From 7be5ea3ec139d6cde105f50a43b4a91db01509f4 Mon Sep 17 00:00:00 2001 From: erezrokah Date: Wed, 18 Mar 2026 20:08:09 +0000 Subject: [PATCH 1/4] fix: fix Renovate cache permission errors in Docker container The renovatebot/github-action auto-sets RENOVATE_CACHE_DIR to a path under /home/runner which doesn't exist inside the Docker container. Additionally, cache files restored by actions/cache are owned by the runner user, not the container user (uid 1000). - Set RENOVATE_CACHE_DIR=/tmp/renovate/cache explicitly - Add step to create cache dir with world-writable permissions --- .github/workflows/renovate.yml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 046e474..425654a 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -21,13 +21,15 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 - # - name: Renovate cache - # uses: actions/cache@v5 - # with: - # path: ${{ github.workspace }}/.renovate-cache - # key: renovate-cache-${{ env.RENOVATE_VERSION }}-${{ github.run_id }} - # restore-keys: | - # renovate-cache-${{ env.RENOVATE_VERSION }}- + - name: Renovate cache + uses: actions/cache@v5 + with: + path: /tmp/renovate/cache + key: renovate-cache-${{ env.RENOVATE_VERSION }}-${{ github.run_id }} + restore-keys: | + renovate-cache-${{ env.RENOVATE_VERSION }}- + - name: Fix cache permissions + run: mkdir -p /tmp/renovate/cache && chmod -R 777 /tmp/renovate - name: Self-hosted Renovate uses: renovatebot/github-action@v46.1.4 with: @@ -37,5 +39,5 @@ jobs: env: RENOVATE_GITHUB_ACTOR: ${{ github.actor }} RENOVATE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # RENOVATE_CACHE_DIR: ${{ github.workspace }}/.renovate-cache + RENOVATE_CACHE_DIR: /tmp/renovate/cache LOG_LEVEL: 'debug' From 5b9e5a2be120f6411292cc04dc034878eb9c775d Mon Sep 17 00:00:00 2001 
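Review bot: The newly enabled cache step in the first hunk references `actions/cache@v5` by a mutable tag, in a job whose later step receives `secrets.GITHUB_TOKEN`. If that tag were ever re-pointed, the replaced code would run in the same job and could alter the workspace or the cache contents that the Renovate step then consumes. Pinning to a full commit SHA with the version kept as a comment, `uses: actions/cache@<full-commit-sha> # v5`, makes the reference immutable; the same applies to `actions/checkout@v6` and `renovatebot/github-action@v46.1.4` on the context lines. The job's `permissions:` block is outside the hunk, so the token's scope could not be checked here.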
From: erezrokah Date: Wed, 18 Mar 2026 20:21:20 +0000 Subject: [PATCH 2/4] fix: use chown to container uid instead of world-writable permissions Address review feedback: chown to uid 1000 (Renovate container user) instead of chmod 777 to avoid unnecessarily broad permissions. --- .github/workflows/renovate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 425654a..febe0c1 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -29,7 +29,7 @@ jobs: restore-keys: | renovate-cache-${{ env.RENOVATE_VERSION }}- - name: Fix cache permissions - run: mkdir -p /tmp/renovate/cache && chmod -R 777 /tmp/renovate + run: mkdir -p /tmp/renovate/cache && chown -R 1000:1000 /tmp/renovate - name: Self-hosted Renovate uses: renovatebot/github-action@v46.1.4 with: From c435525aaf64a18faa55fce91c31a432eac65510 Mon Sep 17 00:00:00 2001 From: erezrokah Date: Wed, 18 Mar 2026 20:26:39 +0000 Subject: [PATCH 3/4] fix: use correct Renovate container uid 12021 for cache ownership Per renovatebot/github-action#827, the Renovate Docker container runs as uid 12021, not 1000. Also add sudo since the runner user may not own /tmp/renovate after cache restore. --- .github/workflows/renovate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index febe0c1..6433660 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -29,7 +29,7 @@ jobs: restore-keys: | renovate-cache-${{ env.RENOVATE_VERSION }}- - name: Fix cache permissions - run: mkdir -p /tmp/renovate/cache && chown -R 1000:1000 /tmp/renovate + run: sudo mkdir -p /tmp/renovate/cache && sudo chown -R 12021:0 /tmp/renovate - name: Self-hosted Renovate uses: renovatebot/github-action@v46.1.4 with: From 3f7a9cba4bed9f09b161ac61c2b43d228d13bc03 Mon Sep 17 00:00:00 2001 
From: erezrokah Date: Wed, 18 Mar 2026 22:22:30 +0000 Subject: [PATCH 4/4] fix: fix Renovate cache permissions following official README example - Cache the specific repository cache dir /tmp/renovate/cache/renovate/repository - Use sudo chown -R 12021:0 to match Renovate container uid (per official docs) - Remove RENOVATE_CACHE_DIR override to avoid permission issues (per README warning) See https://github.com/renovatebot/github-action#persisting-the-repository-cache --- .github/workflows/renovate.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 6433660..430d2c5 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -24,12 +24,17 @@ jobs: - name: Renovate cache uses: actions/cache@v5 with: - path: /tmp/renovate/cache + path: /tmp/renovate/cache/renovate/repository key: renovate-cache-${{ env.RENOVATE_VERSION }}-${{ github.run_id }} restore-keys: | renovate-cache-${{ env.RENOVATE_VERSION }}- - name: Fix cache permissions - run: sudo mkdir -p /tmp/renovate/cache && sudo chown -R 12021:0 /tmp/renovate + run: | + # The permissions expected within renovate's docker container (uid 12021) + # are different than the ones given after the cache is restored. + # See https://github.com/renovatebot/github-action#persisting-the-repository-cache + sudo mkdir -p /tmp/renovate/cache/renovate/repository + sudo chown -R 12021:0 /tmp/renovate/ - name: Self-hosted Renovate uses: renovatebot/github-action@v46.1.4 with: @@ -39,5 +44,4 @@ jobs: env: RENOVATE_GITHUB_ACTOR: ${{ github.actor }} RENOVATE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - RENOVATE_CACHE_DIR: /tmp/renovate/cache LOG_LEVEL: 'debug'
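Review bot: The `restore-keys` prefix in the first hunk lets the Renovate step start from any earlier cache whose key begins with `renovate-cache-<version>-`, and that restored directory is consumed by a step that holds `secrets.GITHUB_TOKEN`. The workflow's `on:` triggers are outside the hunk; if it only runs on a schedule or manual dispatch from the default branch, GitHub's ref-scoped caches should keep the set of writers limited to this workflow. It would help to record that assumption next to the step, for example `# Restored cache is trusted input to Renovate; do not add pull_request triggers to this workflow`. Separately, the cache save runs in the post-job phase as the runner user after Renovate has written files as uid 12021, so it is worth confirming in a run log that the save can still read them.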