From 7ec91bb82ccc9e7593efec90c1f1c58f7881581f Mon Sep 17 00:00:00 2001
From: Xuan Hu
Date: Fri, 23 Feb 2024 12:05:55 +0800
Subject: [PATCH 1/2] chore: authenticate renovate with github app
---
 .github/workflows/renovate.yml | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index fd92c918..50cf81d8 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -13,12 +13,22 @@ jobs:
 RENOVATE_REPOSITORY_CACHE: enabled
 RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
 image: ghcr.io/renovatebot/renovate:37.202.2
+ options: '--user root'
 runs-on: ubuntu-latest
 steps:
 - run: env | sort
- - run: |
- if [ -z "${{ secrets.RENOVATE_TOKEN }}" ]; then
- echo "RENOVATE_TOKEN not set, skipping ..."
+ - id: generate-token
+ name: Generate a token with GitHub App if App ID exists
+ if: vars.BOT_APP_ID
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ vars.BOT_APP_ID }}
+ private-key: ${{ secrets.BOT_PRIVATE_KEY }}
+ - env:
+ RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN || steps.generate-token.outputs.token }}
+ run: |
+ if [ -z "$RENOVATE_TOKEN" ]; then
+ echo "RENOVATE_TOKEN is not properly configured, skipping ..."
 else
 renovate $RENOVATE_EXTRA_FLAG
 fi
From e0ff6336ee37a516d5407fb6ad9bb249ec6889be Mon Sep 17 00:00:00 2001
From: Xuan Hu
Date: Fri, 23 Feb 2024 12:40:58 +0800
Subject: [PATCH 2/2] Update template.
---
 .../workflows/renovate.yml.jinja | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/template/[% if repo_host_type == 'github.com' %].github[% endif %]/workflows/renovate.yml.jinja b/template/[% if repo_host_type == 'github.com' %].github[% endif %]/workflows/renovate.yml.jinja
index f48cd321..e28da103 100644
--- a/template/[% if repo_host_type == 'github.com' %].github[% endif %]/workflows/renovate.yml.jinja
+++ b/template/[% if repo_host_type == 'github.com' %].github[% endif %]/workflows/renovate.yml.jinja
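Review bot: In the `.github/workflows/renovate.yml` hunk of PATCH 1/2, the added `generate-token` step passes `secrets.BOT_PRIVATE_KEY` to `actions/create-github-app-token@v1`, which is a mutable tag, so whatever commit `v1` resolves to at run time receives the App's private key. Pin the action to a reviewed full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/create-github-app-token@<full-commit-sha> # <release tag>` (both values are placeholders to fill in), and let Renovate propose the bumps. The same `uses:` line is added in the template hunk of PATCH 2/2 (`renovate.yml.jinja`) and should be pinned there as well. The job definition starts above the hunk, so any job-level `permissions:` are not visible here.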
@@ -13,12 +13,22 @@ jobs:
 RENOVATE_REPOSITORY_CACHE: enabled
 RENOVATE_TOKEN: {{ '${{ secrets.RENOVATE_TOKEN }}' }}
 image: ghcr.io/renovatebot/renovate:37.202.2
+ options: '--user root'
 runs-on: ubuntu-latest
 steps:
 - run: env | sort
- - run: |
- if [ -z "{{ '${{ secrets.RENOVATE_TOKEN }}' }}" ]; then
- echo "RENOVATE_TOKEN not set, skipping ..."
+ - id: generate-token
+ name: Generate a token with GitHub App if App ID exists
+ if: vars.BOT_APP_ID
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: {{ '${{ vars.BOT_APP_ID }}' }}
+ private-key: {{ '${{ secrets.BOT_PRIVATE_KEY }}' }}
+ - env:
+ RENOVATE_TOKEN: {{ '${{ secrets.RENOVATE_TOKEN || steps.generate-token.outputs.token }}' }}
+ run: |
+ if [ -z "$RENOVATE_TOKEN" ]; then
+ echo "RENOVATE_TOKEN is not properly configured, skipping ..."
 else
 renovate $RENOVATE_EXTRA_FLAG
 fi
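Review bot: The added `options: '--user root'` makes every step in the job container run as root, including `renovate` itself, and neither the hunk nor the commit message says why. If root is only needed so the token action can run inside the Renovate image (an assumption; the diff does not show the reason), record that above the line, e.g. `# root needed by <step>: <reason>` with the placeholders filled in, so the override can be dropped once that constraint goes away. Renovate can invoke package-manager tooling while updating lock files, so the image's default unprivileged user is the safer baseline when root is not strictly required. The same line is added in `.github/workflows/renovate.yml` in PATCH 1/2, and the container definition starts above the hunk.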