RENOVATE_IAM_USER_SECRET}}"
AWS_DEFAULT_REGION: "us-east-1"
In both cases, RENOVATE_CUSTOM_ENV_VARIABLES, and static ENVs are failing to ( config is properly massaged ):
DEBUG: Datasource unknown error (repository=apify/guesswhat)
"datasource": "aws-machine-image",
"packageName": "[{\"Name\":\"owner-id\",\"Values\":[\"125523088429\"]},{\"Name\":\"name\",\"Values\":[\"fedora-coreos-*.3.*-x86_64\"]}]\r",
"err": {
"message": "Region is missing",
"stack": "Error: Region is missing\n at default (/usr/src/app/node_modules/@aws-sdk/config-resolver/dist-cjs/regionConfig/config.js:10:15)\n at /usr/src/app/node_modules/@aws-sdk/node-config-provider/dist-cjs/fromStatic.js:6:83\n at /usr/src/app/node_modules/@aws-sdk/property-provider/dist-cjs/chain.js:11:28"
}
Thanks
We would like to use the slim docker image instead of the full image, as most projects don't need all tools. So the slim images would reduce the required download size.
TODO
/mnt/ for baseDir and chown 1000:0 (/mnt is a second 14GB ssd drive on github hosted runner)
baseDir (host and container mount must match, because renovate will use baseDir to mount repo to side containers)
baseDir as env RENOVATE_BASE_DIR
Hi Team,
we are using self hosted renovate bot in github actions,
we are looking to configure renovate to create PR for security vulnerability only.
with the below configuration used no PR is getting created but if we enable package rules then we do get PRs created but those are not just for security ones.
name: Renovate
on:
push:
workflow_dispatch:
schedule:
- cron: "0 0 * * MON" #Every MON 10:00 AM AEST
jobs:
renovate:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@master
- name: Substitute vars
shell: bash
run: sed -i "s/GITHUB_TOKEN/${{ secrets}}/g" config.json
- name: Self-hosted Renovate
uses: renovatebot/[email protected]
with:
configurationFile: config.json
token: ${{ secrets }}
{
"groupName ":"all",
"branchPrefix":"renovate/reno-",
"dryRun":false,
"gitAuthor":"Renovate Bot <[email protected]>",
"labels":[
"renovate-dependencies"
],
"onboarding":true,
"onboardingConfigFileName":".github/renovate.json",
"onboardingBranch":"renovate/reno-cfg",
"platform":"github",
"hashedBranchLength":20,
"github-actions":{
"enabled":false
},
"docker":{
"enabled":false
},
"extends":[
":enableVulnerabilityAlerts"
],
"repositories":[
"<<repo name here>>"
],
"ignoreDeps":[
"EPPlus"
],
"hostRules":[
{
"matchHost":"https://npm.pkg.github.com/",
"hostType":"npm",
"token":"GITHUB_TOKEN"
}
],
"includePaths":[
"test/*"
],
"packageRules":[
{
"enabled":false,
"matchDatasources":[
"npm"
],
"matchPackagePatterns":[
"*"
],
"groupName":"NPM: all dependencies",
"groupSlug":"all"
}
],
"vulnerabilityAlerts":{
"enabled":"true"
},
}
{
"name": "test",
"version": "1.0.0",
"description": "",
"main": "*.test.js",
"scripts": {
"test": "mocha *.test.js --timeout 30000 && eslint *.js"
},
"author": "",
"dependencies": {
"bluebird": "*",
"cheerio": "^0.22.0",
"expect": "^26.6.2",
"mocha": "^9.1.2",
"request": "^2.88.2",
"should": "13.2.3"
},
"devDependencies": {
"eslint": "^7.32.0",
"eslint-plugin-mocha-no-only": "^1.1.1"
}
}
I realise this is probably pretty clear to people who are familiar with Github's Apps and Actions, but for someone getting used to the system, it wasn't obvious to me that I had to install the application after having created it under my account via the Developer Settings (or in fact, that this was even an option).
Would it make sense to add such an instruction under the Example with GitHub App section?