Service bots¶
code.modernleft.org runs three service bots. They act on your repositories as collaborators. You grant access to a bot. You never receive credentials from one. Their tokens and signing keys live in a secrets manager and are pulled by the central CI at run time, so nothing secret ever lands in your repository or your workflow logs.
renovate-bot¶
Opens dependency-update pull requests on a fixed whitelist of repositories, every six hours. PRs are commit-signed by the bot (look for the Verified badge).
Getting your repo added: access is by request. Ask the instance admin over Matrix or email. Two things then happen:
- Your repository is added to the bot's central repository list.
- You add
renovate-botas a collaborator with write access on your repository (Settings → Collaborators).
Optionally add a .forgejo/renovate.json to your repo to customize behavior.
It extends the house preset automatically.
commitizen-bot¶
Powers automated version bumps and changelogs via the commitizen-ci image. Bump commits and tags are signed by the bot.
Available to everyone: use conventional commits (feat:, fix:, …) and wire
the commitizen-ci image into your pipeline. The bot's signing key is
not shared to consuming repositories. If your repo runs the bump step
itself, your bumps run unsigned or with your own key. Signed bumps happen via
the central service.
system¶
The instance service account. It owns the container-registry credential used by central CI image builds and signs web-interface merge commits (that's the Verified signature on squash-merges you make in the UI).
You generally don't interact with it directly.