From dbf6b2ff148aa14b74d3f2543d199a16f352878e Mon Sep 17 00:00:00 2001
From: GitHub Actions <actions@github.com>
Date: Mon, 8 Dec 2025 06:42:14 +0000
Subject: [PATCH] fix: Improve token selection logic in Renovate workflow for
 better clarity and error handling

---
 .github/workflows/renovate.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index f1270680..9a379cee 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -20,12 +20,23 @@ jobs:
           fetch-depth: 1
       - name: Choose Renovate Token
         run: |
+          # Prefer explicit tokens (CHARON_TOKEN > CPMP_TOKEN) if provided; otherwise use the default GITHUB_TOKEN
           if [ -n "${{ secrets.CHARON_TOKEN }}" ]; then
             echo "Using CHARON_TOKEN" >&2
             echo "GITHUB_TOKEN=${{ secrets.CHARON_TOKEN }}" >> $GITHUB_ENV
-          else
+          elif [ -n "${{ secrets.CPMP_TOKEN }}" ]; then
             echo "Using CPMP_TOKEN fallback" >&2
             echo "GITHUB_TOKEN=${{ secrets.CPMP_TOKEN }}" >> $GITHUB_ENV
+          else
+            echo "Using default GITHUB_TOKEN from Actions" >&2
+            echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
+          fi
+
+      - name: Fail-fast if token not set
+        run: |
+          if [ -z "${{ env.GITHUB_TOKEN }}" ]; then
+            echo "ERROR: No Renovate token provided. Set CHARON_TOKEN, CPMP_TOKEN, or rely on default GITHUB_TOKEN." >&2
+            exit 1
           fi
 
       - name: Run Renovate