Skip to content
Latchkey

Renovate GITHUB_COM_TOKEN / RENOVATE_TOKEN rate-limit error in CI

Renovate reads release notes and changelogs from github.com even when the platform token is for another host. Without a GITHUB_COM_TOKEN, those lookups are unauthenticated and hit the low anonymous rate limit, causing 403 rate-limit errors.

What this error means

Renovate logs "Rate limit exceeded" or 403 responses from api.github.com while fetching release notes, often on self-hosted or GitHub Enterprise runs, and changelog data is missing from PRs.

Renovate
WARN: GitHub failure: Rate limit exceeded
  Consider setting GITHUB_COM_TOKEN to increase the rate limit
  host: api.github.com

Common causes

Unauthenticated github.com API calls

Fetching public release notes without a token uses the anonymous rate limit, which is quickly exhausted across many repos.

The platform token is for a different host

On GitHub Enterprise or self-hosted runs, the main token targets your host, not github.com, so github.com lookups have no credential.

How to fix it

Set GITHUB_COM_TOKEN for github.com lookups

  1. Create a read-only PAT on github.com (public repo scope is enough for release notes).
  2. Expose it to Renovate as the GITHUB_COM_TOKEN environment variable.
  3. Re-run so github.com API calls are authenticated.
.github/workflows/renovate.yml
env:
  GITHUB_COM_TOKEN: ${{ secrets.RENOVATE_GITHUB_COM_TOKEN }}

Set the platform token separately

Keep RENOVATE_TOKEN for the platform Renovate manages, and GITHUB_COM_TOKEN only for github.com changelog lookups.

How to prevent it

  • Always set GITHUB_COM_TOKEN for changelog lookups off github.com.
  • Use a low-scope read-only PAT for release notes.
  • Separate the platform token from the github.com token.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →