From c73a2545bf8e7755d6d82d22d06ba6e40d185e4a Mon Sep 17 00:00:00 2001
From: Denis Bilenko <denis.bilenko@databricks.com>
Date: Fri, 13 Mar 2026 17:41:29 +0100
Subject: [PATCH 1/4] Fix Renovate Bot: set RENOVATE_REPOSITORIES

Renovate failed with "No repositories found" because it wasn't told
which repo to manage. Set RENOVATE_REPOSITORIES to the current repo.

See: https://github.com/databricks/cli/pull/4736
Error: "No repositories found - did you want to run with flag --autodiscover?"

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/renovate.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 9ab406d2e7..d8d3c5f537 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -12,3 +12,5 @@ jobs:
       - uses: renovatebot/github-action@0b17c4eb901eca44d018fb25744a50a74b2042df # v46.1.4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+        env:
+          RENOVATE_REPOSITORIES: ${{ github.repository }}

From 94fc60f298ab62bb63ed42e916259cc3933747f5 Mon Sep 17 00:00:00 2001
From: Denis Bilenko <denis.bilenko@databricks.com>
Date: Fri, 13 Mar 2026 17:48:57 +0100
Subject: [PATCH 2/4] Add explicit permissions for Renovate workflow

GITHUB_TOKEN needs contents:write (to push branches) and
pull-requests:write (to open PRs). Without these, Renovate fails
with platform-unknown-error at initRepo.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/renovate.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index d8d3c5f537..62a7488f41 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -5,6 +5,10 @@ on:
     - cron: "0 0 * * 1" # Weekly on Monday at 00:00 UTC
   workflow_dispatch:
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   renovate:
     runs-on: ubuntu-latest

From daa588c95f498d5eff344add0c2f4068a6477f3c Mon Sep 17 00:00:00 2001
From: Denis Bilenko <denis.bilenko@databricks.com>
Date: Fri, 13 Mar 2026 17:54:44 +0100
Subject: [PATCH 3/4] Use GitHub App token for Renovate instead of GITHUB_TOKEN

GITHUB_TOKEN cannot be used with Renovate (documented limitation).
Use the existing DECO_WORKFLOW_TRIGGER GitHub App to generate a token,
matching the pattern already used in push.yml and start-integration-tests.yml.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/renovate.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 62a7488f41..9953df300c 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -5,16 +5,17 @@ on:
     - cron: "0 0 * * 1" # Weekly on Monday at 00:00 UTC
   workflow_dispatch:
 
-permissions:
-  contents: write
-  pull-requests: write
-
 jobs:
   renovate:
     runs-on: ubuntu-latest
     steps:
+      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        id: app-token
+        with:
+          app-id: ${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}
+          private-key: ${{ secrets.DECO_WORKFLOW_TRIGGER_PRIVATE_KEY }}
       - uses: renovatebot/github-action@0b17c4eb901eca44d018fb25744a50a74b2042df # v46.1.4
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
         env:
           RENOVATE_REPOSITORIES: ${{ github.repository }}

From 519c785403c7489d647e2a10b21387f93f005b8c Mon Sep 17 00:00:00 2001
From: Denis Bilenko <denis.bilenko@databricks.com>
Date: Fri, 13 Mar 2026 18:02:32 +0100
Subject: [PATCH 4/4] Use test-trigger-is environment and deco runner for
 Renovate

The DECO_WORKFLOW_TRIGGER secrets are scoped to the test-trigger-is
environment and require the deco runner group, matching the pattern
used in push.yml for integration-trigger.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/renovate.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 9953df300c..25db8dbed1 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -7,7 +7,10 @@ on:
 
 jobs:
   renovate:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-deco-testing-runner-group
+      labels: ubuntu-latest-deco
+    environment: "test-trigger-is"
     steps:
       - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
         id: app-token