docs: document support for fine-grained pat (#27346)

Co-authored-by: Rhys Arkins <rhys@arkins.net> Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com>
renovatebot · Mar 18, 2024 · f4a96f8 · f4a96f8
1 parent 12377e4
commit f4a96f8
Showing 1 changed file with 24 additions and 2 deletions.
diff --git a/lib/modules/platform/github/readme.md b/lib/modules/platform/github/readme.md
@@ -2,8 +2,10 @@
 
 ## Authentication
 
-First, [create a classic Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-personal-access-token-classic) for the bot account, select `repo` scope.
-Fine-grained Personal Access Tokens do not support the GitHub GraphQL API and cannot be used with Renovate.
+First, create a [fine-grained](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-fine-grained-personal-access-token) _or_ a [classic](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-personal-access-token-classic) PAT.
+The PAT must have the `repo` scope.
+
+Read the [GitHub Docs, about Personal Access Tokens](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#about-personal-access-tokens) to learn more about PATs.
 
 Let Renovate use your PAT by doing _one_ of the following:
 
@@ -25,6 +27,26 @@ You can choose where you want to set `endpoint`:
     If you're self-hosting Renovate on GitHub.com with GitHub Actions in forking mode, and want Renovate to apply labels then you must give the PAT `triage` level rights on `issues`.
     The `triage` level allows the PAT to apply/dismiss existing labels.
 
+## Running using a fine-grained token
+
+### Permissions
+
+A fine-grained token must have these permissions:
+
+| Permission          | Access           | Level                          |
+| ------------------- | ---------------- | ------------------------------ |
+| `Members`           | `Read-only`      | _Organization_                 |
+| `Commit statuses`   | `Read and write` | _Repository_ or _Organization_ |
+| `Contents`          | `Read and write` | _Repository_ or _Organization_ |
+| `Dependabot alerts` | `Read-only`      | _Repository_ or _Organization_ |
+| `Issues`            | `Read and write` | _Repository_ or _Organization_ |
+| `Pull requests`     | `Read and write` | _Repository_ or _Organization_ |
+| `Workflows`         | `Read and write` | _Repository_ or _Organization_ |
+
+<!-- prettier-ignore -->
+!!! tip "Use a bot role account"
+    Consider creating a GitHub App to use instead of using your own GitHub user account.
+
 ## Running as a GitHub App
 
 Instead of a bot account with a Personal Access Token you can run `renovate` as a self-hosted [GitHub App](https://docs.github.com/en/developers/apps/getting-started-with-apps).