From be1d3fa18ea4df1e4df7d1510e1133ef373594d7 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 15 Feb 2024 20:24:07 -0500 Subject: [PATCH 1/4] docs: document support for fine-grained pat --- lib/modules/platform/github/readme.md | 28 ++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/lib/modules/platform/github/readme.md b/lib/modules/platform/github/readme.md index a12ff89f11c617..584f05c3260bcd 100644 --- a/lib/modules/platform/github/readme.md +++ b/lib/modules/platform/github/readme.md @@ -2,13 +2,15 @@ ## Authentication -First, [create a classic Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-personal-access-token-classic) for the bot account, select `repo` scope. -Fine-grained Personal Access Tokens do not support the GitHub GraphQL API and cannot be used with Renovate. +First, create a +[fine-grained](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-fine-grained-personal-access-token) +or [classic](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-personal-access-token-classic) +PAT ([Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#about-personal-access-tokens)) for the bot account, select `repo` scope. Let Renovate use your PAT by doing _one_ of the following: - Set your PAT as a `token` in your `config.js` file -- Set your PAT as an environment variable `RENOVATE_TOKEN` +- Set your PAT as an environment variable `RENOVATE_TOKEN` (generally via `${{ secrets.RENOVATE_TOKEN }}`) - Set your PAT when you run Renovate in the CLI with `--token=` Remember to set `platform=github` somewhere in your Renovate config file. 
@@ -25,6 +27,26 @@ You can choose where you want to set `endpoint`: If you're self-hosting Renovate on GitHub.com with GitHub Actions in forking mode, and want Renovate to apply labels then you must give the PAT `triage` level rights on `issues`. The `triage` level allows the PAT to apply/dismiss existing labels. +## Running using a Fine-grained Token + +### Permissions + +These are the permissions required for a Fine-grained token: + +| Permission | Access | Level | +| ------------------- | ---------------- | ------------------------------ | +| `Members` | `Read-only` | _Organization_ | +| `Commit statuses` | `Read and write` | _Repository_ or _Organization_ | +| `Contents` | `Read and write` | _Repository_ or _Organization_ | +| `Dependabot alerts` | `Read-only` | _Repository_ or _Organization_ | +| `Issues` | `Read and write` | _Repository_ or _Organization_ | +| `Pull requests` | `Read and write` | _Repository_ or _Organization_ | +| `Workflows` | `Read and write` | _Repository_ or _Organization_ | + + +!!! tip "Use a bot role account" + You should create a bot role account instead of using a human's github account. + ## Running as a GitHub App Instead of a bot account with a Personal Access Token you can run `renovate` as a self-hosted [GitHub App](https://docs.github.com/en/developers/apps/getting-started-with-apps). From 8b6214bbb77272ef7966c3d00c1f671adc5981c7 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Fri, 16 Feb 2024 15:37:20 -0500 Subject: [PATCH 2/4] Tweak tip Revert secret suggestion as that's only applicable to the github action as opposed to this underlying module. --- lib/modules/platform/github/readme.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/modules/platform/github/readme.md b/lib/modules/platform/github/readme.md index 584f05c3260bcd..18f05332e1d7fd 100644 --- a/lib/modules/platform/github/readme.md +++ b/lib/modules/platform/github/readme.md 
@@ -10,7 +10,7 @@ PAT ([Personal Access Token](https://docs.github.com/en/authentication/keeping-y Let Renovate use your PAT by doing _one_ of the following: - Set your PAT as a `token` in your `config.js` file -- Set your PAT as an environment variable `RENOVATE_TOKEN` (generally via `${{ secrets.RENOVATE_TOKEN }}`) +- Set your PAT as an environment variable `RENOVATE_TOKEN` - Set your PAT when you run Renovate in the CLI with `--token=` Remember to set `platform=github` somewhere in your Renovate config file. @@ -45,7 +45,8 @@ These are the permissions required for a Fine-grained token: !!! tip "Use a bot role account" - You should create a bot role account instead of using a human's github account. + Consider creating a GitHub App to use instead of using your own GitHub user account. + ## Running as a GitHub App From 9a8752b48e32f4a5424353d1cc4b8ede96f4b2b3 Mon Sep 17 00:00:00 2001 From: Rhys Arkins Date: Sun, 18 Feb 2024 17:20:38 +0100 Subject: [PATCH 3/4] Update readme.md --- lib/modules/platform/github/readme.md | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/modules/platform/github/readme.md b/lib/modules/platform/github/readme.md index 18f05332e1d7fd..93c00addefcded 100644 --- a/lib/modules/platform/github/readme.md +++ b/lib/modules/platform/github/readme.md @@ -47,7 +47,6 @@ These are the permissions required for a Fine-grained token: !!! tip "Use a bot role account" Consider creating a GitHub App to use instead of using your own GitHub user account. - ## Running as a GitHub App Instead of a bot account with a Personal Access Token you can run `renovate` as a self-hosted [GitHub App](https://docs.github.com/en/developers/apps/getting-started-with-apps). From e7dc25e03fdd2879f7e37c865c6bbae1e72433b5 Mon Sep 17 00:00:00 2001 
From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 13 Mar 2024 07:43:08 -0400 Subject: [PATCH 4/4] Apply suggestions from code review Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com> --- lib/modules/platform/github/readme.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/lib/modules/platform/github/readme.md b/lib/modules/platform/github/readme.md index 93c00addefcded..a163664e91604f 100644 --- a/lib/modules/platform/github/readme.md +++ b/lib/modules/platform/github/readme.md @@ -2,10 +2,10 @@ ## Authentication -First, create a -[fine-grained](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-fine-grained-personal-access-token) -or [classic](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-personal-access-token-classic) -PAT ([Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#about-personal-access-tokens)) for the bot account, select `repo` scope. +First, create a [fine-grained](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-fine-grained-personal-access-token) _or_ a [classic](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-personal-access-token-classic) PAT. +The PAT must have the `repo` scope. + +Read the [GitHub Docs, about Personal Access Tokens](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#about-personal-access-tokens) to learn more about PATs. Let Renovate use your PAT by doing _one_ of the following: 
@@ -27,11 +27,11 @@ You can choose where you want to set `endpoint`: If you're self-hosting Renovate on GitHub.com with GitHub Actions in forking mode, and want Renovate to apply labels then you must give the PAT `triage` level rights on `issues`. The `triage` level allows the PAT to apply/dismiss existing labels. -## Running using a Fine-grained Token +## Running using a fine-grained token ### Permissions -These are the permissions required for a Fine-grained token: +A fine-grained token must have these permissions: | Permission | Access | Level | | ------------------- | ---------------- | ------------------------------ |
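Review bot: In PATCH 1/4, the Authentication hunk, the added sentence ending "for the bot account, select `repo` scope" now covers both token kinds, but the removed line tied `repo` to the classic token and this same patch gives fine-grained tokens their own permissions table. Suggest splitting the instruction: for a classic PAT select the `repo` scope, for a fine-grained PAT grant the permissions listed under "Running using a Fine-grained Token".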
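Review bot: In PATCH 1/4, the new permissions table lists seven permissions, five of them `Read and write`, without saying what Renovate uses each one for, so a reader cannot tell which grants are mandatory and which could be left out to keep the token narrow. Suggest a "Used for" column or a sentence per row, at least for `Workflows` and `Contents`. The `Level` value `_Repository_ or _Organization_` is also unexplained, and the tip writes "github" where the rest of the file writes "GitHub".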
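Review bot: In PATCH 2/4, the tip hunk, the title still reads "Use a bot role account" while the new body recommends a GitHub App, so heading and advice no longer match. Suggest either retitling the tip (for example "Consider a GitHub App") and linking it to the "Running as a GitHub App" section that follows, or keeping the bot-account wording; as written, the tip sits in the fine-grained token section but steers the reader away from tokens without saying where to go next.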
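Review bot: In PATCH 4/4, the rewritten first paragraph of Authentication drops "for the bot account", so the section no longer says which account should own the PAT, while the "Running as a GitHub App" paragraph still refers to "a bot account with a Personal Access Token". Suggest keeping the phrase in the new first sentence so the two sections agree and readers are not led to issue the token from a personal account.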