I found the docs and error output quite unclear, to be honest - perhaps because the first result referred to a Github token, and I wasn't using Github at all. Turned out (I think) the Github token is required for reading package changelogs ... OK then.
GITHUB_COM_TOKEN=<token from github> RENOVATE_TOKEN=<token for your project>
The Gitlab token can be a project token with API access, rather than a user token, so I'd recommend that; then the MRs appear to come from the bot rather than your user.
The tool acts on the remote repository, not your local codebase. I spent a while trying
renovate . and wondering why it didn't see the renovate config ... cos that config wasn't in the repo.