{"id":13412399,"url":"https://github.com/renovatebot/github-action","last_synced_at":"2026-01-30T11:36:59.255Z","repository":{"id":37495925,"uuid":"252754603","full_name":"renovatebot/github-action","owner":"renovatebot","description":null,"archived":false,"fork":false,"pushed_at":"2026-01-19T04:25:27.000Z","size":13513,"stargazers_count":454,"open_issues_count":16,"forks_count":105,"subscribers_count":6,"default_branch":"main","last_synced_at":"2026-01-19T11:28:13.412Z","etag":null,"topics":["github-action","github-actions","renovate"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/renovatebot.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"license","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-04-03T14:24:03.000Z","updated_at":"2026-01-19T04:24:25.000Z","dependencies_parsed_at":"2025-12-07T14:03:02.448Z","dependency_job_id":null,"html_url":"https://github.com/renovatebot/github-action","commit_stats":{"total_commits":3610,"total_committers":40,"mean_commits":90.25,"dds":0.2542936288088643,"last_synced_commit":"13076dbca14b6fb9d8695a518b8f879973d68705"},"previous_names":[],"tags_count":1479,"template":false,"template_full_name":null,"purl":"pkg:github/renovatebot/github-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/renovatebot%2Fgithub-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/renovatebot%2Fgithub-action/tags","releases_url":"https:
//repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/renovatebot%2Fgithub-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/renovatebot%2Fgithub-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/renovatebot","download_url":"https://codeload.github.com/renovatebot/github-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/renovatebot%2Fgithub-action/sbom","scorecard":{"id":722417,"data":{"date":"2025-08-11","repo":{"name":"github.com/renovatebot/github-action","commit":"8823e9ced0aba57136b80b62c921271b262b411f"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":6.2,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns 
detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/build.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":10,"reason":"all dependencies are pinned","details":["Info:   5 out of   5 GitHub-owned GitHubAction dependencies pinned","Info:   1 out of   1 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if 
the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: license:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/renovatebot/.github/SECURITY.md:1","Info: Found linked content: github.com/renovatebot/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/renovatebot/.github/SECURITY.md:1","Info: Found text in security 
policy: github.com/renovatebot/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T11:46:16.000Z","repository_id":37495925,"created_at":"2025-08-22T11:46:16.000Z","updated_at":"2025-08-22T11:46:16.000Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28580687,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-19T18:52:07.356Z","status":"ssl_error","status_checked_at":"2026-01-19T18:49:52.190Z","response_time":67,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-action","github-actions","renovate"],"created_at":"2024-07-30T20:01:24.245Z","updated_at":"2026-01-26T07:15:37.889Z","avatar_url":"https://github.com/renovatebot.png","language":"TypeScript","readme":"# GitHub Action Renovate\n\nGitHub Action to run Renovate self-hosted.\n\n\u003c!-- markdownlint-disable no-inline-html 
--\u003e\n\n\u003ca name=\"toc\"\u003e\u003c/a\u003e\n\n## Table of contents\n\n- [Badges](#badges)\n- [Options](#options)\n  - [`configurationFile`](#configurationfile)\n  - [`docker-cmd-file`](#docker-cmd-file)\n  - [`docker-network`](#docker-network)\n  - [`docker-socket-host-path`](#docker-socket-host-path)\n  - [`docker-user`](#docker-user)\n  - [`docker-volumes`](#docker-volumes)\n  - [`env-regex`](#env-regex)\n  - [`mount-docker-socket`](#mount-docker-socket)\n  - [`token`](#token)\n  - [`renovate-image`](#renovate-image)\n  - [`renovate-version`](#renovate-version)\n- [Example](#example)\n- [Environment Variables](#environment-variables)\n  - [Passing other environment variables](#passing-other-environment-variables)\n- [Persisting the Repository Cache](#persisting-the-repository-cache)\n- [Troubleshooting](#troubleshooting)\n  - [Debug Logging](#debug-logging)\n  - [Special token requirements when using the `github-actions` manager](#special-token-requirements-when-using-the-github-actions-manager)\n\n## Badges\n\n| Badge                                                                                                                                                                                                                   | Description  | Service              |\n| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | -------------------- |\n| \u003ca href=\"https://github.com/prettier/prettier#readme\"\u003e\u003cimg alt=\"code style\" src=\"https://img.shields.io/badge/code_style-prettier-ff69b4.svg?style=flat-square\"\u003e\u003c/a\u003e                                                    | Code style   | Prettier             |\n| \u003ca href=\"https://conventionalcommits.org\"\u003e\u003cimg alt=\"Conventional Commits: 1.0.0\" 
src=\"https://img.shields.io/badge/Conventional%20Commits-1.0.0-yellow.svg?style=flat-square\"\u003e\u003c/a\u003e                                      | Commit style | Conventional Commits |\n| \u003ca href=\"https://renovatebot.com\"\u003e\u003cimg alt=\"Renovate enabled\" src=\"https://img.shields.io/badge/renovate-enabled-brightgreen.svg?style=flat-square\"\u003e\u003c/a\u003e                                                                | Dependencies | Renovate             |\n| \u003ca href=\"https://github.com/renovatebot/github-action/actions\"\u003e\u003cimg alt=\"GitHub workflow status\" src=\"https://img.shields.io/github/actions/workflow/status/renovatebot/github-action/build.yml?style=flat-square\"\u003e\u003c/a\u003e | Build        | GitHub Actions       |\n\n## Options\n\nOptions can be passed using the inputs of this action or the corresponding environment variables.\nWhen both are passed, the input takes precedence over the environment variable.\nFor the available environment variables, see the Renovate [Self-Hosted Configuration](https://docs.renovatebot.com/self-hosted-configuration/) docs.\n\n### `configurationFile`\n\nConfiguration file to configure Renovate (\"global\" config) in JavaScript or JSON format.\nIt is recommended to not name it one of the repository configuration filenames listed in the Renovate Docs for [Configuration Options](https://docs.renovatebot.com/configuration-options/).\n\nConfig examples can be found in the [example](./example) directory.\n\nThe configurations that can be done in this file consists of two parts, as listed below.\nRefer to the links to the [Renovate Docs](https://docs.renovatebot.com/) for all options.\n\n1. [Self-Hosted Configuration Options](https://docs.renovatebot.com/self-hosted-configuration/)\n2. 
[Configuration Options](https://docs.renovatebot.com/configuration-options/)\n\nThe [`branchPrefix`](https://docs.renovatebot.com/configuration-options/#branchprefix) option is important to configure and should be configured to a value other than the default to prevent interference with e.g. the Renovate GitHub App.\n\nIf you want to use this with just the single configuration file, make sure to include the following two configuration lines.\nThis disables the requirement of a configuration file for the repository and disables onboarding.\n\n```js\n  onboarding: false,\n  requireConfig: 'optional',\n```\n\n### `docker-cmd-file`\n\nSpecify a command to run when the image starts.\nBy default the image runs\n`renovate`.\nThis option is useful to customize the image before running `renovate`.\nIt must be an existing executable file on the local system.\nIt will be mounted to the docker container.\n\nFor example you can create a simple script like this one (let's call it\n`renovate-entrypoint.sh`).\n\n```sh\n#!/bin/bash\n\napt update\n\napt install -y build-essential libpq-dev\n\nrunuser -u ubuntu renovate\n```\n\nNow use this action\n\n```yml\n....\njobs:\n  renovate:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v6.0.2\n      - name: Self-hosted Renovate\n        uses: renovatebot/github-action@v44.2.5\n        with:\n          docker-cmd-file: .github/renovate-entrypoint.sh\n          docker-user: root\n          token: ${{ secrets.RENOVATE_TOKEN }}\n```\n\n### `docker-network`\n\nSpecify a network to run the container in.\n\nYou can use `${{ job.container.network }}` to run the renovate container [in the same network as other containers for this job](https://docs.github.com/en/actions/learn-github-actions/contexts#job-context),\nor set it to `host` to run in the same network as the GitHub runner, or specify any custom network.\n\n### `docker-socket-host-path`\n\nAllows the overriding of the host path for the Docker socket that is 
mounted into the container.\nUseful on systems where the host Docker socket is located somewhere other than `/var/run/docker.sock` (the default).\nOnly applicable when `mount-docker-socket` is true.\n\n### `docker-user`\n\nSpecify a user (or user-id) to run the docker command.\n\nYou can use it with [`docker-cmd-file`](#docker-cmd-file) in order to start the\nimage as root, do some customization and switch back to an unprivileged user.\n\n### `docker-volumes`\n\nSpecify volume mounts. Defaults to `/tmp:/tmp`.\nThe volume mounts are separated by `;`.\n\nThis sample will mount `/tmp:/tmp` and `/foo:/bar`.\n\n```yml\n....\njobs:\n  renovate:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v6.0.2\n      - name: Self-hosted Renovate\n        uses: renovatebot/github-action@v44.2.5\n        with:\n          token: ${{ secrets.RENOVATE_TOKEN }}\n          docker-volumes: |\n            /tmp:/tmp ;\n            /foo:/bar\n```\n\n### `env-regex`\n\nConfigures the regex that defines which environment variables are passed to the renovate container.\nSee the [Passing other environment variables](#passing-other-environment-variables) section for more details.\n\n### `mount-docker-socket`\n\nDefaults to `false`. If set to `true` the action will mount the Docker socket\ninside the renovate container so that the commands can use Docker. Can be useful\nfor `postUpgradeTasks` commands. 
Also adds the user inside the renovate\ncontainer to the docker group for socket permissions.\n\n### `token`\n\n[Generate a Personal Access Token (classic)](https://github.com/settings/tokens), with the `repo:public_repo` scope for only public repositories or the `repo` scope for public and private repositories, and add it to _Secrets_ (repository settings) as `RENOVATE_TOKEN`.\nYou can also create a token without a specific scope, which gives read-only access to public repositories, for testing.\nThis token is only used by Renovate, see the [token configuration](https://docs.renovatebot.com/self-hosted-configuration/#token), and gives it access to the repositories.\nThe name of the secret can be anything as long as it matches the argument given to the `token` option.\n\nNote that Renovate _cannot_ currently use [Fine-grained Personal Access Tokens](https://github.com/settings/tokens?type=beta) since they do not support the GitHub GraphQL API yet.\n\nNote that the [`GITHUB_TOKEN`](https://help.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token) secret can't be used for authenticating Renovate because its permissions are too restrictive.\nIn particular, using the `GITHUB_TOKEN` to create a new `Pull Request` from more types of GitHub workflows results in `Pull Requests` that [do not trigger your `Pull Request` and `Push` CI events](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow).\n\nIf you want to use the `github-actions` manager, you must set up a [special token](#special-token-requirements-when-using-the-github-actions-manager) with some requirements.\n\n### `renovate-image`\n\nThe Renovate Docker image name to use.\nIf omitted, the action will use the `ghcr.io/renovatebot/renovate:\u003crenovate-version\u003e` Docker image name.\nIf a Docker image name is defined, the action will use that name to pull the 
image.\n\nThis sample will use `myproxyhub.domain.com/renovate/renovate:\u003crenovate-version\u003e` image.\n\n```yml\n....\njobs:\n  renovate:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v6.0.2\n      - name: Self-hosted Renovate\n        uses: renovatebot/github-action@v44.2.5\n        with:\n          renovate-image: myproxyhub.domain.com/renovate/renovate\n          token: ${{ secrets.RENOVATE_TOKEN }}\n```\n\nThis sample will use `ghcr.io/renovatebot/renovate:\u003crenovate-version\u003e` image.\n\n```yml\n....\njobs:\n  renovate:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v6.0.2\n      - name: Self-hosted Renovate\n        uses: renovatebot/github-action@v44.2.5\n        with:\n          token: ${{ secrets.RENOVATE_TOKEN }}\n```\n\n### `renovate-version`\n\nThe Renovate version to use.\nIf omitted the action will use the [`default version`](./action.yml#L28) Docker tag.\nCheck [the available tags on Docker Hub](https://hub.docker.com/r/renovate/renovate/tags).\n\nThis sample will use `ghcr.io/renovatebot/renovate:42.92.4` image.\n\n```yml\n....\njobs:\n  renovate:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v6.0.2\n      - name: Self-hosted Renovate\n        uses: renovatebot/github-action@v44.2.5\n        with:\n          renovate-version: 42.92.4\n          token: ${{ secrets.RENOVATE_TOKEN }}\n```\n\nThis sample will use `ghcr.io/renovatebot/renovate:full` image.\n\n```yml\n....\njobs:\n  renovate:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v6.0.2\n      - name: Self-hosted Renovate\n        uses: renovatebot/github-action@v44.2.5\n        with:\n          renovate-version: full\n          token: ${{ secrets.RENOVATE_TOKEN }}\n```\n\nWe recommend you pin the version of Renovate to a full version or a full checksum, and use Renovate's regex manager 
to create PRs to update the pinned version.\nSee `.github/workflows/build.yml` for an example of how to do this.\n\n## Example\n\nThis example uses a Personal Access Token and will run every 15 minutes.\nThe Personal Access token is configured as a GitHub secret named `RENOVATE_TOKEN`.\nThis example uses the [`example/renovate-config.js`](./example/renovate-config.js) file as configuration.\nLive examples with more advanced configurations of this action can be found in the following repositories:\n\n- [vidavidorra/renovate](https://github.com/vidavidorra/renovate/blob/main/.github/renovate.json)\n- [jenkinsci/helm-charts](https://github.com/jenkinsci/helm-charts/blob/main/.github/renovate-config.json5)\n\n**Remark** Update the action version to the most current, see [here](https://github.com/renovatebot/github-action/releases/latest) for latest release.\n\n```yml\nname: Renovate\non:\n  schedule:\n    # The \"*\" (#42, asterisk) character has special semantics in YAML, so this\n    # string has to be quoted.\n    - cron: '0/15 * * * *'\njobs:\n  renovate:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v6.0.2\n      - name: Self-hosted Renovate\n        uses: renovatebot/github-action@v44.2.5\n        with:\n          configurationFile: example/renovate-config.js\n          token: ${{ secrets.RENOVATE_TOKEN }}\n```\n\n### Example for GitHub Enterprise\n\nIf you want to use the Renovate Action on a GitHub Enterprise instance you have to add the following environment variable:\n\n```yml\n....\n      - name: Self-hosted Renovate\n        uses: renovatebot/github-action@v44.2.5\n        with:\n          configurationFile: example/renovate-config.js\n          token: ${{ secrets.RENOVATE_TOKEN }}\n        env:\n          RENOVATE_ENDPOINT: \"https://git.your-company.com/api/v3\"\n```\n\n### Example with GitHub App\n\nInstead of using a Personal Access Token (PAT) that is tied to a particular user you can use a [GitHub 
App](https://docs.github.com/en/developers/apps/building-github-apps) where permissions can be tuned more finely.\n[Create a new app](https://docs.github.com/en/developers/apps/creating-a-github-app) and configure the app permissions and your `config.js` as described in the [Renovate documentation](https://docs.renovatebot.com/modules/platform/github/#running-as-a-github-app).\n\nGenerate and download a new private key for the app, adding the contents of the downloaded `.pem` file to _Secrets_ (repository settings) with the name `private_key` and the app ID as a secret with the name `app_id`.\n\nAdjust your Renovate configuration file to specify the username of your bot.\n\nFrom the GitHub App configuration page, install the app in your account or your organization's account, and configure the repository access.\n\nGoing forward we will be using the [`actions/create-github-app-token` action](https://github.com/actions/create-github-app-token) in order to exchange the GitHub App certificate for an access token that Renovate can use.\n\nThe final workflow will look like this:\n\n```yaml\nname: Renovate\non:\n  schedule:\n    # The \"*\" (#42, asterisk) character has special semantics in YAML, so this\n    # string has to be quoted.\n    - cron: '0/15 * * * *'\njobs:\n  renovate:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Get token\n        id: get_token\n        uses: actions/create-github-app-token@v1\n        with:\n          private-key: ${{ secrets.private_key }}\n          app-id: ${{ secrets.app_id }}\n          owner: ${{ github.repository_owner }}\n          repositories: 'repo1,repo2'\n\n      - name: Checkout\n        uses: actions/checkout@v6.0.2\n\n      - name: Self-hosted Renovate\n        uses: renovatebot/github-action@v44.2.5\n        with:\n          configurationFile: example/renovate-config.js\n          token: '${{ steps.get_token.outputs.token }}'\n```\n\n### Commit signing with GitHub App\n\nRenovate can sign commits when deployed as a 
GitHub App by utilizing GitHub's API-based commits.\nTo activate this, ensure that `platformCommit` is set to `true` in global config.\nIf a configuration file is defined, include `platformCommit: true` to activate this feature.\nFor example:\n\n```yaml\n- name: Self-hosted Renovate\n  uses: renovatebot/github-action@v44.2.5\n  with:\n    token: '${{ steps.get_token.outputs.token }}'\n  env:\n    RENOVATE_PLATFORM_COMMIT: 'true'\n```\n\n## Environment Variables\n\nIf you wish to pass environment variables through to the Docker container that powers this action, you need to prefix the environment variable with `RENOVATE_`.\n\nFor example, if you wish to pass through some credentials for a [host rule](https://docs.renovatebot.com/configuration-options/#hostrules) to the `config.js`, then you should do so like this.\n\n1. In your workflow pass in the environment variable\n\n   ```yml\n   ....\n   jobs:\n     renovate:\n       runs-on: ubuntu-latest\n       steps:\n         - name: Checkout\n           uses: actions/checkout@v6.0.2\n         - name: Self-hosted Renovate\n           uses: renovatebot/github-action@v44.2.5\n           with:\n             configurationFile: example/renovate-config.js\n             token: ${{ secrets.RENOVATE_TOKEN }}\n           env:\n             RENOVATE_TFE_TOKEN: ${{ secrets.MY_TFE_TOKEN }}\n   ```\n\n1. 
In `example/renovate-config.js` include the hostRules block\n\n   ```js\n   module.exports = {\n     hostRules: [\n       {\n         hostType: 'terraform-module',\n         matchHost: 'app.terraform.io',\n         token: process.env.RENOVATE_TFE_TOKEN,\n       },\n     ],\n   };\n   ```\n\n### Passing other environment variables\n\nIf you want to pass other variables to the Docker container use the `env-regex` input to override the regular expression that is used to allow environment variables.\n\nIn your workflow pass the environment variable and whitelist it by specifying the `env-regex`:\n\n```yml\n....\njobs:\n  renovate:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v6.0.2\n      - name: Self-hosted Renovate\n        uses: renovatebot/github-action@v44.2.5\n        with:\n          configurationFile: example/renovate-config.js\n          token: ${{ secrets.RENOVATE_TOKEN }}\n          env-regex: \"^(?:RENOVATE_\\\\w+|LOG_LEVEL|GITHUB_COM_TOKEN|NODE_OPTIONS|AWS_TOKEN)$\"\n        env:\n          AWS_TOKEN: ${{ secrets.AWS_TOKEN }}\n```\n\n## Persisting the repository cache\n\nIn some cases, Renovate can update PRs more frequently than you expect. The [repository cache](https://docs.renovatebot.com/self-hosted-configuration/#repositorycache) can help with this issue. You need a few things to persist this cache in GitHub actions:\n\n1. Enable the `repositoryCache` [option](https://docs.renovatebot.com/self-hosted-configuration/#repositorycache) via env vars or renovate.json.\n2. Persist `/tmp/renovate/cache/renovate/repository` as an artifact.\n3. Restore the artifact before renovate runs.\n\nBelow is a workflow example with caching.\n\nNote that while archiving and compressing the cache is more performant, especially if you need to handle lots of files within the cache, it's not strictly necessary. 
You could simplify this workflow and only upload and download a single artifact file (or directory) with a direct path (e.g. `/tmp/renovate/cache/renovate/repository/github/$org/$repo.json`). However, you'll still need to set the correct permissions with `chown` as shown in the example.\n\n```yml\nname: Renovate\non:\n  # This lets you dispatch a renovate job with different cache options if you want to reset or disable the cache manually.\n  workflow_dispatch:\n    inputs:\n      repoCache:\n        description: 'Reset or disable the cache?'\n        type: choice\n        default: enabled\n        options:\n          - enabled\n          - disabled\n          - reset\n  schedule:\n    # Run every 30 minutes:\n    - cron: '0,30 * * * *'\n\n# Adding these as env variables makes it easy to re-use them in different steps and in bash.\nenv:\n  cache_archive: renovate_cache.tar.gz\n  # This is the dir renovate provides -- if we set our own directory via cacheDir, we can run into permissions issues.\n  # It is also possible to cache a higher level of the directory, but it has minimal benefit. While renovate execution\n  # time gets faster, it also takes longer to upload the cache as it grows bigger.\n  cache_dir: /tmp/renovate/cache/renovate/repository\n  # This can be manually changed to bust the cache if necessary.\n  cache_key: renovate-cache\n\njobs:\n  renovate:\n    name: Renovate\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v3\n\n      # This third party action allows you to download the cache artifact from different workflow runs\n      # Note that actions/cache doesn't work well because the cache key would need to be computed from\n      # a file within the cache, meaning there would never be any data to restore. With other keys, the\n      # cache wouldn't necessarily upload when it changes. 
actions/download-artifact also doesn't work\n      # because it only handles artifacts uploaded in the same run, and we want to restore from the\n      # previous successful run.\n      - uses: dawidd6/action-download-artifact@v2\n        if: github.event.inputs.repoCache != 'disabled'\n        continue-on-error: true\n        with:\n          name: ${{ env.cache_key }}\n          path: cache-download\n\n      # Using tar to compress and extract the archive isn't strictly necessary, but it can improve\n      # performance significantly when uploading artifacts with lots of files.\n      - name: Extract renovate cache\n        run: |\n          set -x\n          # Skip if no cache is set, such as the first time it runs.\n          if [ ! -d cache-download ] ; then\n            echo \"No cache found.\"\n            exit 0\n          fi\n\n          # Make sure the directory exists, and extract it there. Note that it's nested in the download directory.\n          mkdir -p $cache_dir\n          tar -xzf cache-download/$cache_archive -C $cache_dir\n\n          # Unfortunately, the permissions expected within renovate's docker container\n          # are different than the ones given after the cache is restored. We have to\n          # change ownership to solve this. 
We also need to have correct permissions in\n          # the entire /tmp/renovate tree, not just the section with the repo cache.\n          sudo chown -R 12021:0 /tmp/renovate/\n          ls -R $cache_dir\n\n      - uses: renovatebot/github-action@v44.2.5\n        with:\n          configurationFile: renovate.json5\n          token: ${{ secrets.RENOVATE_TOKEN }}\n          renovate-version: 42.92.4\n        env:\n          # This enables the cache -- if this is set, it's not necessary to add it to renovate.json.\n          RENOVATE_REPOSITORY_CACHE: ${{ github.event.inputs.repoCache || 'enabled' }}\n\n      # Compression helps performance in the upload step!\n      - name: Compress renovate cache\n        run: |\n          ls $cache_dir\n          # The -C is important -- otherwise we end up extracting the files with\n          # their full path, ultimately leading to a nested directory situation.\n          # To solve *that*, we'd have to extract to root (/), which isn't safe.\n          tar -czvf $cache_archive -C $cache_dir .\n\n      - uses: actions/upload-artifact@v3\n        if: github.event.inputs.repoCache != 'disabled'\n        with:\n          name: ${{ env.cache_key }}\n          path: ${{ env.cache_archive }}\n          # Since this is updated and restored on every run, we don't need to keep it\n          # for long. 
Just make sure this value is large enough that multiple renovate\n          # runs can happen before older cache archives are deleted.\n          retention-days: 1\n```\n\n## Troubleshooting\n\n### Debug logging\n\nIn case of issues, it's always a good idea to enable debug logging first.\nTo enable debug logging, add the environment variable `LOG_LEVEL: 'debug'` to the action:\n\n```yml\n- name: Self-hosted Renovate\n  uses: renovatebot/github-action@v44.2.5\n  with:\n    configurationFile: example/renovate-config.js\n    token: ${{ secrets.RENOVATE_TOKEN }}\n  env:\n    LOG_LEVEL: 'debug'\n```\n\n### Special token requirements when using the `github-actions` manager\n\nIf you want to use the `github-actions` [manager](https://docs.renovatebot.com/modules/manager/github-actions/) in Renovate, ensure that the `token` you provide contains the `workflow` scope.\nOtherwise, GitHub does not allow Renovate to update workflow files and therefore it will be unable to create update PRs for affected packages (like `actions/checkout` or `renovatebot/github-action` itself).\n","funding_links":[],"categories":["TypeScript"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frenovatebot%2Fgithub-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frenovatebot%2Fgithub-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frenovatebot%2Fgithub-action/lists"}