Renovate Bot #257

Closed
opened 2026-05-25 17:35:30 +00:00 by guettli · 5 comments
guettli commented 2026-05-25 17:35:30 +00:00 (Migrated from codeberg.org)

Renovate Bot should run once per day via Forgejo Actions to keep dependencies up to date.

Renovate natively supports Forgejo as a platform: https://docs.renovatebot.com/modules/platform/forgejo/

Implementation

  • renovate.json — Renovate config covering pub, Dockerfile, and Forgejo Actions workflows
  • ci/main.go — Renovate() Dagger function using RENOVATE_PLATFORM=forgejo and endpoint https://codeberg.org
  • .forgejo/workflows/renovate.yml — daily cron (06:00 UTC) workflow calling task renovate
  • Taskfile.yml — renovate task wrapping the Dagger call

Secret

Repository secret name: RENOVATE_FORGEJO_TOKEN

Needs scopes: repo (read/write), user (read), issue (read/write), organization (read).

guettlibot commented 2026-05-25 17:44:50 +00:00 (Migrated from codeberg.org)

Implementation Plan: Renovate Bot via Dagger Forgejo Action (Issue #257)

This plan extends PR #226 (branch issue-216-fix), which added renovate.json with basic configuration for pub, Dockerfile, and Forgejo Actions dependency updates.

Context

PR #226 already provides:

  • renovate.json: configures Renovate to scan pub (pubspec.yaml), Dockerfile, and .forgejo/workflows/ action versions

What is missing: a Forgejo Actions workflow that actually runs Renovate once per day, calling it via Dagger.


Approach: Dagger function wrapping the official Renovate container

The cleanest way to satisfy "Call Renovate via Dagger" while keeping the action small is:

  1. Add a Renovate() function to ci/main.go that spins up the official renovate/renovate Docker image inside a Dagger container, passes the required environment variables, and executes Renovate against the repository.
  2. Add a minimal .forgejo/workflows/renovate.yml that runs on a daily cron, sets up the remote Dagger engine (via the existing scripts/setup_dagger_remote.sh), and calls dagger call -m ci --source=. renovate.

This keeps the workflow YAML tiny — just the Dagger engine setup and a single dagger call — exactly as done in ci.yml.


Files to Change

1. ci/main.go

Add a new exported Dagger function:

```go
// Renovate runs Renovate Bot against the repository to create/update dependency-update PRs.
// renovateToken is a Forgejo personal access token with read/write access to the repo.
// The token is only ever attached as a Dagger secret; the module never reads its
// plaintext, so it cannot end up in logs or in the Dagger cache.
func (m *Ci) Renovate(ctx context.Context, renovateToken *dagger.Secret) error {
    _, err := dag.Container().
        From("renovate/renovate:latest"). // pin to a version (see "Renovate container image pinning" below)
        WithSecretVariable("RENOVATE_TOKEN", renovateToken).
        WithEnvVariable("RENOVATE_PLATFORM", "gitea").
        WithEnvVariable("RENOVATE_ENDPOINT", "https://codeberg.org").
        WithEnvVariable("RENOVATE_REPOSITORIES", "guettli/sharedinbox").
        WithEnvVariable("LOG_LEVEL", "debug").
        WithExec([]string{"renovate"}).
        Sync(ctx) // Sync forces execution; a failed renovate run (or an unresolvable secret) surfaces as err
    return err
}
```

Key points:

  • Use WithSecretVariable (not WithEnvVariable) for the token so it is never logged.
  • RENOVATE_PLATFORM=gitea is the correct Renovate platform identifier for Forgejo/Codeberg.
  • RENOVATE_ENDPOINT points to Codeberg's API.
  • No source directory mount is needed — Renovate clones the repo itself using the token.

2. .forgejo/workflows/renovate.yml

A minimal new workflow file:

```yaml
name: Renovate Bot

on:
  schedule:
    - cron: '0 6 * * *'   # once per day at 06:00 UTC
  workflow_dispatch:       # allow manual trigger for testing

jobs:
  renovate:
    name: Run Renovate
    runs-on: ubuntu-latest
    timeout-minutes: 30

    steps:
      - uses: actions/checkout@v4

      - name: Setup Dagger Remote Engine (via stunnel)
        env:
          DAGGER_STUNNEL_URL: ${{ secrets.DAGGER_STUNNEL_URL }}
          DAGGER_CA_CERT: ${{ secrets.DAGGER_CA_CERT }}
          DAGGER_CLIENT_CERT: ${{ secrets.DAGGER_CLIENT_CERT }}
          DAGGER_CLIENT_KEY: ${{ secrets.DAGGER_CLIENT_KEY }}
        run: scripts/setup_dagger_remote.sh

      - name: Run Renovate via Dagger
        # One env block per step: a second `env:` key on the same step is a
        # duplicate mapping key and invalid YAML.
        env:
          DAGGER_NO_NAG: "1"
          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}   # read by Dagger via env:RENOVATE_TOKEN, never echoed
        run: |
          dagger call -m ci --source=. renovate --renovate-token env:RENOVATE_TOKEN

      - name: Cleanup TLS credentials
        if: always()
        run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
```

New Secret Required

A new Codeberg repository secret must be added:

| Secret name | Value |
|---|---|
| RENOVATE_TOKEN | A Forgejo personal access token for the sharedinbox@thomas-guettler.de account (or a dedicated bot account) with Contents: Read/Write and Issues/PRs: Read/Write permissions on the guettli/sharedinbox repository. |

Renovate container image pinning

renovate/renovate:latest should be pinned to a specific version (e.g., renovate/renovate:39) to avoid unexpected breakage and to allow Renovate itself to update the pin via its docker manager (self-update). The exact version to use at implementation time should be the latest stable major.


Risks and Open Questions

  1. Renovate platform value: Forgejo is treated as gitea platform in Renovate. This is documented and stable, but worth verifying that the current Renovate version supports Codeberg's Forgejo version.

  2. Token permissions: The token must have write access to create branches and open PRs. If a dedicated bot account is not available, the maintainer's token can be used but it is less auditable.

  3. Self-hosted runner availability: The renovate job uses the same ubuntu-latest self-hosted runner as other jobs. If the runner is busy or offline, the daily run is simply skipped (no retry). This is acceptable for a dependency-update job.

  4. Dagger module path: The existing workflows call dagger call -m ci --source=.. This works because the Dagger module is at the repo root (the dagger.json is at root level, with the Go source in ci/). The new Renovate function fits naturally into the existing Ci struct in ci/main.go.

  5. No source mount needed: Unlike build/test functions, Renovate clones the repository itself. Passing --source=. to dagger call is still required as a module argument, but the Renovate function does not need to use it (it can accept Source *dagger.Directory as an optional unused param, or the Dagger module SDK may require it as the receiver field — verify at implementation time).

  6. Cron timing: 06:00 UTC daily is a reasonable default (low runner contention, early-morning for CEST). Can be adjusted.


Summary of Changes

| File | Change |
|---|---|
| ci/main.go | Add Renovate(ctx, renovateToken) function |
| .forgejo/workflows/renovate.yml | New file: daily cron, Dagger engine setup, dagger call … renovate |
| Codeberg secrets | Add RENOVATE_TOKEN |

No changes to renovate.json (already correct in PR #226). No changes to Taskfile.yml (optional: a renovate: task could be added for local testing, but the issue says keep it small).

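The issue's Secret section and the plan's token and image-pinning sections describe checks that fail silently when skipped: a floating image tag, a token passed through the plain environment, or a token with more scopes than Renovate needs. The Go below is an added example, not code from guettli/sharedinbox or from Renovate; it has no Dagger dependency and would sit in front of the Dagger call as a preflight. Assumptions not on this page: the scope names (`write:repository`, `read:user`, `write:issue`, `read:organization`) follow the Gitea/Forgejo `level:category` scheme and should be checked against the token form on Codeberg; the digest in `main` is a constructed placeholder, not the digest of any real Renovate image; and whether `RENOVATE_ENDPOINT` wants a bare host or the `/api/v1` base path must be confirmed against the Renovate platform docs linked in the issue. One further caveat for the pinning section: Renovate's built-in Docker managers read Dockerfiles, Compose files and similar, not Go source, so an image reference inside `From(...)` in ci/main.go is only self-updated once a custom (regex) manager or a file Renovate already scans carries it.

```go
// Added example, not code from guettli/sharedinbox: preflight checks a CI module could
// run before handing the Renovate invocation to Dagger. Plain Go, no Dagger import.
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// RenovateRun is the public, non-secret part of a run. The token is deliberately
// not a field: it travels as a Dagger secret, never through the plain environment.
type RenovateRun struct {
	Image        string   // e.g. "renovate/renovate:39.0.0@sha256:<digest>"
	Platform     string   // "gitea" or "forgejo"
	Endpoint     string   // Forgejo API base URL (exact shape assumed; verify against the Renovate docs)
	Repositories []string // "owner/name" entries
}

var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// ParseImageRef splits name[:tag][@digest]. A registry host may carry a port, so
// the tag separator is the last ':' that comes after the last '/'.
func ParseImageRef(ref string) (name, tag, digest string, err error) {
	if at := strings.Index(ref, "@"); at >= 0 {
		digest, ref = ref[at+1:], ref[:at]
		if !digestRe.MatchString(digest) {
			return "", "", "", fmt.Errorf("image %q: malformed digest %q", ref, digest)
		}
	}
	if colon := strings.LastIndex(ref, ":"); colon > strings.LastIndex(ref, "/") {
		tag, ref = ref[colon+1:], ref[:colon]
	}
	return ref, tag, digest, nil
}

// RequirePinned rejects floating references (no tag, "latest", or no digest).
func RequirePinned(ref string) error {
	name, tag, digest, err := ParseImageRef(ref)
	switch {
	case err != nil:
		return err
	case tag == "" || tag == "latest":
		return fmt.Errorf("image %q is not pinned to a version tag", name)
	case digest == "":
		return fmt.Errorf("image %s:%s has no digest; pin tag@sha256:... so a re-tag cannot change what runs", name, tag)
	}
	return nil
}

// EnvVars validates the run and builds the RENOVATE_* variables; the token is never in this map.
func (r RenovateRun) EnvVars() (map[string]string, error) {
	if err := RequirePinned(r.Image); err != nil {
		return nil, err
	}
	if u, err := url.Parse(r.Endpoint); err != nil || u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("endpoint %q must be an https URL", r.Endpoint)
	}
	if len(r.Repositories) == 0 {
		return nil, fmt.Errorf("no repositories configured; a write token must not run against an unbounded set")
	}
	return map[string]string{
		"RENOVATE_PLATFORM":     r.Platform,
		"RENOVATE_ENDPOINT":     r.Endpoint,
		"RENOVATE_REPOSITORIES": strings.Join(r.Repositories, ","),
	}, nil
}

// RequiredScopes is the least-privilege token set the issue asks for, in the assumed Gitea/Forgejo "level:category" scheme.
var RequiredScopes = []string{"write:repository", "read:user", "write:issue", "read:organization"}

// CheckScopes compares granted scopes with RequiredScopes; a write scope covers a read requirement.
// Missing scopes break the run; extra scopes only widen what a leaked token can do.
func CheckScopes(granted []string) (missing, extra []string) {
	have := map[string]bool{}
	for _, s := range granted {
		have[s] = true
	}
	need := map[string]string{} // category -> required level
	for _, s := range RequiredScopes {
		level, cat, _ := strings.Cut(s, ":")
		need[cat] = level
		if !have[s] && !(level == "read" && have["write:"+cat]) {
			missing = append(missing, s)
		}
	}
	for _, s := range granted {
		level, cat, _ := strings.Cut(s, ":")
		if want, ok := need[cat]; !ok || (want == "read" && level == "write") {
			extra = append(extra, s)
		}
	}
	return missing, extra
}

func main() {
	run := RenovateRun{Image: "renovate/renovate:39.0.0@sha256:" + strings.Repeat("0", 64), // constructed placeholder digest
		Platform: "forgejo", Endpoint: "https://codeberg.org", Repositories: []string{"guettli/sharedinbox"}}
	fmt.Println(run.EnvVars())
	fmt.Println(CheckScopes([]string{"write:repository", "read:user", "write:issue", "write:organization"}))
}
```

Inside the Dagger function, `RequirePinned` would run before `From(...)`, `EnvVars` would feed the `WithEnvVariable` calls, and the token would still go through `WithSecretVariable`; `CheckScopes` takes the scope list the token was created with and flags both what Renovate lacks and what a leak would additionally expose.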
guettlibot commented 2026-05-25 17:45:03 +00:00 (Migrated from codeberg.org)

Planning complete. To resume this session:

claude --resume 3b136318-60a3-4158-9d2b-859415271b5f
guettlibot commented 2026-05-25 20:06:24 +00:00 (Migrated from codeberg.org)

Automatic merge of PR #262 failed (PR is still open after the merge command). Please merge manually.

guettlibot commented 2026-05-25 20:26:22 +00:00 (Migrated from codeberg.org)

Automatic merge of PR #262 failed (PR is still open after the merge command). Please merge manually.

guettlibot commented 2026-05-26 06:19:36 +00:00 (Migrated from codeberg.org)

All required components are now in main:

  • renovate.json — Renovate configuration
  • ci/main.go — Renovate() Dagger function using RENOVATE_PLATFORM=gitea and Codeberg endpoint
  • .forgejo/workflows/renovate.yml — daily cron (06:00 UTC) workflow
  • Taskfile.yml — renovate task

Closing as implemented.

Reference: guettli/sharedinbox#257