Renovate requires app write access for code? #29362
What would you like help with?
I would like help with my configuration

How are you running Renovate?
Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.
No response

Please tell us more about your question or problem
Hi there 👋 I work on a security sensitive public open source Rust repository. We're looking at adopting Renovate to replace Dependabot, but it appears like installing the Renovate GitHub application requires write access to code.

Can someone help me understand why this is required? In our ideal deployment model Renovate would only open pull requests and wouldn't require write access to code.

Thanks!
Replies: 2 comments 1 reply
Write access is needed to create branches, branches are needed to create Pull Requests.

My primary advice is that GitHub's branch protections are excellent and if used correctly it means Renovate having write access should be no threat (it does not need write access to main unless you want to automerge).

If you have just a general fear of write access or an inability to use branch protections then there's a workaround - to use a sister app called "Forking Renovate" which does some tricks in order to be able to submit PRs from forks for public repositories.
Thank you both for the quick replies. Much appreciated 🙇
Aha, that does make sense.
That sounds like an interesting option. I'll check it out.
Thank you for the pointer!
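As an added example (not part of the thread, and not Renovate's or GitHub's own code), the branch-protection point in the answer above can be checked mechanically: this sketch audits a branch-protection document for ways an app holding write access could still change the protected branch. The sample JSON is constructed and follows the shape of GitHub's REST branch-protection response; the app slug `renovate` and the function name `audit_protection` are assumptions.

```python
import json

# Constructed sample, shaped like the GitHub REST API response for
# GET /repos/{owner}/{repo}/branches/{branch}/protection (not from the thread).
SAMPLE = json.loads("""
{
  "required_pull_request_reviews": {
    "required_approving_review_count": 1,
    "bypass_pull_request_allowances": {"users": [], "teams": [], "apps": []}
  },
  "restrictions": {"users": [], "teams": [], "apps": [{"slug": "renovate"}]},
  "allow_force_pushes": {"enabled": false},
  "allow_deletions": {"enabled": false}
}
""")


def audit_protection(protection, app_slug):
    """Return findings: ways a write-scoped app could still change this branch."""
    if not protection:
        return ["branch is unprotected: any writer can push to it directly"]
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append("pull requests are not required before merging")
    else:
        if reviews.get("required_approving_review_count", 0) < 1:
            findings.append("no approving review is required")
        bypass = reviews.get("bypass_pull_request_allowances") or {}
        if any(a.get("slug") == app_slug for a in bypass.get("apps", [])):
            findings.append(f"{app_slug} may bypass pull request requirements")
    # Being on the push allow-list is only needed if the app should automerge.
    restrictions = protection.get("restrictions") or {}
    if any(a.get("slug") == app_slug for a in restrictions.get("apps", [])):
        findings.append(f"{app_slug} is on the push allow-list (only needed for automerge)")
    for key, text in (("allow_force_pushes", "force pushes are allowed"),
                      ("allow_deletions", "branch deletion is allowed")):
        if (protection.get(key) or {}).get("enabled"):
            findings.append(text)
    return findings


if __name__ == "__main__":
    for finding in audit_protection(SAMPLE, "renovate"):
        print("FINDING:", finding)
```

An empty result means the app's write access is limited to creating its own branches and opening pull requests against the protected branch.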