ci: harden renovate auth and token fallback
This commit is contained in:
@@ -230,27 +230,66 @@ jobs:
|
||||
|
||||
- name: Run Renovate
|
||||
env:
|
||||
# RENOVATE_TOKEN is the primary auth mechanism — set via repo secret.
|
||||
RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
|
||||
# Prefer dedicated Renovate token, then fall back to existing CI tokens.
|
||||
RENOVATE_TOKEN_SECRET: ${{ secrets.RENOVATE_TOKEN }}
|
||||
ACTIONS_TRIGGER_TOKEN: ${{ secrets.ACTIONS_TRIGGER_TOKEN }}
|
||||
PACKAGE_ACCESS_TOKEN: ${{ secrets.PACKAGE_ACCESS_TOKEN }}
|
||||
RENOVATE_DRY_RUN: ${{ inputs.dry_run }}
|
||||
RENOVATE_CONFIG_FILE: renovate-config.js
|
||||
RENOVATE_PLATFORM: gitea
|
||||
RENOVATE_ENDPOINT: https://dogar.darkhelm.org/api/v1
|
||||
LOG_LEVEL: info
|
||||
run: |
|
||||
echo "=== Running Renovate Bot ==="
|
||||
|
||||
# Verify token is available
|
||||
if [ -z "${RENOVATE_TOKEN}" ]; then
|
||||
echo "❌ RENOVATE_TOKEN secret not configured"
|
||||
echo "Please add a Gitea API token to repository secrets"
|
||||
select_token() {
|
||||
if [ -n "${RENOVATE_TOKEN_SECRET:-}" ]; then
|
||||
echo "${RENOVATE_TOKEN_SECRET}"
|
||||
return 0
|
||||
fi
|
||||
if [ -n "${ACTIONS_TRIGGER_TOKEN:-}" ]; then
|
||||
echo "${ACTIONS_TRIGGER_TOKEN}"
|
||||
return 0
|
||||
fi
|
||||
if [ -n "${PACKAGE_ACCESS_TOKEN:-}" ]; then
|
||||
echo "${PACKAGE_ACCESS_TOKEN}"
|
||||
return 0
|
||||
fi
|
||||
return 1
|
||||
}
|
||||
|
||||
if ! SELECTED_TOKEN="$(select_token)"; then
|
||||
echo "❌ No token available for Renovate authentication"
|
||||
echo "Configure one of: RENOVATE_TOKEN, ACTIONS_TRIGGER_TOKEN, PACKAGE_ACCESS_TOKEN"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
export RENOVATE_TOKEN="${SELECTED_TOKEN}"
|
||||
unset SELECTED_TOKEN
|
||||
|
||||
# Validate token before starting Renovate to fail with actionable diagnostics.
|
||||
AUTH_CHECK_STATUS=$(curl -sS -o /tmp/renovate-auth-check.json -w "%{http_code}" \
|
||||
-H "Authorization: token ${RENOVATE_TOKEN}" \
|
||||
"${RENOVATE_ENDPOINT}/user" || true)
|
||||
|
||||
if [ "${AUTH_CHECK_STATUS}" != "200" ]; then
|
||||
echo "❌ Renovate token authentication preflight failed (HTTP ${AUTH_CHECK_STATUS})"
|
||||
echo "Expected a personal access token with repo/issue read-write permissions."
|
||||
if [ -s /tmp/renovate-auth-check.json ]; then
|
||||
echo "Response body:"
|
||||
cat /tmp/renovate-auth-check.json || true
|
||||
fi
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "✓ Renovate auth preflight passed"
|
||||
|
||||
# Run Renovate with configuration
|
||||
if [ "${RENOVATE_DRY_RUN}" = "true" ]; then
|
||||
echo "🔍 Running in DRY-RUN mode (no changes will be made)"
|
||||
fi
|
||||
|
||||
renovate DarkHelm.org/plex-playlist
|
||||
renovate --platform "${RENOVATE_PLATFORM}" --endpoint "${RENOVATE_ENDPOINT}" DarkHelm.org/plex-playlist
|
||||
|
||||
echo "✓ Renovate execution completed"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user