renovatebot/github-action

Clarify why the GITHUB_TOKEN can't be used to authenticate Renovate

AndersBennedsgaard opened this issue · 4 comments

According to the documentation:

Note that the GITHUB_TOKEN secret can't be used for authenticating Renovate.

However, it is not explained why this is the case.

Renovate should theoretically only need read-write access to the repository content and pull-requests in which the action is run, so why does it need more permissions than that?
If there is a simple explanation, the docs could probably be updated with it for future reference.

You can either:

  • Accept what it says, or
  • Test it yourself if you don't accept it. If it works, share your experience!

I think what you'll find is that the GITHUB_TOKEN is more limited than you expect. For example IIRC actions tokens can't be used to trigger other actions, so any PRs you create with the token won't trigger your tests.

I was actually just curious of the reason "why" it was stated that the token can't be used, which I would guess that many other GH users also would be.

In my mind, the documentation would need an update. Either:

  • the token really can't be used, there should be a reason why, since it's very counterintuitive
  • it actually can, but has some limitations wrt. the limitations of the token, which should be stated in the docs
  • there are no limitations, which means the line should be removed

I haven't had the time to test it (I was just reading on my phone earlier), but I will one of the next days.

I asked myself the same thing today. I would have sworn the GITHUB_TOKEN would be enough, but at least one blocker is as @rarkins cites: in most cases a PR created by a GITHUB_TOKEN will not trigger tests.

I agree with @AndersBennedsgaard though that having an extra sentence mentioning this and linking to the GitHub docs would be a great add to the readme. On first glance, this feels like a "surely this would work" sort of thing.

PRs welcome