Renovate GITHUB_COM_TOKEN / RENOVATE_TOKEN rate-limit error in CI
Renovate reads release notes and changelogs from github.com even when the platform token is for another host. Without a GITHUB_COM_TOKEN, those lookups are unauthenticated and hit the low anonymous rate limit, causing 403 rate-limit errors.
What this error means
Renovate logs "Rate limit exceeded" or 403 responses from api.github.com while fetching release notes, often on self-hosted or GitHub Enterprise runs, and changelog data is missing from PRs.
WARN: GitHub failure: Rate limit exceeded
Consider setting GITHUB_COM_TOKEN to increase the rate limit
host: api.github.comCommon causes
Unauthenticated github.com API calls
Fetching public release notes without a token uses the anonymous rate limit, which is quickly exhausted across many repos.
The platform token is for a different host
On GitHub Enterprise or self-hosted runs, the main token targets your host, not github.com, so github.com lookups have no credential.
How to fix it
Set GITHUB_COM_TOKEN for github.com lookups
- Create a read-only PAT on github.com (public repo scope is enough for release notes).
- Expose it to Renovate as the GITHUB_COM_TOKEN environment variable.
- Re-run so github.com API calls are authenticated.
env:
GITHUB_COM_TOKEN: ${{ secrets.RENOVATE_GITHUB_COM_TOKEN }}Set the platform token separately
Keep RENOVATE_TOKEN for the platform Renovate manages, and GITHUB_COM_TOKEN only for github.com changelog lookups.
How to prevent it
- Always set GITHUB_COM_TOKEN for changelog lookups off github.com.
- Use a low-scope read-only PAT for release notes.
- Separate the platform token from the github.com token.