
Added self-hosted Renovate workflow #28130

Merged: 9larsons merged 1 commit into main from chore/pla-48-self-hosted-renovate on May 26, 2026

Conversation

Contributor

@9larsons 9larsons commented May 26, 2026

ref https://linear.app/ghost/issue/PLA-48

Why

Mend's hosted Renovate ticks every ~4h. With platformAutomerge: false (intentional, so merges stay inside automergeSchedule) and branchConcurrentLimit: 10, each merge forces every other open Renovate branch to rebase, and the rebased CI doesn't finish before the next tick. Net throughput is ~1 PR per tick — capped at ~2 PRs per weeknight automerge window and ~5–6 per weekend day. Small backlogs take all weekend to drain, and the concurrent-branch cap saturates the queue.

Other levers (platformAutomerge for low-risk classes, merge queue, wider schedule) help around the edges but don't change the math. The tick frequency is the bottleneck.

What this does

.github/workflows/renovate.yml — runs the official renovatebot/github-action on a 2h cron. The repo-level schedule / automergeSchedule in renovate.json5 still gate when Renovate acts or merges, so out-of-window wake-ups are no-ops. Auths via the already-org-installed TryGhost Renovate GitHub App (no new install or permission grant), with the App token scoped to repositories: Ghost. Runner-level overrides (RENOVATE_REPOSITORIES, RENOVATE_ONBOARDING: false) are passed via env rather than a separate config file.

workflow_dispatch with an ignoreSchedule toggle injects RENOVATE_FORCE — manual "drain the backlog now" button.

Pattern lifted from TryGhost/Toast's working setup; third-party actions pinned by SHA matching Toast's set.

Cutover

Both Mend and self-hosted Renovate use deterministic renovate/* branch names, so running them in parallel would race on rebases/pushes during merge windows. We're currently outside every block in the schedule, so neither bot is actively acting on PRs — safe to merge now, smoke-test with a manual run (leave ignoreSchedule off; expected outcome is "no work in schedule, exiting" confirming auth + config), then disable Mend in the Mend dashboard before the next merge window opens.

Rollback is "delete the workflow file" — Mend can be re-enabled.

Acceptance signal

After one normal automergeSchedule window with a non-empty backlog: ≥3 PRs merged in a single window (vs. current ~1–2).
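A reconstruction of the workflow described above, added here as an example; it is not the file merged in this PR, whose full contents are not shown on the page. It uses only what the description and the review comments state (2h cron, workflow_dispatch with an ignoreSchedule boolean, a GitHub App token scoped to repositories: Ghost, RENOVATE_REPOSITORIES and RENOVATE_ONBOARDING passed via env, RENOVATE_FORCE for manual runs, actions/checkout pinned at de0fac2e4500dabe0009e67214ff5f5447ce83dd, renovatebot/github-action v46.1.14, debug logging and repository caching) and fills the rest with labelled assumptions: the token-minting action (actions/create-github-app-token), the secret names, the exact RENOVATE_FORCE payload, the permissions and concurrency blocks, and `<pinned-sha>` placeholders where the page does not give a commit SHA.

```yaml
# Added example reconstructing .github/workflows/renovate.yml from the PR
# description; not the merged file. Lines marked "Assumption" are not on the page.
name: Renovate

on:
  schedule:
    # 2h tick. renovate.json5's schedule/automergeSchedule still decide whether a
    # tick does any work, so out-of-window runs are no-ops.
    - cron: '0 */2 * * *'
  workflow_dispatch:
    inputs:
      ignoreSchedule:
        description: 'Bypass schedule and automergeSchedule (drain the backlog now)'
        type: boolean
        default: false

# Assumption: GITHUB_TOKEN only needs to read the repo; Renovate authenticates
# with the App token minted below, never with GITHUB_TOKEN.
permissions:
  contents: read

# Assumption: serialise runs so a cron tick cannot overlap a manual run and race
# on the deterministic renovate/* branch names mentioned in the PR description.
concurrency:
  group: renovate
  cancel-in-progress: false

jobs:
  renovate:
    runs-on: ubuntu-latest
    steps:
      - name: Mint GitHub App token
        id: app-token
        # Assumption: the page does not name the token-minting action.
        # <pinned-sha> is a placeholder for the commit SHA the real workflow pins.
        uses: actions/create-github-app-token@<pinned-sha>
        with:
          app-id: ${{ secrets.RENOVATE_APP_ID }}               # placeholder secret name
          private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }} # placeholder secret name
          owner: ${{ github.repository_owner }}
          repositories: Ghost   # token is valid for this one repository only

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Reviewer suggestion from this PR: Renovate uses the App token, so the
          # checkout credential is not needed by any later step.
          persist-credentials: false

      - name: Run Renovate
        # <pinned-sha> is a placeholder for the commit SHA behind v46.1.14.
        uses: renovatebot/github-action@<pinned-sha> # v46.1.14
        with:
          token: ${{ steps.app-token.outputs.token }}
        env:
          LOG_LEVEL: debug
          RENOVATE_REPOSITORY_CACHE: enabled
          RENOVATE_REPOSITORIES: TryGhost/Ghost
          RENOVATE_ONBOARDING: 'false'
          # Manual runs with ignoreSchedule=true override the repo-level schedules;
          # cron runs (inputs empty) get a no-op override. Assumption: the exact
          # force payload is not shown on the page.
          RENOVATE_FORCE: ${{ inputs.ignoreSchedule == true && '{"schedule":["at any time"],"automergeSchedule":["at any time"]}' || '{}' }}
```

The points worth keeping when adapting this: the App token is the only credential Renovate sees and it is scoped to a single repository; GITHUB_TOKEN is reduced to contents: read; checkout does not persist its token; and the schedule bypass is reachable only through the manual dispatch input, never from the cron path. The RENOVATE_* and LOG_LEVEL variables work as runner-level overrides because renovatebot/github-action forwards environment variables matching those names into the Renovate container.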

Contributor

coderabbitai Bot commented May 26, 2026


Walkthrough

This PR adds a new GitHub Actions workflow for Renovate that automates dependency updates for the TryGhost/Ghost repository. The workflow runs on a 2-hour cron schedule and supports manual dispatch via workflow_dispatch. A boolean input ignoreSchedule allows manual runs to bypass Renovate's schedule and automerge gating constraints. The workflow mints a GitHub App token, checks out the repository, and executes the Renovate GitHub Action (v46.1.14) with environment configuration for debug logging, repository caching, and repository scoping.

Possibly related PRs

  • TryGhost/Ghost#28041: Updates renovate.json5 with rules controlling which digest updates Renovate will automerge, affecting the behavior of the Renovate automation introduced in this workflow.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change—adding a self-hosted Renovate workflow—which is the core focus of the PR and matches the changeset.
Description check ✅ Passed The description is directly related to the changeset, providing context, rationale, and implementation details about the Renovate workflow addition.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


Warning

Review ran into problems

🔥 Problems

Stopped waiting for pipeline failures after 30000ms. One of your pipelines takes longer than our 30000ms fetch window to run, so review may not consider pipeline-failure results for inline comments if any failures occurred after the fetch window. Increase the timeout if you want to wait longer or run a @coderabbit review after the pipeline has finished.




nx-cloud Bot commented May 26, 2026



View your CI Pipeline Execution ↗ for commit 0ba9314

Command Status Duration Result
nx run ghost:test:ci:integration ✅ Succeeded 1m 59s View ↗
nx run @tryghost/admin-x-settings:test:acceptance ✅ Succeeded 9m 50s View ↗
nx run ghost:test:ci:e2e ✅ Succeeded 7m 33s View ↗
nx run ghost:test:ci:legacy ✅ Succeeded 3m 6s View ↗
nx build @tryghost/activitypub ✅ Succeeded 2s View ↗
nx build @tryghost/portal ✅ Succeeded <1s View ↗
nx build @tryghost/sodo-search ✅ Succeeded <1s View ↗
nx build @tryghost/announcement-bar ✅ Succeeded <1s View ↗
Additional runs (12) ✅ Succeeded ... View ↗

☁️ Nx Cloud last updated this comment at 2026-05-26 14:12:24 UTC

ref https://linear.app/ghost/issue/PLA-48

- Mend's hosted scheduler ticks every ~4h, and with platformAutomerge off
  (deliberate, so merges stay inside our automergeSchedule) each merge
  forces every other open Renovate branch to rebase. Net throughput is
  ~1 PR per tick, capping us at ~2 PRs per weeknight window — small
  backlogs take all weekend to drain
- Self-hosting on a 2h GitHub Actions cron lifts that ceiling without
  touching the workday CI-capacity policy: the repo-level schedule and
  automergeSchedule in renovate.json5 still gate when Renovate acts
- Pattern lifted from TryGhost/Toast's working setup; reuses the
  already-org-installed TryGhost Renovate GitHub App, no new install
  or permission grant needed
- workflow_dispatch with an ignoreSchedule toggle gives us a manual
  "drain the backlog now" button via RENOVATE_FORCE
9larsons force-pushed the chore/pla-48-self-hosted-renovate branch from 0ba9314 to fe56bc8 on May 26, 2026 14:00
Contributor

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/renovate.yml (1)

45-46: ⚡ Quick win

Consider adding persist-credentials: false for defense-in-depth.

The Renovate action uses the GitHub App token explicitly passed in line 55, so the persisted credentials from checkout aren't used. Adding persist-credentials: false would follow security hardening best practices.

🔒 Suggested hardening
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
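Review bot: the suggestion is sound for this workflow because the only later step that needs credentials is the Renovate action, which receives the App token explicitly (the comment above points at line 55), so nothing downstream depends on the token checkout would persist; before applying it, confirm no other step does an authenticated git fetch or push, since persist-credentials: false would break those, and re-run the manual workflow_dispatch smoke test with ignoreSchedule off to see that the "no work in schedule, exiting" outcome the PR description expects still appears with the App token alone.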
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/renovate.yml around lines 45 - 46, The checkout step using
"uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" should be
hardened by adding the persist-credentials: false option so the runner does not
retain persisted GitHub credentials; update the Checkout step to include
persist-credentials: false under that uses entry to ensure the Renovate workflow
only uses the explicit GitHub App token passed later.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9efa1721-15f3-4e3b-b35b-0f19748ed26b

📥 Commits

Reviewing files that changed from the base of the PR and between e68f832 and 0ba9314.

📒 Files selected for processing (3)
  • .github/renovate-bot.cjs
  • .github/workflows/renovate.yml
  • docs/renovate-throughput-assessment.md

Contributor

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/renovate.yml (1)

45-46: ⚡ Quick win

Disable actions/checkout credential persistence for defense-in-depth.

In actions/checkout@v6, persist-credentials defaults to true; it writes auth material under $RUNNER_TEMP (not into .git/config). Since this workflow doesn’t need authenticated git push/commit after checkout, set persist-credentials: false on the Checkout step (lines 45-46).

Proposed patch
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
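Review bot: this is the same lines 45-46 finding raised on the previous commit, and this pass reviews 0ba9314..fe56bc8 with renovate.yml as the only changed file, so the force-push did not apply the persist-credentials: false suggestion; either add the two lines under the checkout step's uses entry or note in the PR why the persisted checkout credential is wanted, so the nitpick does not resurface on every push.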
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/renovate.yml around lines 45 - 46, Update the "Checkout"
step that uses actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd to
explicitly disable credential persistence by adding persist-credentials: false
to the step definition; locate the Checkout step in the workflow and add the
persist-credentials: false key under that action so no auth tokens are persisted
to $RUNNER_TEMP after checkout.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 27fb9f6f-0d3d-496c-ae17-a293d96f7c12

📥 Commits

Reviewing files that changed from the base of the PR and between 0ba9314 and fe56bc8.

📒 Files selected for processing (1)
  • .github/workflows/renovate.yml


codecov Bot commented May 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.88%. Comparing base (5980dbc) to head (fe56bc8).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #28130   +/-   ##
=======================================
  Coverage   73.87%   73.88%           
=======================================
  Files        1529     1529           
  Lines      129757   129757           
  Branches    15567    15574    +7     
=======================================
+ Hits        95854    95866   +12     
+ Misses      32941    32928   -13     
- Partials      962      963    +1     
Flag Coverage Δ
e2e-tests 76.18% <ø> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

