docs(devops): fix Renovate snippet in self-hosted-catalogue.md

Four corrections to the starter snippet that contradicted this issue: - Monday cron → daily (0 3 * * *) - github-action@v40 (unpinned) → digest-pinned @8217b3fc (v46.1.15) - renovate-version: latest → "46.1.15" - GITEA_TOKEN → RENOVATE_TOKEN (dedicated bot account, least-privilege) Also replaces the renovate.json example: removes automerge:true at root, adds osvVulnerabilityAlerts/dependencyDashboard/vulnerabilityAlerts pattern, and adds a note to keep platform config in the workflow env: block. Refs #818. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-13 11:19:22 +02:00
parent 453e709a7c
commit 935c8eadd2
1 changed files with 38 additions and 12 deletions
--- a/docs/infrastructure/self-hosted-catalogue.md
+++ b/docs/infrastructure/self-hosted-catalogue.md
@@ -151,7 +151,7 @@ receivers:
 name: Renovate
 on:
  schedule:
-    - cron: '0 3 * * 1'  # every Monday at 3am
+    - cron: '0 3 * * *'  # daily at 03:00 UTC — cuts OSV-alert latency to ≤1 day
  workflow_dispatch:

 jobs:
@@ -160,32 +160,58 @@ jobs:
    steps:
      - uses: actions/checkout@v4
      - name: Run Renovate
-        uses: renovatebot/github-action@v40
+        # Pin by digest — this action holds contents+pull_request+issues token;
+        # an unpinned tag is a supply-chain risk. Update digest + renovate-version
+        # together when Renovate publishes a new release.
+        uses: renovatebot/github-action@8217b3fc286df088d7c27f3255fe8414463bc0fd  # v46.1.15
        with:
          configurationFile: renovate.json
-          token: ${{ secrets.GITEA_TOKEN }}
-          renovate-version: latest
+          token: ${{ secrets.RENOVATE_TOKEN }}
+          renovate-version: "46.1.15"
+        env:
+          RENOVATE_PLATFORM: gitea
+          RENOVATE_ENDPOINT: https://gitea.example.com   # replace with your Gitea URL
+          RENOVATE_REPOSITORIES: '["org/repo"]'          # replace with your repo slug
+          LOG_LEVEL: info
 ```

+> **Token:** `RENOVATE_TOKEN` must be a PAT on a dedicated bot account with scopes
+> `contents` + `pull_request` + `issues`. **Do not reuse** `GITEA_TOKEN` — that variable
+> is not auto-provided on self-hosted Gitea runners and must be manually created anyway;
+> using a single broad token violates least-privilege. See ADR-041.
+
 ### Renovate Configuration

+The `renovate.json` in the repo root carries only dependency rules — platform and
+endpoint config is injected via `env:` in the workflow above. Keep the two concerns
+separate so the config file remains portable.
+
 ```json
-// renovate.json
 {
-  "platform": "gitea",
-  "endpoint": "https://gitea.example.com",
-  "repositories": ["org/familienarchiv"],
-  "automerge": true,
-  "automergeType": "pr",
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "osvVulnerabilityAlerts": true,
+  "dependencyDashboard": true,
+  "schedule": ["before 6am on monday"],
+  "vulnerabilityAlerts": {
+    "labels": ["security", "P1-high"]
+  },
+  "lockFileMaintenance": {
+    "enabled": true,
+    "schedule": ["before 6am on monday"]
+  },
  "packageRules": [
    {
-      "matchUpdateTypes": ["patch"],
-      "automerge": true
+      "matchPackageNames": ["com.example:my-dep"],
+      "automerge": true,
+      "matchUpdateTypes": ["patch"]
    }
  ]
 }
 ```

+> **Do not add `automerge: true` at the root.** Security and digest-bump PRs should
+> always be reviewed manually. Per-rule `automerge` on patch-level routine deps is fine.
+
 ---

 ## Secrets Management -- age + git-crypt