# github-app-token-updater
Self-hosted Renovate can use GitHub App installation tokens, which are more secure than personal access tokens. However, these tokens expire after one hour and must be refreshed, and self-hosted Renovate does not do this for you. See https://docs.renovatebot.com/modules/platform/github/#running-as-a-github-app
There are several existing solutions for refreshing the token:
- The official GitHub SDK
- A GitHub Action that can rotate the token, as seen here -> https://github.com/renovatebot/github-action?tab=readme-ov-file#example-with-github-app
- Third-party applications and Docker containers that do the same
- Bash scripts, such as the one in the GitHub docs -> https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app#example-using-bash-to-generate-a-jwt
The challenge is wiring any of those solutions up to self-hosted Renovate.
The goal of this application is to provide a simple way to refresh the token and expose it to Renovate:
- Given a private key, a GitHub App ID and an Installation ID, it generates a new installation token and writes it to a Kubernetes Secret
- It runs as an init container of the official Renovate Helm chart
- You simply point your self-hosted Renovate bot at that Secret and it picks up the new token automatically
## Configuration

Ensure a Renovate secret exists:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: YOUR_RENOVATE_SECRET_NAME
  namespace: renovate
stringData:
  RENOVATE_TOKEN: TO_BE_AUTOGENERATED_BY_INIT_CONTAINER
```
Add a Kubernetes Role and RoleBinding for the init container:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: renovate
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs: ["patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: renovate
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: renovate
subjects:
  - kind: ServiceAccount
    name: renovate
    namespace: {{ .Release.Namespace }}
```
Create a secret named `github-app-token-updater` holding the App's private key:

```shell
kubectl create secret generic github-app-token-updater --from-file=private-key.pem=path/to/id_rsa
```
Configure the Renovate Helm chart to use the init container. See https://github.com/renovatebot/helm-charts/tree/main/charts/renovate

```yaml
renovate:
  extraVolumes:
    - name: github-app-token-updater
      secret:
        secretName: github-app-token-updater
cronjob:
  initContainers:
    - name: github-app-token-updater
      env:
        - name: GITHUB_APP_ID
          value: "1234567"
        - name: GITHUB_INSTALLATION_ID
          value: "123456789"
        - name: SECRET_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: SECRET_NAME
          value: renovate
        - name: SECRET_KEY
          value: RENOVATE_TOKEN
      image: your-docker-registry/github-app-token-updater:latest
      imagePullPolicy: IfNotPresent
      volumeMounts:
        - mountPath: /tmp/private-key.pem
          name: github-app-token-updater
          readOnly: true
          subPath: private-key.pem
```
The init container runs before the Renovate container, so every time the pod launches it has a fresh token that is valid for 1 hour.
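To make the three steps the init container performs concrete, here is an added Go example; it is not the project's code and only illustrates the flow described above. It signs the GitHub App JWT with the PKCS#1 private key mounted from the Secret, exchanges that JWT for a one-hour installation token, and writes the token into the Renovate Secret with a JSON merge patch, which is exactly what the `patch` verb in the Role above allows. The choice of Go, the function names, and talking to the Kubernetes API directly with the pod's service account token rather than through a client library are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"net/http"
	"time"
)

// b64url is the unpadded base64url encoding every JWT segment uses.
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// buildAppJWT parses the PKCS#1 PEM ("RSA PRIVATE KEY") GitHub issues for an App and
// signs the RS256 JWT the App authenticates with. iat is backdated 60s to absorb clock
// skew; exp stays below GitHub's 10-minute maximum. appID is the value of GITHUB_APP_ID.
func buildAppJWT(keyPEM []byte, appID string, now time.Time) (string, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return "", fmt.Errorf("no PEM block found in private key")
	}
	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iat": now.Add(-60 * time.Second).Unix(),
		"exp": now.Add(9 * time.Minute).Unix(),
		"iss": appID,
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// fetchInstallationToken exchanges the App JWT for a one-hour installation token:
// POST /app/installations/{id}/access_tokens answers 201 with {"token": "ghs_..."}.
// apiBase is https://api.github.com in production; a test can point it at a local server.
func fetchInstallationToken(client *http.Client, apiBase, jwt, installationID string) (string, error) {
	url := apiBase + "/app/installations/" + installationID + "/access_tokens"
	req, err := http.NewRequest(http.MethodPost, url, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+jwt)
	req.Header.Set("Accept", "application/vnd.github+json")
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated {
		return "", fmt.Errorf("github returned HTTP %d", resp.StatusCode)
	}
	var out struct {
		Token string `json:"token"`
	}
	err = json.NewDecoder(resp.Body).Decode(&out)
	return out.Token, err
}

// patchSecret replaces one key of the Secret with a JSON merge patch (.data values are
// standard base64). Only the "patch" verb granted by the Role above is needed. Inside the
// pod, apiServer is https://kubernetes.default.svc and bearer is the service account
// token from /var/run/secrets/kubernetes.io/serviceaccount/token (assumed layout).
func patchSecret(client *http.Client, apiServer, bearer, namespace, name, key, token string) error {
	patch, _ := json.Marshal(map[string]map[string]string{
		"data": {key: base64.StdEncoding.EncodeToString([]byte(token))},
	})
	url := fmt.Sprintf("%s/api/v1/namespaces/%s/secrets/%s", apiServer, namespace, name)
	req, err := http.NewRequest(http.MethodPatch, url, bytes.NewReader(patch))
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+bearer)
	req.Header.Set("Content-Type", "application/merge-patch+json")
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("kubernetes returned HTTP %d", resp.StatusCode)
	}
	return nil
}
```

Inside the pod the glue around these functions is: read `/tmp/private-key.pem` (the `mountPath` in the values above) and the `GITHUB_*` and `SECRET_*` environment variables, call `buildAppJWT` and `fetchInstallationToken` against `https://api.github.com`, then call `patchSecret` with an `http.Client` whose root CA is the cluster CA from `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` and whose bearer is the service account token next to it. Two points worth keeping in mind: the Role above already limits the verb to `patch`, and adding `resourceNames: [YOUR_RENOVATE_SECRET_NAME]` under the rule would confine it to that single Secret; and because the JWT lives under ten minutes and the installation token under an hour, the only long-lived credential in the cluster is the private key itself, which is why it is mounted read-only.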