Renovate permission issues

Hi there!

I’m having issues configuring Renovate with Gitea.
When renovate-bot tries to look up git-tags on my Gitea instance itself, it runs into permission issues:

DEBUG: Datasource unknown error (repository=user/renovate-test)
       "datasource": "git-tags",
       "packageName": "https://git.domain.tld/user/tag-test",
       "err": {
         "task": {
           "commands": ["ls-remote", "https://git.domain.tld/user/tag-test"],
           "format": "utf-8",
           "parser": "[function]"
         },
        "message": "remote: User permission denied\nfatal: unable to access 'https://git.domain.tld/user/tag-test/': The requested URL returned error: 403\n",
        "stack": "Error: remote: User permission denied\nfatal: unable to access 'https://**redacted**@3.24.0/node_modules/simple-git/src/lib/plugins/error-detection.plugin.ts:42:29)\n    at PluginStore.exec (/usr/local/renovate/node_modules/.pnpm/simple-git@3.24.0/node_modules/simple-git/src/lib/plugins/plugin-store.ts:54:29)\n    at /usr/local/renovate/node_modules/.pnpm/simple-git@3.24.0/node_modules/simple-git/src/lib/runners/git-executor-chain.ts:124:42\n    at new Promise (<anonymous>)\n    at GitExecutorChain.handleTaskData (/usr/local/renovate/node_modules/.pnpm/simple-git@3.24.0/node_modules/simple-git/src/lib/runners/git-executor-chain.ts:121:14)\n    at GitExecutorChain.<anonymous> (/usr/local/renovate/node_modules/.pnpm/simple-git@3.24.0/node_modules/simple-git/src/lib/runners/git-executor-chain.ts:97:40)\n    at Generator.next (<anonymous>)\n    at fulfilled (/usr/local/renovate/node_modules/.pnpm/simple-git@3.24.0/node_modules/simple-git/dist/cjs/index.js:52:24)\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)"
       }

My action config:

name: renovate

on:
  schedule:
    - cron: '0 0 * * *'
  push:
    branches:
      - main

jobs:
  renovate:
    runs-on: "self-hosted"
    container: 
      image: renovate/renovate:37
    steps:
      - uses: actions/checkout@v4
      - run: renovate
        env:
          RENOVATE_CONFIG_FILE: "/workspace/${{ github.repository }}/config.js"
          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
          LOG_LEVEL: "debug"

renovate config.js:

module.exports = {
	endpoint: "https://git.domain.tls/api/v1/",
	gitAuthor: "Renovate Bot <renovate@domain.tld>",
	username: 'renovate-bot',
	platform: "gitea",
	token: process.env.RENOVATE_TOKEN,
	autodiscover: true,
	hostRules: [
		{
			matchHost: "git.domain.tld",
			hostType: "gitea",
			username: "renovate-bot",
			password: process.env.RENOVATE_TOKEN
		}
	]
}

That’s funny because running renovate locally or in a container on my act_runner host, everything works as intended. So this is NOT a permission issue per se.

I added the hostRules because I thought that there might be a problem, but that didn’t help.

So, what might be different between running the container manually and running it via Gitea Actions?

I have spent days trying to debug this. Any help is appreciated!