
Replace dependabot with renovate for GitHub Actions updates#37050

Draft
silverwind wants to merge 9 commits into go-gitea:main from silverwind:renovate

Conversation

@silverwind (Member) commented Mar 31, 2026

Replace dependabot with Renovate for GitHub Actions dependency updates (and more in the future). Config is equivalent. To activate it, we have these options:

Action would look like this:

```yaml
name: renovate
on:
  schedule:
    - cron: '0 4 * * *'
  workflow_dispatch:

jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: renovatebot/github-action@v42
        with:
          token: ${{ secrets.RENOVATE_TOKEN }}
```

Before merge, an admin must either enable the app or we add the action. I'm undecided which approach is better. App may be more secure, but action is more configurable from the repo and portable to gitea, so I think action overall wins.

Fixes: #33386

Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Mar 31, 2026
@TheFox0x7 (Contributor) commented:
Alternatively we can run it in our CI directly, though it's also via app just not the mend one.
cc @techknowlogick per the discord talk few months ago

@silverwind (Member, Author) commented Mar 31, 2026

> Alternatively we can run it in our CI directly, though it's also via app just not the mend one. cc @techknowlogick per the discord talk few months ago

Pushed an action based on that in a0b98c6. It requires 2 secrets but may be a more secure approach because it uses short-lived tokens instead of a long-lived PAT. Here are the steps to obtain them:

  1. Go to https://github.com/organizations/go-gitea/settings/apps/new
  2. Give it a name like "Gitea Renovate"
  3. Permissions needed: Contents (read/write), Pull requests (read/write)
  4. Install the app on the go-gitea/gitea repository

Then from the app's settings page:

  • RENOVATE_APP_ID — the "App ID" shown on the app's general settings page
  • RENOVATE_PRIVATE_KEY — generate one under "Private keys", download the .pem file, and paste its full contents as the secret

Also recommended would be a branch protection rule so it can only push to renovate/* branches:

  1. Go to https://github.com/go-gitea/gitea/settings/rules/new
  2. Name: "Restrict Renovate"
  3. Enforcement: Active
  4. Target branches: Include renovate/**
  5. Bypass list: Add the Renovate GitHub App
  6. Rules: Enable "Restrict creations" and "Restrict pushes" — block everyone except the bypass list

silverwind and others added 2 commits March 31, 2026 12:35
Signed-off-by: silverwind <me@silverwind.io>
Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
@silverwind (Member, Author) commented:
Once this is merged, I think we could go ahead with #36971; Renovate understands and can update the SHA format, so no manual updates are needed.
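The wiring that the steps above (RENOVATE_APP_ID, RENOVATE_PRIVATE_KEY) and the SHA-pinning remark for #36971 imply, written out as one workflow. This is an added example, not the PR's own cron-renovate.yml: the job's GITHUB_TOKEN stays read-only, every write goes through a short-lived installation token scoped to this repository and to the two permissions the app was installed with, and each action is pinned to a commit SHA with the version in a trailing comment so Renovate can bump SHA and comment together. The all-zero SHAs are constructed placeholders to be replaced with audited commits; the `permission-*` and `repositories` inputs of actions/create-github-app-token, the `configurationFile` input of renovatebot/github-action and its pass-through of `RENOVATE_*` / `LOG_LEVEL` environment variables are assumed from those actions' documentation.

```yaml
name: cron-renovate
on:
  schedule:
    - cron: '0 4 * * *'
  workflow_dispatch:

# The job's own GITHUB_TOKEN is reduced to read-only. Every write Renovate
# performs (branches, pull requests) uses the installation token minted below,
# which expires after the run instead of living on as a PAT.
permissions:
  contents: read

jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      # Placeholder SHAs (constructed, not real commits). Pin to the full commit
      # of the release you reviewed and keep the version in the trailing
      # comment; Renovate reads that comment and updates it with the SHA.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4

      - name: Mint a short-lived installation token
        id: app-token
        uses: actions/create-github-app-token@0000000000000000000000000000000000000000 # v2
        with:
          app-id: ${{ secrets.RENOVATE_APP_ID }}
          private-key: ${{ secrets.RENOVATE_PRIVATE_KEY }}
          # Narrow the token to this repository and to the two permissions the
          # app was installed with (input names assumed from the action's docs).
          repositories: gitea
          permission-contents: write
          permission-pull-requests: write

      - name: Run Renovate
        uses: renovatebot/github-action@0000000000000000000000000000000000000000 # v42
        with:
          token: ${{ steps.app-token.outputs.token }}
          configurationFile: renovate.json
        env:
          # Restrict the run to this repository; everything else (managers,
          # labels, minimumReleaseAge) belongs in renovate.json.
          RENOVATE_REPOSITORIES: ${{ github.repository }}
          LOG_LEVEL: info
```

Combined with the ruleset from the steps above (Renovate in the bypass list, creations and pushes restricted on `renovate/**`), a leaked installation token is bounded in time by its expiry and in scope to branches that still have to pass review before they reach main.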

Copilot AI (Contributor) left a comment:

Pull request overview

This PR migrates GitHub Actions dependency update automation from Dependabot to Renovate by adding a Renovate configuration and a scheduled workflow, and removing the existing Dependabot configuration.

Changes:

  • Add renovate.json to configure Renovate for github-actions updates with matching labels and a 5-day minimum release age.
  • Add a scheduled GitHub Actions workflow to run Renovate using a GitHub App installation token.
  • Remove .github/dependabot.yml to disable Dependabot updates.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| renovate.json | Introduces Renovate configuration to manage GitHub Actions updates with repo labels and release age delay. |
| .github/workflows/cron-renovate.yml | Adds a scheduled/manual workflow to run Renovate using a GitHub App token. |
| .github/dependabot.yml | Removes Dependabot configuration now superseded by Renovate. |


silverwind and others added 5 commits March 31, 2026 12:50
Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
@@ -0,0 +1,8 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"],
@silverwind (Member, Author) commented:

Maybe it should extend gitea>gitea/renovate-config. @techknowlogick would you agree? Any problems with github -> gitea access expected?

Contributor commented:

might be relevant for you here: https://github.com/TheFox0x7/renovate-config/blob/main/config.js
We can start from that config but have it here so if gitea.com has downtime this task won't fail.

@silverwind (Member, Author) commented Mar 31, 2026:
gitea.com downtime is a concern, but not the end of the world as it would just run the next day. I think we can either try to use gitea>gitea/renovate-config directly or replicate what's in there to avoid the gitea.com dependency.

@silverwind (Member, Author) commented Mar 31, 2026:
BTW how does renovate retrieve the config? Does it git clone the shared repo? Ideally I think I'd want shared config in a npm package or similar, e.g. infrastructure that is essentially guaranteed to be available.

Contributor commented:
npm hosted version will be deprecated from what I see. I think it just reads the given file and not the entire repository.... but I'm not sure and it's not written in docs at a glance.
https://docs.renovatebot.com/config-presets/

@TheFox0x7 (Contributor) left a review comment:

Thanks for this in general :)
I wanted to do it for a while but I didn't feel like the correct person to set it up with all the secrets needed to have it.

this also closes: #33386

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Mar 31, 2026
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Mar 31, 2026
permissions:
contents: read
steps:
- uses: actions/create-github-app-token@v1
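Review bot: `actions/create-github-app-token@v1` references a mutable tag, so the step that mints the token, the most sensitive step in this job, is not covered by the SHA pinning the thread wants for #36971; pin it to a full commit SHA with the version in a trailing comment (which Renovate keeps in sync), and as the comment below notes, v3 of the action is current. `permissions: contents: read` at the job level is the right default here, since all writes go through the app token rather than GITHUB_TOKEN.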
Contributor commented:
It seems that there is actions/create-github-app-token@v3 now

https://github.com/actions/create-github-app-token

@silverwind (Member, Author) commented Apr 1, 2026:
Yeah. I'm also not sure if the extra complexity of this action is warranted over a simple token-based approach. @TheFox0x7 do you think it is?

Contributor commented:
I think I ended up on app for the permissions fine tune and that it's treated as its own user instead of the token owner. It's been a while though.


yup, see: TheFox0x7#15
It annoyed me enough to set up an app.

@silverwind (Member, Author) commented Apr 1, 2026:
I think it's better to use the same auth mechanism we use on gitea.com repos and gitea does not support github apps. I will check how it's done on gitea.com, e.g. likely a static app token.

Contributor commented:
gitea has separate account I think

@silverwind silverwind marked this pull request as draft April 1, 2026 17:07

Labels

lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/internal

Development

Successfully merging this pull request may close these issues.

Use renovate for automatic dependency updates
