docs: Update section about Fine-grained PATs #796

emilbader opened this issue Nov 15, 2023 · 2 comments
Labels
documentation Improvements or additions to documentation good first issue Good for newcomers

Comments

@emilbader

Description

In https://github.com/renovatebot/github-action#token it's claimed that fine-grained PATs cannot be used since they don't support GitHub's GraphQL API. This seems to have been implemented now.

@viceice viceice added documentation Improvements or additions to documentation good first issue Good for newcomers labels Nov 16, 2023
@viceice
Member

viceice commented Nov 16, 2023

feel free to open a PR 🤗

@HonkingGoose
Contributor

Is this issue about the docs, or about getting renovatebot/github-action to work with fine-grained PATs on GitHub's GraphQL API? 😕

It sounds like the bug reporter wants us to get the action to work with GraphQL?

Related issue/PR

We had this issue:

That was closed with:

Copy/paste of current readme

It looks like the readme properly mentions the problems with fine-grained tokens and the GitHub GraphQL API:

### `token`

[Generate a Personal Access Token (classic)](https://github.com/settings/tokens), with the `repo:public_repo` scope for only public repositories or the `repo` scope for public and private repositories, and add it to _Secrets_ (repository settings) as `RENOVATE_TOKEN`.
You can also create a token without a specific scope, which gives read-only access to public repositories, for testing.
This token is only used by Renovate, see the [token configuration](https://docs.renovatebot.com/self-hosted-configuration/#token), and gives it access to the repositories.
The name of the secret can be anything as long as it matches the argument given to the `token` option.

Note that Renovate _cannot_ currently use [Fine-grained Personal Access Tokens](https://github.com/settings/tokens?type=beta) since they do not support the GitHub GraphQL API, yet.

Note that the [`GITHUB_TOKEN`](https://help.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token) secret can't be used for authenticating Renovate because it has too restrictive permissions.
In particular, using the `GITHUB_TOKEN` to create a new `Pull Request` from more types of GitHub Workflows results in `Pull Requests` that [do not trigger your `Pull Request` and `Push` CI events](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow).

If you want to use the `github-actions` manager, you must set up a [special token](#special-token-requirements-when-using-the-github-actions-manager) with some requirements.
