Skip to content

chore: restore self-hosted Renovate workflow#214

Open
vredchenko wants to merge 1 commit into
mainfrom
chore/restore-self-hosted-renovate
Open

chore: restore self-hosted Renovate workflow#214
vredchenko wants to merge 1 commit into
mainfrom
chore/restore-self-hosted-renovate

Conversation

@vredchenko
Copy link
Copy Markdown
Collaborator

@vredchenko vredchenko commented May 28, 2026

Summary

Restores the self-hosted Renovate workflow that was dropped in smartem-devtools#182 on 2026-03-25 in favour of the org-wide Mend.io Renovate GitHub App. The app has not been reliably processing this repo since then — visible in git log as a sequence of manually-authored chore(deps) and security: CVE bumps over the past month (mako, urllib3, idna, starlette on smartem-decisions; equivalent gaps elsewhere) that Renovate should have automated.

What this changes

Adds .github/workflows/renovate.yml:

  • Twice-daily schedule (04:00 and 16:00 UTC) plus workflow_dispatch for ad-hoc runs.
  • Pins renovatebot/github-action@v46.1.14 (latest as of 2026-05-11) — Renovate itself will bump it.
  • permissions block covers what GITHUB_TOKEN needs for checkout and the action's bookkeeping; the actual Renovate identity and write permissions come from RENOVATE_TOKEN.
  • Reads existing renovate.json (no config changes needed).

What does NOT change

  • renovate.json and the shared renovate/default.json preset are untouched — both validate cleanly via renovate-config-validator.
  • The Mend.io org-wide app remains installed but will no-op once the self-hosted workflow is running.

Required before merge

Repo admin must add a RENOVATE_TOKEN secret (fine-grained PAT with contents: write, pull-requests: write, issues: write, workflows: write, metadata: read on this repo). Without it the workflow will run but Renovate will exit immediately complaining about an empty token.

Test plan

  • RENOVATE_TOKEN secret added.
  • Trigger the workflow manually via Actions → Renovate → Run workflow.
  • Verify the run completes (visible in Actions tab; ~1-2 min).
  • Verify the Dependency Dashboard issue gets refreshed (Renovate updates in place).
  • Verify a real PR appears for at least one pending update from the dashboard's "Awaiting Schedule" list.

Why per-repo and not autodiscovery

Per-repo workflow keeps the Renovate orchestration footprint inside each repo — no cross-repo token scope, no single workflow whose failure stops dep updates everywhere. Aligned with the workspace's preference for vendor-independent, locally-controlled tooling.

@vredchenko
chore: restore self-hosted Renovate workflow
01e086a 
The org-wide Mend.io Renovate GitHub App has not been reliably
processing this repo since late April. Restore the self-hosted
workflow originally added in the Dependabot -> Renovate migration
and dropped in smartem-devtools#182. Schedule is twice daily plus
workflow_dispatch; renovate.json is unchanged and continues to drive
configuration via the shared preset.

Requires RENOVATE_TOKEN secret to be set.
@vredchenko vredchenko added the devops CI/CD, deployment, infrastructure, or tooling work label May 28, 2026
@vredchenko vredchenko mentioned this pull request May 28, 2026
Open
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

devops CI/CD, deployment, infrastructure, or tooling work

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vredchenko