From 431d8f7dd441d024219276cce8e9e361abdf6cd4 Mon Sep 17 00:00:00 2001
From: Marco Franssen
Date: Fri, 18 Apr 2025 14:37:23 +0200
Subject: [PATCH] renovate: Use GitHub app to retrieve a token

As Renovate will run with a different token, there is no need for specific workflow permissions anymore. Instead the GitHub app should have sufficient permissions to create a PullRequest on the repo. See https://github.com/actions/create-github-app-token/blob/main/README.md on instructions how to add the GitHub App. Please note we need to configure following on the repo settings: variable RENOVATE_APP_ID secret RENOVATE_PRIVATE_KEY I named it specific like this so we can dedicate this app specifically to Renovate and therefore also keep permissions limited to the Renovate usecase.

Signed-off-by: Marco Franssen
---
 .github/workflows/renovate.yaml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml
index 61f6ed28d..62e91d5e2 100644
--- a/.github/workflows/renovate.yaml
+++ b/.github/workflows/renovate.yaml
@@ -15,14 +15,16 @@ jobs:
 renovate:
 runs-on: ubuntu-latest
- permissions:
- contents: write
- pull-requests: write
-
 steps:
 - name: Checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+ id: app-token
+ with:
+ app-id: ${{ vars.RENOVATE_APP_ID }}
+ private-key: ${{ secrets.RENOVATE_PRIVATE_KEY }}
+
 - name: Self-hosted Renovate
 uses: renovatebot/github-action@e084b5ac6fd201023db6dd7743aec023babb02c8 # v41.0.13
 with:
@@ -30,6 +32,6 @@ jobs:
 token: "${{ secrets.GITHUB_TOKEN }}"
 env:
 LOG_LEVEL: ${{ env.ACTIONS_STEP_DEBUG == 'true' && 'debug' || 'info' }}
- RENOVATE_REPOSITORIES: ${{ github.repository }}
+ RENOVATE_REPOSITORIES: ${{ steps.app-token.outputs.token }}
 RENOVATE_ALLOW_SCRIPTS: true
 RENOVATE_SEPARATE_MAJOR_MINOR: false
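Review bot: The new create-github-app-token step in the first hunk mints a token carrying every permission the app installation holds, although the description says the point of a dedicated app is to keep its reach limited to Renovate. The action accepts `permission-<name>` inputs that scope the issued token, so adding `permission-contents: write` and `permission-pull-requests: write` under `with:` gives the token only what the removed `permissions:` block used to grant the workflow. The step is also the only one in the job without a `name:`; `- name: Create GitHub App token` keeps the job log readable alongside its neighbours. Be aware that pull requests opened with an app token, unlike ones opened with GITHUB_TOKEN, do trigger `pull_request` workflows, so each Renovate update will now run the repository's CI, which is usually desired but is a change in behaviour worth stating in the commit message.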
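Review bot: In the second hunk the app token is written into `RENOVATE_REPOSITORIES`, which the removed line shows held `${{ github.repository }}`, the list of repositories to process, while the `token:` input on the context line above still passes `${{ secrets.GITHUB_TOKEN }}`. As a result Renovate keeps authenticating with the token the commit set out to replace, and with the `permissions:` block removed in the first hunk that GITHUB_TOKEN now only has the repository's default workflow permissions, so PR creation may fail, while the app token is handed to Renovate as a repository name. The intended wiring is presumably `token: "${{ steps.app-token.outputs.token }}"` on the input and `RENOVATE_REPOSITORIES: ${{ github.repository }}` restored in the env block. The action registers its token output as a secret, so the misplaced value should be masked in the job log, but that is a safety net rather than a reason to leave a credential in a variable Renovate may echo in diagnostics.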