CedricCabessa / github-action


GitHub Action Renovate

GitHub Action to run Renovate self-hosted.

Badges

Badge                    Description    Service
code style               Code style     Prettier
Conventional Commits     Commit style   Conventional Commits
Renovate enabled         Dependencies   Renovate
GitHub workflow status   Build          GitHub Actions

Options

Options can be passed using the inputs of this action or the corresponding environment variables. When both are passed, the input takes precedence over the environment variable. For the available environment variables, see the Renovate Self-Hosted Configuration docs.

configurationFile

Configuration file to configure Renovate. The supported configuration files are:

  • one of the configuration files listed in the Renovate Docs for Configuration Options
  • or a JavaScript file that exports a configuration object

For both of these options, an example can be found in the example directory.

The configuration that can be done in this file consists of two parts, as listed below. Refer to the links to the Renovate Docs for all options.

  1. Self-Hosted Configuration Options
  2. Configuration Options

The branchPrefix option is important to configure and should be set to a value other than the default, to prevent interference with e.g. the Renovate GitHub App.

If you want to use this with just the single configuration file, make sure to include the following two configuration lines. They disable the requirement of a configuration file in the repository and disable onboarding.

  onboarding: false,
  requireConfig: false,

env-regex

Allows configuring the regex that defines which environment variables are passed to the renovate container. See the Passing other environment variables section for more details.

mount-docker-socket

Defaults to false. If set to true, the action mounts the Docker socket inside the renovate container so that commands can use Docker. This can be useful for postUpgradeTasks commands. It also adds the user inside the renovate container to the docker group for socket permissions.

token

Generate a Personal Access Token (classic) with the repo:public_repo scope for only public repositories, or the repo scope for public and private repositories, and add it to Secrets (repository settings) as RENOVATE_TOKEN. For testing, you can also create a token without a specific scope, which gives read-only access to public repositories. This token is only used by Renovate (see the token configuration) and gives it access to the repositories. The name of the secret can be anything, as long as it matches the argument given to the token option.

Note that Renovate cannot currently use fine-grained Personal Access Tokens, since they do not yet support the GitHub GraphQL API.

Note that the GITHUB_TOKEN secret can't be used for authenticating Renovate because its permissions are too restrictive. In particular, using the GITHUB_TOKEN to create a new Pull Request from more types of GitHub Workflows results in Pull Requests that do not trigger your Pull Request and Push CI events.

If you want to use the github-actions manager, you must set up a token that meets some special requirements (see the Troubleshooting section below).

renovate-image

The Renovate Docker image name to use. If omitted, or if renovate-image is an empty string, the action uses the ghcr.io/renovatebot/renovate Docker image name. If a Docker image name is defined, the action uses that name to pull the image.

This sample will use the myproxyhub.domain.com/renovate/renovate image.

....
jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3.5.3
      - name: Self-hosted Renovate
        uses: renovatebot/github-action@v39.0.0
        with:
          renovate-image: myproxyhub.domain.com/renovate/renovate
          token: ${{ secrets.RENOVATE_TOKEN }}

This sample will use the ghcr.io/renovatebot/renovate image.

....
jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3.5.3
      - name: Self-hosted Renovate
        uses: renovatebot/github-action@v39.0.0
        with:
          token: ${{ secrets.RENOVATE_TOKEN }}

renovate-version

The Renovate version to use. If omitted, the action uses the latest Docker tag. Check the available tags on Docker Hub.

This sample will use the ghcr.io/renovatebot/renovate:35.103.0 image.

....
jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3.5.3
      - name: Self-hosted Renovate
        uses: renovatebot/github-action@v39.0.0
        with:
          renovate-version: 35.103.0
          token: ${{ secrets.RENOVATE_TOKEN }}

This sample will use the ghcr.io/renovatebot/renovate:full image.

....
jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3.5.3
      - name: Self-hosted Renovate
        uses: renovatebot/github-action@v39.0.0
        with:
          renovate-version: full
          token: ${{ secrets.RENOVATE_TOKEN }}

We recommend you pin the version of Renovate to a full version or a full checksum, and use Renovate's regex manager to create PRs to update the pinned version. See .github/workflows/build.yml for an example of how to do this.

docker-cmd-file

Specify a command to run when the image starts. By default the image runs renovate.

This option is useful to customize the image before running renovate.

For example, you can create a simple script like this one (let's call it renovate-entrypoint.sh):

#!/bin/bash
apt update
apt install -y build-essential libpq-dev
runuser -u ubuntu renovate

Now use this script with the action:

....
jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3.5.3
      - name: Self-hosted Renovate
        uses: renovatebot/github-action@v39.0.0
        with:
          docker-cmd-file: .github/renovate-entrypoint.sh
          docker-user: root
          token: ${{ secrets.RENOVATE_TOKEN }}

docker-user

Specify a user (or user ID) to run the docker command as.

You can use it together with docker-cmd-file to start the image as root, do some customization, and switch back to an unprivileged user.

Example

This example uses a Personal Access Token and runs every 15 minutes. The Personal Access Token is configured as a GitHub secret named RENOVATE_TOKEN. This example uses the example/renovate-config.js file as configuration. You can also see a live example of this action in the vidavidorra/github-renovate repository, which also includes a more advanced configuration for updating GitHub Action workflows.

Remark: update the action version to the most current one; see here for the latest release.

name: Renovate
on:
  schedule:
    # The "*" (#42, asterisk) character has special semantics in YAML, so this
    # string has to be quoted.
    - cron: '0/15 * * * *'
jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3.5.3
      - name: Self-hosted Renovate
        uses: renovatebot/github-action@v39.0.0
        with:
          configurationFile: example/renovate-config.js
          token: ${{ secrets.RENOVATE_TOKEN }}

Example for GitHub Enterprise

If you want to use the Renovate Action on a GitHub Enterprise instance you have to add the following environment variable:

....
      - name: Self-hosted Renovate
        uses: renovatebot/github-action@v39.0.0
        with:
          configurationFile: example/renovate-config.js
          token: ${{ secrets.RENOVATE_TOKEN }}
        env:
          RENOVATE_ENDPOINT: "https://git.your-company.com/api/v3"

Example with GitHub App

Instead of using a Personal Access Token (PAT) that is tied to a particular user, you can use a GitHub App, whose permissions can be tuned even more finely. Create a new app and configure the app permissions and your config.js as described in the Renovate documentation.

Generate and download a new private key for the app, then add the contents of the downloaded .pem file to Secrets (repository settings) under the name private_key, and the app ID as a secret named app_id.

Adjust your Renovate configuration file to specify the username of your bot.

Going forward we will be using the tibdex/github-app-token action to exchange the GitHub App private key for an access token that Renovate can use.

The final workflow will look like this:

name: Renovate
on:
  schedule:
    # The "*" (#42, asterisk) character has special semantics in YAML, so this
    # string has to be quoted.
    - cron: '0/15 * * * *'
jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - name: Get token
        id: get_token
        uses: tibdex/github-app-token@v1
        with:
          private_key: ${{ secrets.private_key }}
          app_id: ${{ secrets.app_id }}

      - name: Checkout
        uses: actions/checkout@v3.5.3

      - name: Self-hosted Renovate
        uses: renovatebot/github-action@v39.0.0
        with:
          configurationFile: example/renovate-config.js
          token: '${{ steps.get_token.outputs.token }}'

Environment Variables

If you wish to pass environment variables through to the Docker container that powers this action, you need to prefix the environment variable with RENOVATE_.

For example, if you wish to pass credentials for a host rule through to config.js, do so like this:

  1. In your workflow, pass in the environment variable:

    ....
    jobs:
      renovate:
        runs-on: ubuntu-latest
        steps:
          - name: Checkout
            uses: actions/checkout@v3.5.3
          - name: Self-hosted Renovate
            uses: renovatebot/github-action@v39.0.0
            with:
              configurationFile: example/renovate-config.js
              token: ${{ secrets.RENOVATE_TOKEN }}
            env:
              RENOVATE_TFE_TOKEN: ${{ secrets.MY_TFE_TOKEN }}
  2. In example/renovate-config.js, include the hostRules block:

    module.exports = {
      hostRules: [
        {
          hostType: 'terraform-module',
          matchHost: 'app.terraform.io',
          token: process.env.RENOVATE_TFE_TOKEN,
        },
      ],
    };

Passing other environment variables

If you want to pass other variables to the Docker container, use the env-regex input to override the regular expression that decides which environment variables are allowed through.

In your workflow, pass the environment variable and allow it by specifying the env-regex:

....
jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3.5.3
      - name: Self-hosted Renovate
        uses: renovatebot/github-action@v39.0.0
        with:
          configurationFile: example/renovate-config.js
          token: ${{ secrets.RENOVATE_TOKEN }}
          env-regex: "^(?:RENOVATE_\\w+|LOG_LEVEL|GITHUB_COM_TOKEN|NODE_OPTIONS|AWS_TOKEN)$"
        env:
          AWS_TOKEN: ${{ secrets.AWS_TOKEN }}
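The following is an added example, not code from this action, that simulates how an env-regex allowlist decides which runner variables reach the renovate container, and how the hostRules block above then picks up RENOVATE_TFE_TOKEN. It assumes the action's default pattern is the one in the README's override minus AWS_TOKEN, and the runner environment and token values are constructed placeholders.

```javascript
// Added example (not part of renovatebot/github-action). It simulates the
// env-regex filtering step: only variable names matching the allowlist regex
// are handed to the renovate container; everything else stays on the runner.

// Assumed default pattern (the README override above adds AWS_TOKEN to it).
const DEFAULT_ENV_REGEX =
  '^(?:RENOVATE_\\w+|LOG_LEVEL|GITHUB_COM_TOKEN|NODE_OPTIONS)$';
// Override pattern exactly as in the README workflow above.
const OVERRIDE_ENV_REGEX =
  '^(?:RENOVATE_\\w+|LOG_LEVEL|GITHUB_COM_TOKEN|NODE_OPTIONS|AWS_TOKEN)$';

// Return the subset of `env` whose variable names match `envRegex`.
function filterEnv(env, envRegex) {
  const re = new RegExp(envRegex);
  return Object.fromEntries(
    Object.entries(env).filter(([name]) => re.test(name)),
  );
}

// Constructed sample of a runner's environment: variables the workflow set on
// purpose next to runner-provided ones that should never reach the container.
const runnerEnv = {
  RENOVATE_TFE_TOKEN: 'tfe-token-placeholder',
  LOG_LEVEL: 'debug',
  AWS_TOKEN: 'aws-token-placeholder',
  GITHUB_TOKEN: 'github-token-placeholder',
  ACTIONS_RUNTIME_TOKEN: 'runtime-token-placeholder',
  PATH: '/usr/bin',
};

// The hostRules block from the README, built from the filtered environment.
// `token` is undefined when RENOVATE_TFE_TOKEN was not allowed through.
function buildHostRules(env) {
  return [
    {
      hostType: 'terraform-module',
      matchHost: 'app.terraform.io',
      token: env.RENOVATE_TFE_TOKEN,
    },
  ];
}

// With the default regex only the RENOVATE_ variable and LOG_LEVEL pass;
// the override additionally lets AWS_TOKEN through.
console.log(Object.keys(filterEnv(runnerEnv, DEFAULT_ENV_REGEX)));
console.log(Object.keys(filterEnv(runnerEnv, OVERRIDE_ENV_REGEX)));
console.log(buildHostRules(filterEnv(runnerEnv, DEFAULT_ENV_REGEX))[0].token);
```

The GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN entries never match either pattern, which is the point of keeping the regex an explicit allowlist rather than passing the whole runner environment through.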

Troubleshooting

Debug logging

In case of issues, it's always a good idea to enable debug logging first. To enable debug logging, add the environment variable LOG_LEVEL: 'debug' to the action step:

- name: Self-hosted Renovate
  uses: renovatebot/github-action@v39.0.0
  with:
    configurationFile: example/renovate-config.js
    token: ${{ secrets.RENOVATE_TOKEN }}
  env:
    LOG_LEVEL: 'debug'

Special token requirements when using the github-actions manager

If you want to use the github-actions manager in Renovate, ensure that the token you provide includes the workflow scope. Otherwise, GitHub does not allow Renovate to update workflow files, so it will be unable to create update PRs for the affected packages (such as actions/checkout or renovatebot/github-action itself).
