Configure Renovate on your self-hosted Forgejo or Gitea

Self-hosted Dependabot

Created on 11 October 2024.

I was using GitHub at work and have really found Dependabot useful. Naturally, I wondered if I could have something similar on my own git instance powered by Forgejo.

A quick search led me to find... Renovate.

Here is what I did to have it up and running:

Prerequisites:

  • Gitea or Forgejo self-hosted instance with admin access
  • Gitea or Forgejo Actions enabled and at least one runner active

Let's get started:

  1. From my Forgejo account (or Gitea), logged in as the Admin, I went to Site Administration -> Identity & access -> User accounts.

There is a nice little button "Create User Account" which you can use. I made a new user called "renovate-bot". Make it a normal user, not a site administrator: it only needs access to the repositories you explicitly give it. Note down the email address as well.

  2. Log in to the Forgejo instance as this newly created user. Then go to Settings -> Applications and generate a new Access Token. I called it "renovate-bot-token"; the name is relevant only for you. If your instance lets you choose token scopes, grant only what Renovate needs (read/write on repositories and issues, read on the user, plus read on organizations if it should autodiscover organization repositories) rather than everything. Note down the generated token; it is shown only once.

  3. Logged back in as my normal account. I created a new repository. Most common tutorials will tell you to name this repository "renovate-config". Good enough for me.

  4. In this "renovate-config" repository I added 2 files:

  • config.js which is the centralised configuration file for Renovate
  • .gitea/workflows/renovate.yml which is the workflow responsible for automation

The config.js file I have contains something like this:

module.exports = {
    // Change this to your domain or subdomain; the runner must be able to reach it.
    "endpoint": "https://yourdomainnamehere/api/v1",
    // Name and e-mail address of the bot account you created, used for the commits it makes.
    "gitAuthor": "Renovate Bot <renovate@yourdomain.com>",
    // Keep "gitea" even for Forgejo: Renovate talks to both through the same API.
    "platform": "gitea",
    // Run against every repository the bot user can see.
    "autodiscover": true,
    "optimizeForDisabled": true,
};

Since I enabled autodiscover, and have multiple repositories, I enabled optimizeForDisabled, which makes Renovate check for a disabled config before cloning a repository. You can read more about this option, and many more to adjust to your liking, in the Renovate self-hosted configuration docs. Keep in mind that autodiscover means the bot will process every repository the token can see; if that is more than you intend, narrow it with autodiscoverFilter.

Great. You now have a basic configuration. Just like Dependabot makes constant checks, we want Renovate to do the same, right? We will achieve this using the workflow.

The workflow file looks like this:

name: renovate

on:
  schedule:
    - cron: "@daily"
  push:
    branches:
      - main

jobs:
  renovate:
    runs-on: ubuntu-latest
    container: ghcr.io/renovatebot/renovate:38.116.0
    steps:
      - uses: actions/checkout@v4
      - run: renovate
        env:
          RENOVATE_CONFIG_FILE: "/workspace/<<username>>/<<repo name>>/config.js"
          LOG_LEVEL: "debug"
          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
          GITHUB_COM_TOKEN: ${{ secrets.TOKEN_GITHUB }}

The schedule -> cron -> @daily is where the magic happens. It can be changed to run more or less often if you would like; your platform's Actions documentation lists the cron syntax it accepts. The push trigger additionally runs Renovate whenever you change the configuration repository itself, which is handy while tuning it.

You should update the RENOVATE_CONFIG_FILE env variable with your username and repository name; that path is where the runner checks the repository out. I would keep the debug log level for now, until you get the hang of it and everything works to your liking, then drop it to info, since debug output is very verbose.

And finally, for your renovate-config repository, go to your repository Settings -> Actions -> Secrets.

  • Add one called RENOVATE_TOKEN and paste in the token you saved at step 2.
  • Add another one called TOKEN_GITHUB and paste in a Personal Access Token from your own GitHub account. It needs no extra scopes, since Renovate only uses it for read access to public repositories; it is there to decorate each PR with the release notes of the dependency being updated and to avoid the unauthenticated API rate limit.

Also, please note the expression syntax: it is ${{ secrets.NAME }} with no space between the two opening braces. Some renderers show it with a space, and copying that breaks the workflow.

  5. One more thing to do is enable Renovate for one of your repos. Create a renovate.json file in a repository of your choice.

Here is what I have in mine:

{
  "extends": [
    "config:best-practices"
  ],
  "packageRules": [
    {
      "matchUpdateTypes": [
        "minor",
        "patch",
        "pin",
        "digest"
      ],
      "automerge": true
    }
  ],
  "osvVulnerabilityAlerts": true
}

Be careful! These settings tell the Renovate bot to create PRs and, for minor, patch, pin and digest updates, to merge them without human intervention. Renovate only automerges once the branch's status checks pass, so this is exactly as safe as the CI you run on those PRs: with no tests, a bad or compromised upstream release can land in your main branch unreviewed. Your mileage might vary. Perhaps start by setting automerge to false in the beginning and then enable it in the future.
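As an added example, not the configuration from the original post, here is a more conservative renovate.json that keeps the convenience of automerge but narrows it. It automerges only patch and digest updates, waits a few days after a release before proposing it (so a release that is yanked or found to be malicious shortly after publication never reaches you), leaves minor updates for a human to merge, and parks major updates behind approval in the Dependency Dashboard. Security PRs raised from OSV data get a label so they stand out. The label name, the three-day window and the PR limit are my choices, not values the post prescribes.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:best-practices"
  ],
  "dependencyDashboard": true,
  "osvVulnerabilityAlerts": true,
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "automerge": false
  },
  "minimumReleaseAge": "3 days",
  "prConcurrentLimit": 5,
  "packageRules": [
    {
      "description": "Automerge only the smallest updates, and only after CI on the PR passes",
      "matchUpdateTypes": ["patch", "digest"],
      "automerge": true
    },
    {
      "description": "Minor updates get a PR, but a human merges it",
      "matchUpdateTypes": ["minor"],
      "automerge": false
    },
    {
      "description": "Major updates are not even opened until approved in the Dependency Dashboard",
      "matchUpdateTypes": ["major"],
      "dependencyDashboardApproval": true
    }
  ]
}
```

Compared with the post's version, the only behavioural difference for day-to-day use is that minor updates now need a click; the rest is the waiting period and the approval gate for majors. Once you are comfortable with the noise level, you can relax either rule per package with an additional packageRules entry using matchPackageNames.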

And one more thing you need to do: in this repository's Settings -> Collaborators -> add the renovate-bot as a collaborator with write permissions. Write is the minimum that lets the bot push its update branches and open PRs; it does not need admin on the repository.

Other notes:

  • The first time the renovate workflow runs, it will take longer since the runner needs to pull the Renovate docker image. Subsequent runs will be faster since the image is cached on the runner.
  • The first time Renovate runs in a repository, it will create an onboarding PR that you need to merge to confirm the settings before it starts proposing updates.
  • An issue called Dependency Dashboard will be created automatically as well. This happens if the repository's local Renovate config file is read correctly, so it doubles as a check that your renovate.json is valid.
