From 83df833ae742e5b0f966a78e9510eb9fe61aed53 Mon Sep 17 00:00:00 2001 From: copilotcoder Date: Wed, 1 Jul 2026 17:41:12 -0400 Subject: [PATCH] ci: harden renovate auth and token fallback --- .gitea/workflows/renovate.yml | 53 ++++++++++++++++++++++++++++++----- 1 file changed, 46 insertions(+), 7 deletions(-) diff --git a/.gitea/workflows/renovate.yml b/.gitea/workflows/renovate.yml index b51d0e6..5e32cff 100644 --- a/.gitea/workflows/renovate.yml +++ b/.gitea/workflows/renovate.yml @@ -230,27 +230,66 @@ jobs: - name: Run Renovate env: - # RENOVATE_TOKEN is the primary auth mechanism — set via repo secret. - RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }} + # Prefer dedicated Renovate token, then fall back to existing CI tokens. + RENOVATE_TOKEN_SECRET: ${{ secrets.RENOVATE_TOKEN }} + ACTIONS_TRIGGER_TOKEN: ${{ secrets.ACTIONS_TRIGGER_TOKEN }} + PACKAGE_ACCESS_TOKEN: ${{ secrets.PACKAGE_ACCESS_TOKEN }} RENOVATE_DRY_RUN: ${{ inputs.dry_run }} RENOVATE_CONFIG_FILE: renovate-config.js + RENOVATE_PLATFORM: gitea + RENOVATE_ENDPOINT: https://dogar.darkhelm.org/api/v1 LOG_LEVEL: info run: | echo "=== Running Renovate Bot ===" - # Verify token is available - if [ -z "${RENOVATE_TOKEN}" ]; then - echo "❌ RENOVATE_TOKEN secret not configured" - echo "Please add a Gitea API token to repository secrets" + select_token() { + if [ -n "${RENOVATE_TOKEN_SECRET:-}" ]; then + echo "${RENOVATE_TOKEN_SECRET}" + return 0 + fi + if [ -n "${ACTIONS_TRIGGER_TOKEN:-}" ]; then + echo "${ACTIONS_TRIGGER_TOKEN}" + return 0 + fi + if [ -n "${PACKAGE_ACCESS_TOKEN:-}" ]; then + echo "${PACKAGE_ACCESS_TOKEN}" + return 0 + fi + return 1 + } + + if ! SELECTED_TOKEN="$(select_token)"; then + echo "❌ No token available for Renovate authentication" + echo "Configure one of: RENOVATE_TOKEN, ACTIONS_TRIGGER_TOKEN, PACKAGE_ACCESS_TOKEN" exit 1 fi + export RENOVATE_TOKEN="${SELECTED_TOKEN}" + unset SELECTED_TOKEN + + # Validate token before starting Renovate to fail with actionable diagnostics. + AUTH_CHECK_STATUS=$(curl -sS -o /tmp/renovate-auth-check.json -w "%{http_code}" \ + -H "Authorization: token ${RENOVATE_TOKEN}" \ + "${RENOVATE_ENDPOINT}/user" || true) + + if [ "${AUTH_CHECK_STATUS}" != "200" ]; then + echo "❌ Renovate token authentication preflight failed (HTTP ${AUTH_CHECK_STATUS})" + echo "Expected a personal access token with repo/issue read-write permissions." + if [ -s /tmp/renovate-auth-check.json ]; then + echo "Response body:" + cat /tmp/renovate-auth-check.json || true + fi + exit 1 + fi + + echo "✓ Renovate auth preflight passed" + # Run Renovate with configuration if [ "${RENOVATE_DRY_RUN}" = "true" ]; then echo "🔍 Running in DRY-RUN mode (no changes will be made)" fi - renovate DarkHelm.org/plex-playlist + renovate --platform "${RENOVATE_PLATFORM}" --endpoint "${RENOVATE_ENDPOINT}" DarkHelm.org/plex-playlist echo "✓ Renovate execution completed"