Renovate bot config for auto-updating dependencies across all raf/* forgejo repos
  • Shell 68%
  • JavaScript 32%
raf 9211d02db1 feat: email renovate scan summary+log to helpdesk@proserver1.at
Renovate previously only sent an ntfy note — NO email — so 'renovate emails to
helpdesk' never arrived (none were sent). Add a swaks send mirroring openvas
weekly-diff, using the CORRECT $SMARTHOST_PASSWORD var. Verified the SMARTHOST
path delivers (235 auth ok, 250 queued).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-21 08:44:29 +02:00
.gitignore init: renovate setup for ps1raf forgejo 2026-05-17 08:30:28 +02:00
config.js init: renovate setup for ps1raf forgejo 2026-05-17 08:30:28 +02:00
README.md init: renovate setup for ps1raf forgejo 2026-05-17 08:30:28 +02:00
run.sh feat: email renovate scan summary+log to helpdesk@proserver1.at 2026-06-21 08:44:29 +02:00

renovate — automatic dependency updates for Forgejo

Periodically scans every raf/* repo on ps1raf's Forgejo and opens PRs for out-of-date dependencies. Runs daily via a systemd user timer.

How it works

  • config.js — renovate config (platform=forgejo, autodiscover, filters, schedule)
  • run.sh — wrapper: pulls ghcr.io/renovatebot/renovate:latest, mounts config + step-CA root, passes RENOVATE_TOKEN from ~/.env
  • ~/.config/systemd/user/renovate.service — one-shot unit calling run.sh
  • ~/.config/systemd/user/renovate.timer — daily trigger
  • logs/ — per-run log files

Token

Forgejo PAT renovate-bot owned by raf (admin), scope all. Created via forgejo admin user generate-access-token. Saved to ~/.env as RENOVATE_TOKEN; keep that file mode 0600, because the token carries raf's full admin rights. That is broader than Renovate needs: a dedicated bot user holding only the repository, issue and user scopes that Renovate's Forgejo platform docs list would be the least-privilege setup. Rotate by re-running:

podman exec -u git forgejo forgejo admin user generate-access-token \
  --username raf --token-name renovate-bot --scopes all

Forgejo refuses to create a token whose name the user already has, so delete the old renovate-bot token first (user Settings > Applications in the web UI), then write the new value to ~/.env. Do the two steps together: the old token stops working the moment it is deleted.

SSL

The Forgejo instance terminates TLS with a cert from the local step-CA. Both node (NODE_EXTRA_CA_CERTS) and git (GIT_SSL_CAINFO) inside the renovate container are pointed at /home/raf/CERTS/root_ca.crt mounted read-only. The two variables differ: NODE_EXTRA_CA_CERTS adds the root to node's bundle, so registry lookups over public CAs keep working, while GIT_SSL_CAINFO replaces git's CA file, so git inside the container trusts only the step-CA root. That is fine here because git only ever talks to the Forgejo instance.
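As an added example (not the repository's run.sh, whose contents this page does not show), a wrapper with the shape the bullets above and the Token and SSL sections describe: it refuses an env file that others can read, hands the PAT to the container as an inherited variable rather than a literal argument, mounts config.js and the step-CA root read-only, and points node and git at the root. Host paths are the README's (~/.env, /home/raf/CERTS/root_ca.crt, /home/raf/renovate/logs); the container-side paths /certs/root_ca.crt and /usr/src/app/config.js and the RENOVATE_CONFIG_FILE variable are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example, not the repository's run.sh. Host paths follow the README;
# the container-side paths (/certs/root_ca.crt, /usr/src/app/config.js) are
# assumptions of this example.
set -euo pipefail

ENV_FILE="${ENV_FILE:-$HOME/.env}"
CA_CERT="${CA_CERT:-/home/raf/CERTS/root_ca.crt}"
CONFIG_JS="${CONFIG_JS:-$HOME/renovate/config.js}"
LOG_DIR="${LOG_DIR:-/home/raf/renovate/logs}"
IMAGE="${IMAGE:-ghcr.io/renovatebot/renovate:latest}"

# Load RENOVATE_TOKEN from the env file into the environment. The PAT has
# scope "all" on an admin account, so refuse a file anyone else can read.
load_token() {
  local file="$1" mode
  [ -f "$file" ] || { echo "load_token: $file not found" >&2; return 1; }
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    600|400) ;;
    *) echo "load_token: $file is mode $mode, expected 600" >&2; return 1 ;;
  esac
  RENOVATE_TOKEN=$(sed -n 's/^RENOVATE_TOKEN=//p' "$file" | tail -n 1)
  RENOVATE_TOKEN=${RENOVATE_TOKEN#\"}; RENOVATE_TOKEN=${RENOVATE_TOKEN%\"}
  [ -n "$RENOVATE_TOKEN" ] || { echo "load_token: RENOVATE_TOKEN not set in $file" >&2; return 1; }
  export RENOVATE_TOKEN
}

# Build the podman command line in PODMAN_CMD. Extra arguments (for example
# --dry-run=full raf/scannerserver) go straight through to renovate.
# The token is passed as an inherited variable (-e NAME without a value), never
# as a literal argument, so it appears neither in `ps` output nor in the log.
# NODE_EXTRA_CA_CERTS adds the step-CA root to node's bundle; GIT_SSL_CAINFO
# makes it git's only trusted CA, which is enough for the Forgejo endpoint.
build_podman_cmd() {
  PODMAN_CMD=(
    podman run --rm --pull=always
    -v "$CONFIG_JS:/usr/src/app/config.js:ro"
    -v "$CA_CERT:/certs/root_ca.crt:ro"
    -e RENOVATE_TOKEN
    -e RENOVATE_CONFIG_FILE=/usr/src/app/config.js
    -e NODE_EXTRA_CA_CERTS=/certs/root_ca.crt
    -e GIT_SSL_CAINFO=/certs/root_ca.crt
    "$IMAGE" "$@"
  )
}

# One run: load the token, assemble the command, log to a per-run file.
# pipefail keeps renovate's exit status as the result, not tee's.
run_renovate() {
  load_token "$ENV_FILE"
  build_podman_cmd "$@"
  mkdir -p "$LOG_DIR"
  local log="$LOG_DIR/renovate-$(date +%Y-%m-%d_%H%M%S).log"
  "${PODMAN_CMD[@]}" 2>&1 | tee -a "$log"
}

# Entry point only when the file is installed under the README's name, run.sh;
# under any other name it just defines the functions and can be sourced.
if [ "${BASH_SOURCE[0]##*/}" = run.sh ]; then
  run_renovate "$@"
fi
```

IMAGE defaults to the :latest tag, as the README says run.sh does; that tag is mutable, so pinning to a digest and bumping it deliberately is the safer supply-chain choice for a container that holds an admin token.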

Onboarding

The first time renovate sees a repo it opens a renovate/configure PR that adds renovate.json with config:recommended + :dependencyDashboard. Merge it to opt in; close it to opt out. Once merged, the dependency dashboard issue tracks the ongoing update PRs.

Operations

# Dry-run a single repo (no PRs created)
./run.sh --dry-run=full raf/scannerserver

# Trigger a full run now
systemctl --user start renovate.service

# Tail latest log
tail -f $(ls -t /home/raf/renovate/logs/*.log | head -1)

# Check schedule
systemctl --user list-timers renovate.timer

Filters

autodiscoverFilter: ['raf/*'] limits scope to the raf user's repos. Add patterns like '!raf/scratch-*' to exclude.
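To check a filter change before the next daily run, here is an added example (not code from the repository) that reproduces how a Renovate autodiscoverFilter list selects repositories. It assumes current Renovate semantics: a repo is kept when it matches at least one positive pattern (or there are none) and matches no "!"-prefixed pattern. Shell case globs stand in for Renovate's minimatch, which additionally matches case-insensitively; the repo list in the sample call is constructed.

```bash
#!/usr/bin/env bash
# Added example, not the repository's code. Approximates Renovate's
# autodiscoverFilter selection (matchRegexOrGlobList semantics, assumed):
# keep a repo if it matches some positive pattern, or there is none, and it
# matches no "!"-prefixed pattern. Shell globs stand in for minimatch.
set -euo pipefail

# glob_match PATTERN NAME: succeeds when NAME matches the glob PATTERN
# (the pattern is deliberately unquoted so case treats it as a glob).
glob_match() {
  case "$2" in $1) return 0 ;; esac
  return 1
}

# autodiscover_select FILTER... -- REPO...: prints the repos the filters keep
autodiscover_select() {
  local -a filters=()
  while [ $# -gt 0 ] && [ "$1" != -- ]; do filters+=("$1"); shift; done
  if [ $# -gt 0 ]; then shift; fi   # drop the -- separator
  local repo pat positives matched excluded
  for repo in "$@"; do
    positives=0 matched=0 excluded=0
    for pat in ${filters[@]+"${filters[@]}"}; do
      if [ "${pat#!}" != "$pat" ]; then
        # negative pattern: any hit excludes the repo
        glob_match "${pat#!}" "$repo" && excluded=1
      else
        positives=1
        glob_match "$pat" "$repo" && matched=1
      fi
    done
    if [ "$excluded" -eq 0 ] && { [ "$positives" -eq 0 ] || [ "$matched" -eq 1 ]; }; then
      printf '%s\n' "$repo"
    fi
  done
}

# Constructed sample: the README's filter plus an exclusion, over made-up names.
autodiscover_select 'raf/*' '!raf/scratch-*' -- \
  raf/scannerserver raf/scratch-tmp other/renovate raf/renovate
```

The sample call keeps raf/scannerserver and raf/renovate, drops raf/scratch-tmp on the exclusion and other/renovate because it matches no positive pattern.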

Throttling

prHourlyLimit: 4 and prConcurrentLimit: 10 keep PR floods bounded across the ~50 repos. The onboarding PR for each repo asks for schedule: after 4am and before 8am on monday, so update PRs only land in that weekly window; the daily timer still fires every day, but outside the window Renovate leaves the update branches alone. Renovate evaluates schedule in UTC unless the config also sets timezone, so set it (e.g. 'Europe/Vienna') if the window is meant in local time.