From d239601b112a5ec34e78a265e183b8319dd51a79 Mon Sep 17 00:00:00 2001
From: Hector Martinez
Date: Mon, 22 Jun 2026 10:15:40 +0200
Subject: [PATCH] feat(#2479): enable Renovate via self-hosted GitHub App

Adds a GitHub Actions workflow that runs Renovate twice daily, authenticating with a dedicated GitHub App (fullsend-renovate) via actions/create-github-app-token. Adds gomodTidy post-update and prHourlyLimit to renovate.json.

Co-Authored-By: Claude Opus 4.6
Signed-off-by: Hector Martinez
---
 .github/workflows/renovate.yml | 47 ++++++++++++++++++++++++++++++++++
 renovate.json | 2 ++
 2 files changed, 49 insertions(+)
 create mode 100644 .github/workflows/renovate.yml

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
new file mode 100644
index 000000000..07bbce66a
--- /dev/null
+++ b/.github/workflows/renovate.yml
@@ -0,0 +1,47 @@
+# Renovate dependency update bot.
+#
+# Required setup:
+# 1. Create a GitHub App with permissions: contents:write,
+# pull-requests:write, issues:read+write, checks:write.
+# 2. Install the App on the target org/repos.
+# 3. Set repository variable RENOVATE_APP_ID to the App ID.
+# 4. Set repository secret RENOVATE_PRIVATE_KEY to the App's PEM private key.
+#
+# See: https://docs.renovatebot.com/getting-started/running/#github-app
+name: Renovate
+
+on:
+ schedule:
+ - cron: "13 3,15 * * *"
+ workflow_dispatch:
+ inputs:
+ dry-run:
+ description: "Run Renovate in dry-run mode"
+ required: false
+ default: "false"
+ type: choice
+ options:
+ - "false"
+ - full
+
+permissions: {}
+
+jobs:
+ renovate:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v7
+
+ - uses: actions/create-github-app-token@v3
+ id: app-token
+ with:
+ app-id: ${{ vars.RENOVATE_APP_ID }}
+ private-key: ${{ secrets.RENOVATE_PRIVATE_KEY }}
+
+ - uses: renovatebot/github-action@v46
+ with:
+ token: ${{ steps.app-token.outputs.token }}
+ configurationFile: renovate.json
+ env:
+ LOG_LEVEL: info
+ RENOVATE_DRY_RUN: ${{ inputs.dry-run || 'false' }}
diff --git a/renovate.json b/renovate.json
index 431dd5adb..4de19b78e 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,6 +1,8 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
 "extends": ["config:recommended"],
+ "prHourlyLimit": 1,
+ "postUpdateOptions": ["gomodTidy"],
 "git-submodules": {
 "enabled": true
 },
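Review bot: The three `uses:` references in .github/workflows/renovate.yml (`actions/checkout@v7`, `actions/create-github-app-token@v3`, `renovatebot/github-action@v46`) are mutable tags, yet this job passes the App's PEM private key and a write-capable installation token to whatever code those tags resolve to at run time. Pin each one to a full commit SHA with the tag kept as a trailing comment, e.g. `- uses: renovatebot/github-action@<full-commit-sha> # v46`; Renovate can keep such pins current through the `helpers:pinGitHubActionDigests` preset, which `config:recommended` in renovate.json does not include. The minted token also inherits every permission granted to the installation, so adding the action's `permission-<name>` inputs (for example `permission-contents: write`) to the `app-token` step would cap it at the four scopes named in the header comment even if the App is granted more later. Separately, `permissions: {}` leaves the checkout step without `contents: read`, which presumably only works because the repository is public; that is worth confirming or documenting in the header comment.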