From bd4d66f3bfd92771de2c74db6c27045de0b8bb52 Mon Sep 17 00:00:00 2001 From: Denis Bilenko Date: Fri, 13 Mar 2026 17:41:29 +0100 Subject: [PATCH 1/5] Fix Renovate Bot: set RENOVATE_REPOSITORIES Renovate failed with "No repositories found" because it wasn't told which repo to manage. Set RENOVATE_REPOSITORIES to the current repo. See: https://github.com/databricks/cli/pull/4736 Error: "No repositories found - did you want to run with flag --autodiscover?" Co-Authored-By: Claude Opus 4.6 --- .github/workflows/renovate.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 79297515a1..51d2181f77 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -12,3 +12,5 @@ jobs: - uses: renovatebot/github-action@abd08c7549b2a864af5df4a2e369c43f035a6a9d # v46.1.5 with: token: ${{ secrets.GITHUB_TOKEN }} + env: + RENOVATE_REPOSITORIES: ${{ github.repository }} From 2b4fa2429d611c1507c3426e629eb2215b8b2a59 Mon Sep 17 00:00:00 2001 From: Denis Bilenko Date: Fri, 13 Mar 2026 17:48:57 +0100 Subject: [PATCH 2/5] Add explicit permissions for Renovate workflow GITHUB_TOKEN needs contents:write (to push branches) and pull-requests:write (to open PRs). Without these, Renovate fails with platform-unknown-error at initRepo. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/renovate.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 51d2181f77..a41440c11c 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -5,6 +5,10 @@ on: - cron: "0 0 * * 1" # Weekly on Monday at 00:00 UTC workflow_dispatch: +permissions: + contents: write + pull-requests: write + jobs: renovate: runs-on: ubuntu-latest From c7f933ec213abfae287cb8141534b5a8bb3c59a7 Mon Sep 17 00:00:00 2001 From: Denis Bilenko Date: Fri, 13 Mar 2026 17:54:44 +0100 Subject: [PATCH 3/5] Use GitHub App token for Renovate instead of GITHUB_TOKEN GITHUB_TOKEN cannot be used with Renovate (documented limitation). Use the existing DECO_WORKFLOW_TRIGGER GitHub App to generate a token, matching the pattern already used in push.yml and start-integration-tests.yml. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/renovate.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index a41440c11c..f7e1fefc72 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -5,16 +5,17 @@ on: - cron: "0 0 * * 1" # Weekly on Monday at 00:00 UTC workflow_dispatch: -permissions: - contents: write - pull-requests: write - jobs: renovate: runs-on: ubuntu-latest steps: + - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 + id: app-token + with: + app-id: ${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }} + private-key: ${{ secrets.DECO_WORKFLOW_TRIGGER_PRIVATE_KEY }} - uses: renovatebot/github-action@abd08c7549b2a864af5df4a2e369c43f035a6a9d # v46.1.5 with: - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ steps.app-token.outputs.token }} env: RENOVATE_REPOSITORIES: ${{ github.repository }} From 84a15f0d69e4e8cd67fe8fa894199de805337ad7 Mon Sep 17 00:00:00 2001 From: Denis Bilenko Date: Fri, 13 Mar 2026 18:02:32 +0100 Subject: [PATCH 4/5] Use test-trigger-is environment and deco runner for Renovate The DECO_WORKFLOW_TRIGGER secrets are scoped to the test-trigger-is environment and require the deco runner group, matching the pattern used in push.yml for integration-trigger. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/renovate.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index f7e1fefc72..9b35c30d38 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -7,7 +7,10 @@ on: jobs: renovate: - runs-on: ubuntu-latest + runs-on: + group: databricks-deco-testing-runner-group + labels: ubuntu-latest-deco + environment: "test-trigger-is" steps: - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 id: app-token From 2484dbeb9de1f2e9f41b36d297a313b0ed63710f Mon Sep 17 00:00:00 2001 From: Denis Bilenko Date: Fri, 20 Mar 2026 17:33:17 +0100 Subject: [PATCH 5/5] Remove self-hosted Renovate workflow in favor of hosted Renovate App The self-hosted workflow had authentication issues with the GitHub App token. Using the hosted Mend Renovate App is simpler and requires only the renovate.json config already in the repo. Co-authored-by: Isaac --- .github/workflows/renovate.yml | 24 ------------------------ 1 file changed, 24 deletions(-) delete mode 100644 .github/workflows/renovate.yml diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml deleted file mode 100644 index 9b35c30d38..0000000000 --- a/.github/workflows/renovate.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: renovate - -on: - schedule: - - cron: "0 0 * * 1" # Weekly on Monday at 00:00 UTC - workflow_dispatch: - -jobs: - renovate: - runs-on: - group: databricks-deco-testing-runner-group - labels: ubuntu-latest-deco - environment: "test-trigger-is" - steps: - - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 - id: app-token - with: - app-id: ${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }} - private-key: ${{ secrets.DECO_WORKFLOW_TRIGGER_PRIVATE_KEY }} - - uses: renovatebot/github-action@abd08c7549b2a864af5df4a2e369c43f035a6a9d # v46.1.5 - with: - token: ${{ steps.app-token.outputs.token }} - env: - RENOVATE_REPOSITORIES: ${{ github.repository }}