diff --git a/.woodpecker/renovate.yaml b/.woodpecker/renovate.yaml
new file mode 100644
index 0000000..a1e886b
--- /dev/null
+++ b/.woodpecker/renovate.yaml
@@ -0,0 +1,38 @@
+when:
+ - event: cron
+ cron: renovate # schedule on 0 2 * * *, set in ui
+
+skip_clone: true
+
+steps:
+ - name: Get renovate token from OpenBao
+ image: quay.io/openbao/openbao:2.5.2
+ environment:
+ VAULT_ADDR: https://openbao.lumpiasty.xyz:8200
+ ROLE_ID:
+ from_secret: renovate_role_id
+ SECRET_ID:
+ from_secret: renovate_secret_id
+ commands:
+ - bao write -field token auth/approle/login
+ role_id=$ROLE_ID
+ secret_id=$SECRET_ID > /woodpecker/.vault_id
+ - export VAULT_TOKEN=$(cat /woodpecker/.vault_id)
+ - bao kv get -mount secret -field RENOVATE_TOKEN renovate > /woodpecker/renovate_token
+ - name: Run Renovate
+ image: renovate/renovate:43.108.2-full
+ environment:
+ RENOVATE_AUTODISCOVER: "true"
+ RENOVATE_ENDPOINT: https://gitea.lumpiasty.xyz/api/v1
+ RENOVATE_PLATFORM: gitea
+ RENOVATE_GIT_AUTHOR: Renovate Bot
+ commands:
+ - export RENOVATE_TOKEN=$(cat /woodpecker/renovate_token)
+ - /usr/local/sbin/renovate-entrypoint.sh renovate
+ - name: Invalidate OpenBao token
+ image: quay.io/openbao/openbao:2.5.2
+ environment:
+ VAULT_ADDR: https://openbao.lumpiasty.xyz:8200
+ commands:
+ - export VAULT_TOKEN=$(cat /woodpecker/.vault_id)
+ - bao write -f auth/token/revoke-self
diff --git a/apps/kustomization.yaml b/apps/kustomization.yaml
index f9ade8f..293e409 100644
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@@ -5,7 +5,6 @@ resources:
 - crawl4ai-proxy
 - authentik
 - gitea
- - renovate
 - frigate
 - llama
 - immich
diff --git a/apps/renovate/configmap.yaml b/apps/renovate/configmap.yaml
deleted file mode 100644
index 324e1ba..0000000
--- a/apps/renovate/configmap.yaml
+++ /dev/null
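Review bot: The "Invalidate OpenBao token" step at the end of the .woodpecker/renovate.yaml hunk only runs when "Run Renovate" succeeds, so a failed Renovate run leaves the AppRole token live until its TTL expires; giving that step `when:` / `  - status: [success, failure]` makes the revocation unconditional. The Gitea token is also written to `/woodpecker/renovate_token` and never removed, so appending `- rm -f /woodpecker/renovate_token /woodpecker/.vault_id` to the final step's commands keeps both secrets out of anything that outlives the workspace. The `bao write ... auth/approle/login` command is a plain scalar spread over three lines; YAML folds it into one command, which works, but a `>-` block scalar would make that folding explicit to the next reader.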
@@ -1,11 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- namespace: renovate
- name: renovate-config
-data:
- RENOVATE_AUTODISCOVER: "true"
- RENOVATE_ENDPOINT: https://gitea.lumpiasty.xyz/api/v1
- RENOVATE_PLATFORM: gitea
- RENOVATE_GIT_AUTHOR: Renovate Bot
diff --git a/apps/renovate/cronjob.yaml b/apps/renovate/cronjob.yaml
deleted file mode 100644
index 4a62cd2..0000000
--- a/apps/renovate/cronjob.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: renovate
- namespace: renovate
-spec:
- schedule: "@daily"
- concurrencyPolicy: Forbid
- jobTemplate:
- spec:
- template:
- spec:
- containers:
- - name: renovate
- # Update this to the latest available and then enable Renovate on
- # the manifest
- image: renovate/renovate:43.108.2-full
- envFrom:
- - secretRef:
- name: renovate-gitea-token
- - configMapRef:
- name: renovate-config
- restartPolicy: Never
diff --git a/apps/renovate/kustomization.yaml b/apps/renovate/kustomization.yaml
deleted file mode 100644
index d9465a6..0000000
--- a/apps/renovate/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - namespace.yaml
- - configmap.yaml
- - secret.yaml
- - cronjob.yaml
diff --git a/apps/renovate/namespace.yaml b/apps/renovate/namespace.yaml
deleted file mode 100644
index 4d1baf0..0000000
--- a/apps/renovate/namespace.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: renovate
diff --git a/apps/renovate/secret.yaml b/apps/renovate/secret.yaml
deleted file mode 100644
index aeb4e7f..0000000
--- a/apps/renovate/secret.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: renovate
- namespace: renovate
----
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultAuth
-metadata:
- name: renovate
- namespace: renovate
-spec:
- method: kubernetes
- mount: kubernetes
- kubernetes:
- role: renovate
- serviceAccount: renovate
----
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
- name: renovate-gitea-token
- namespace: renovate
-spec:
- type: kv-v2
-
- mount: secret
- path: renovate
-
- destination:
- create: true
- name: renovate-gitea-token
- type: Opaque
- transformation:
- excludeRaw: true
-
- vaultAuthRef: renovate
diff --git a/vault/approles/ci-renovate.yaml b/vault/approles/ci-renovate.yaml
new file mode 100644
index 0000000..8aaa977
--- /dev/null
+++ b/vault/approles/ci-renovate.yaml
@@ -0,0 +1,4 @@
+token_ttl: 20m
+token_max_ttl: 20m
+policies:
+ - renovate
\ No newline at end of file
diff --git a/vault/kubernetes-auth-roles/renovate.yaml b/vault/kubernetes-auth-roles/renovate.yaml
deleted file mode 100644
index f8cb9bc..0000000
--- a/vault/kubernetes-auth-roles/renovate.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-bound_service_account_names:
- - renovate
-bound_service_account_namespaces:
- - renovate
-token_policies:
- - renovate
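Review bot: The new vault/approles/ci-renovate.yaml uses `policies:` where the kubernetes-auth role it replaces (the last hunk on this line) used `token_policies:`; if these files map onto the AppRole role write parameters, `policies` is the deprecated alias of `token_policies`, so `token_policies:` keeps the two role directories consistent. Nothing in the file bounds the secret_id (no `secret_id_ttl` or `secret_id_num_uses`), which, if this is the complete role definition, leaves the secret stored in Woodpecker reusable indefinitely by default — worth confirming against whatever applies these files. The file also lacks a trailing newline.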