
Renovate is a tool to automate dependency updates. This component allows you to run Renovate in a GitLab CI pipeline and update dependencies in your projects.

Also see lint-renovate.

Concept

Security Model

Variables

| Name | Required | Hints |
| --- | --- | --- |
| GITLAB_TOKEN | yes | Permissions: api, read_api, read_registry |
| GITHUB_TOKEN | optional | deprecated, see below |

Setup

  • Create a service account called renovate or a user called renovate
  • Create a repository called renovate-runner
  • Populate variable GITLAB_TOKEN with a token of renovate
  • Create the pipeline configuration for the repository renovate-runner
  • Create a pipeline schedule for the repository renovate-runner, e.g. once a day starting after 0:00. The pipeline schedule must match the schedule configured in the Renovate presets.
spec:
  inputs:
    extra-flags:
      description: 'Extra flags to pass to renovate. --autodiscover-filter="xrow-public/example-project" or --autodiscover-namespaces="xrow-public,xrow-shared"'
      default: ""
      type: string
    log-level:
      default: warn
      type: string
      options: [debug, info, warn, error, fatal]

---

include:
  - component: $CI_SERVER_FQDN/xrow-public/ci-tools/common@stable
  - component: $CI_SERVER_FQDN/xrow-public/ci-tools/renovate-runner@stable
    inputs:
      onboarding-config: '{"$$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": ["local>mygroup/renovate-config"] }'
      extra-flags: '$[[ inputs.extra-flags ]]'
      log-level: '$[[ inputs.log-level ]]'
      repository-cache: enabled

or

...
  - component: $CI_SERVER_FQDN/xrow-public/ci-tools/renovate-runner@stable
    inputs:
      ...
      extra-flags: "--autodiscover-namespaces=mygroup/*"
  • Create a repository called renovate-config with presets according to the documentation.

renovate-config example

You can see renovate-config as an example.

The basic renovate workflow of renovate-config

  • Do not interfere when developers work.
  • Renovate will run once a day.
  • Renovate will try to merge minor and patch updates on weekends.
  • Accept major updates via the dependency dashboard in your project.
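The four workflow points above can be expressed in a single shared preset. The following default.json is an added example written for this page, not the contents of the xrow-public renovate-config repository; the preset path mygroup/renovate-config, the timezone and the assumption that the daily pipeline schedule of renovate-runner also runs on Saturdays and Sundays are my own.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "description": "Example shared preset (not the project's own). Daily runs come from the pipeline schedule of renovate-runner, not from this file.",
  "extends": ["config:recommended"],
  "timezone": "Europe/Berlin",
  "dependencyDashboard": true,
  "packageRules": [
    {
      "description": "Minor and patch updates: the MR may be opened on any day, but it is only automerged on weekends so nothing lands while developers work.",
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true,
      "automergeSchedule": ["every weekend"]
    },
    {
      "description": "Major updates are never automerged; each one waits until it is ticked in the Dependency Dashboard issue of the project.",
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "dependencyDashboardApproval": true
    }
  ]
}
```

Projects consume the preset with the onboarding configuration shown in the setup above ("extends": ["local>mygroup/renovate-config"]). Automerge only works if the renovate bot holds the Maintainer role on the group; with the Developer role the weekend automerge silently degrades to an ordinary merge request that a human has to merge.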

Project onboarding

  • Add the renovate bot as a maintainer to the root groups. If you want to exclude renovate from automerge, degrade it to the role developer.
  • Configure a renovate.json or accept the onboarding ticket. Each new project gets an onboarding merge request titled "Configure Renovate".
  • The setup is now complete and you will receive a Dependency Dashboard and updates from the renovate bot.

Project offboarding

  • Remove the renovate bot from your group or project.

Configure access to GitHub dependencies

  • Add variable GITHUB_TOKEN
include:
  - component: $CI_SERVER_FQDN/xrow-public/ci-tools/common@stable
  - component: $CI_SERVER_FQDN/xrow-public/ci-tools/renovate-runner@stable
    inputs:
      host-rules:
        ...
        - matchHost: github.com
          token: "${GITHUB_TOKEN}"

Configure access to your private registry

  • Add variable MY_REGISTRY_USERNAME
  • Add variable MY_REGISTRY_PASSWORD
include:
  - component: $CI_SERVER_FQDN/xrow-public/ci-tools/common@stable
  - component: $CI_SERVER_FQDN/xrow-public/ci-tools/renovate-runner@stable
    inputs:
      host-rules:
        ...
        - matchHost: registry.example.com
          username: "${MY_REGISTRY_USERNAME}"
          password: "${MY_REGISTRY_PASSWORD}"

Example: permissions for a Harbor user with read access to all projects.

Add the following permissions for all projects:

  • Artifact: List, Read
  • Repository: List, Pull, Read
  • Tag: List

Local debugging of renovate

# install the renovate CLI globally
npm i -g renovate
# verbose logging for the local run
export LOG_LEVEL=debug
# token for github.com lookups (release notes, changelogs); XXX is a placeholder
export RENOVATE_GITHUB_COM_TOKEN='XXX'
# run against the current working directory instead of a GitLab project and discard the repository cache
npx renovate --platform=local --repository-cache=reset

Debug renovate

  • Look in the pipeline runs of the runner project.
  • Look at the dashboard of your renovated project, see the open PRs and the dependency status.
  • Raise the log level to debug (the log-level input).

Inputs

| Name | Description | Default | Type |
| --- | --- | --- | --- |
| autodiscover | Whether to enable autodiscovery for Renovate | true | string |
| ca-certs-path | The path to the CA certificates file | | string |
| config | Configuration to configure Renovate | | string |
| extra-flags | Extra flags to pass to Renovate such as --autodiscover-filter=group/* or --autodiscover-namespaces=group1,group2 | | string |
| host-rules | Global host rules to configure Renovate for private registries | [] | array |
| ignore-pr-author | Whether to ignore the author of the pull request | false | boolean |
| log-file-level | The log level to use for Renovate in the log file | debug | string |
| log-level | The log level to use for Renovate | info | string |
| name | The name of the job to create | renovate | string |
| needs | The jobs that this job depends on. | [] | array |
| onboarding-config | Contents of the Renovate onboarding configuration file | {"$$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": ["config:recommended"] } | string |
| repository-cache | Decide if Renovate uses a JSON cache to speed up extractions. See https://docs.renovatebot.com/self-hosted-configuration/#repositorycache | disabled | string |
| rules | The pipeline rules that decide when the job runs. | [{"if":"$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && ($CI_PIPELINE_SOURCE == \"web\" \|\| $CI_PIPELINE_SOURCE == \"schedule\")","when":"on_success"},{"when":"never"}] | array |
| stage | The stage to run the job in | build | string |
| timeout | Timeout for the Renovate job | 2h | string |