ci: harden renovate auth and token fallback

This commit is contained in:
copilotcoder
2026-07-01 17:41:12 -04:00
parent 21d81ec74c
commit 83df833ae7

View File

@@ -230,27 +230,66 @@ jobs:
- name: Run Renovate
env:
# RENOVATE_TOKEN is the primary auth mechanism — set via repo secret.
RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
# Prefer dedicated Renovate token, then fall back to existing CI tokens.
RENOVATE_TOKEN_SECRET: ${{ secrets.RENOVATE_TOKEN }}
ACTIONS_TRIGGER_TOKEN: ${{ secrets.ACTIONS_TRIGGER_TOKEN }}
PACKAGE_ACCESS_TOKEN: ${{ secrets.PACKAGE_ACCESS_TOKEN }}
RENOVATE_DRY_RUN: ${{ inputs.dry_run }}
RENOVATE_CONFIG_FILE: renovate-config.js
RENOVATE_PLATFORM: gitea
RENOVATE_ENDPOINT: https://dogar.darkhelm.org/api/v1
LOG_LEVEL: info
run: |
echo "=== Running Renovate Bot ==="
# Verify token is available
if [ -z "${RENOVATE_TOKEN}" ]; then
echo "RENOVATE_TOKEN secret not configured"
echo "Please add a Gitea API token to repository secrets"
select_token() {
if [ -n "${RENOVATE_TOKEN_SECRET:-}" ]; then
echo "${RENOVATE_TOKEN_SECRET}"
return 0
fi
if [ -n "${ACTIONS_TRIGGER_TOKEN:-}" ]; then
echo "${ACTIONS_TRIGGER_TOKEN}"
return 0
fi
if [ -n "${PACKAGE_ACCESS_TOKEN:-}" ]; then
echo "${PACKAGE_ACCESS_TOKEN}"
return 0
fi
return 1
}
if ! SELECTED_TOKEN="$(select_token)"; then
echo "❌ No token available for Renovate authentication"
echo "Configure one of: RENOVATE_TOKEN, ACTIONS_TRIGGER_TOKEN, PACKAGE_ACCESS_TOKEN"
exit 1
fi
export RENOVATE_TOKEN="${SELECTED_TOKEN}"
unset SELECTED_TOKEN
# Validate token before starting Renovate to fail with actionable diagnostics.
AUTH_CHECK_STATUS=$(curl -sS -o /tmp/renovate-auth-check.json -w "%{http_code}" \
-H "Authorization: token ${RENOVATE_TOKEN}" \
"${RENOVATE_ENDPOINT}/user" || true)
if [ "${AUTH_CHECK_STATUS}" != "200" ]; then
echo "❌ Renovate token authentication preflight failed (HTTP ${AUTH_CHECK_STATUS})"
echo "Expected a personal access token with repo/issue read-write permissions."
if [ -s /tmp/renovate-auth-check.json ]; then
echo "Response body:"
cat /tmp/renovate-auth-check.json || true
fi
exit 1
fi
echo "✓ Renovate auth preflight passed"
# Run Renovate with configuration
if [ "${RENOVATE_DRY_RUN}" = "true" ]; then
echo "🔍 Running in DRY-RUN mode (no changes will be made)"
fi
renovate DarkHelm.org/plex-playlist
renovate --platform "${RENOVATE_PLATFORM}" --endpoint "${RENOVATE_ENDPOINT}" DarkHelm.org/plex-playlist
echo "✓ Renovate execution completed"