Renovate is a tool to automate dependency updates. This component allows you to run Renovate in a GitLab CI pipeline and update dependencies in your projects.
Also see lint-renovate
## Concept

## Security Model

## Variables
| Name | required | Hints |
|---|---|---|
| GITLAB_TOKEN | yes | Permissions: api, read_api, read_registry |
| GITHUB_TOKEN | optional | deprecated, see below |
| RENOVATE_NODE_ARGS | optional | Custom configuration for the NodeJS process Renovate runs in, see Configure memory usage below |
## Setup

- Create a service account called `renovate` or a user called `renovate`
- Create a repository called `renovate-runner`
- Populate the variable `GITLAB_TOKEN` with a token of `renovate`
- Create the pipeline configuration for the repository `renovate-runner`
- Create the pipeline schedule, e.g. once a day starting after `0:00`, for the repository `renovate-runner`. The schedule must match the Renovate presets schedule.
```yaml
spec:
  inputs:
    extra-flags:
      description: 'Extra flags to pass to renovate. --autodiscover-filter="xrow-public/example-project" or --autodiscover-namespaces="xrow-public,xrow-shared"'
      default: ""
      type: string
    log-level:
      default: info
      type: string
      options: [debug, info, warn, error, fatal]
---
include:
  - component: $CI_SERVER_FQDN/xrow-public/ci-tools/common@stable
  - component: $CI_SERVER_FQDN/xrow-public/ci-tools/renovate-runner@stable
    inputs:
      onboarding-config: '{"$$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": ["local>mygroup/renovate-config"] }'
      extra-flags: '$[[ inputs.extra-flags ]]'
      log-level: '$[[ inputs.log-level ]]'
      repository-cache: enabled
```

or

```yaml
...
  - component: $CI_SERVER_FQDN/xrow-public/ci-tools/renovate-runner@stable
    inputs:
      ...
      extra-flags: "--autodiscover-namespaces=mygroup/*"
```
- Create a repository called `renovate-config` with presets according to the documentation.
## renovate-config example

You can see renovate-config as an example.

The basic Renovate workflow of `renovate-config`:
- Do not interfere when developers work.
- Renovate will run once a day.
- Renovate will try to merge minor and patch updates on weekends.
- Accept major updates via the dependency dashboard in your project.
## Project onboarding

- Add the `renovate` bot as a maintainer to the root groups. If you want to exclude `renovate` from `automerge`, degrade it to the role developer.
- Configure a `renovate.json` or accept the onboarding ticket. Each new project will have an onboarding merge request `Configure Renovate`.
- The setup is now complete and you will receive a `Dependency Dashboard` and updates from the `renovate` bot.
## Upgrading arbitrary software dependencies

The renovate-config includes some rules for upgrading arbitrary software dependencies. Here are examples of how to use them.

Containerfile example:

```dockerfile
# renovate: datasource=gitlab-releases depName=gitlab-org/cli
ARG GLAB_VERSION=1.82.0
RUN dnf install -y https://gitlab.com/gitlab-org/cli/-/releases/v${GLAB_VERSION}/downloads/glab_${GLAB_VERSION}_linux_amd64.rpm
```

GitLab CI example:

```yaml
# renovate: datasource=gitlab-releases depName=gitlab-org/cli
variables:
  GLAB_VERSION: 1.82.0
```
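The `# renovate:` annotation above is picked up by a custom regex manager in renovate-config. As an added example (not the rule shipped in renovate-config), the following Python reproduces that matching with an assumed pattern over the two snippets from this page and applies a version bump in place, which is what Renovate's merge request does for you. Renovate itself expresses the same named groups (`datasource`, `depName`, `currentValue`) in a `customManagers` entry using JavaScript `(?<name>...)` syntax.

```python
import re

# Sample inputs constructed for this example: the two snippets shown on the page.
CONTAINERFILE = """\
# renovate: datasource=gitlab-releases depName=gitlab-org/cli
ARG GLAB_VERSION=1.82.0
RUN dnf install -y https://gitlab.com/gitlab-org/cli/-/releases/v${GLAB_VERSION}/downloads/glab_${GLAB_VERSION}_linux_amd64.rpm
"""

GITLAB_CI = """\
# renovate: datasource=gitlab-releases depName=gitlab-org/cli
variables:
  GLAB_VERSION: 1.82.0
"""

# Assumed matcher (not renovate-config's own regex): an annotation comment followed,
# at most one line later, by `ARG NAME=value` (Containerfile) or `NAME: value` (YAML).
ANNOTATION = re.compile(
    r"#\s*renovate:\s*datasource=(?P<datasource>\S+)\s+depName=(?P<depName>\S+)"
    r"(?:\s+versioning=(?P<versioning>\S+))?[^\n]*\n"
    r"(?:[^\n]*\n)??"              # lazily skip one intermediate line such as `variables:`
    r"\s*(?:ARG\s+)?(?P<varName>[A-Z_][A-Z0-9_]*)(?:=|:\s*)\"?(?P<currentValue>[^\s\"]+)"
)


def find_annotated_deps(text: str) -> list[dict]:
    """Return one dict per annotation: datasource, depName, varName, currentValue (+ versioning)."""
    return [
        {k: v for k, v in m.groupdict().items() if v is not None}
        for m in ANNOTATION.finditer(text)
    ]


def bump(text: str, dep_name: str, new_version: str) -> str:
    """Rewrite only the currentValue of `dep_name`, leaving every other byte untouched."""
    def repl(m: re.Match) -> str:
        if m.group("depName") != dep_name:
            return m.group(0)
        start, end = m.span("currentValue")
        whole = m.group(0)
        return whole[: start - m.start()] + new_version + whole[end - m.start():]
    return ANNOTATION.sub(repl, text)


if __name__ == "__main__":
    for sample in (CONTAINERFILE, GITLAB_CI):
        print(find_annotated_deps(sample))
    print(bump(CONTAINERFILE, "gitlab-org/cli", "1.83.0"))
```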
## Project offboarding

- Remove the `renovate` bot from your group or project.
## Configure access to GitHub dependencies

- Add the variable `GITHUB_TOKEN`

```yaml
include:
  - component: $CI_SERVER_FQDN/xrow-public/ci-tools/common@stable
  - component: $CI_SERVER_FQDN/xrow-public/ci-tools/renovate-runner@stable
    inputs:
      host-rules:
        ...
        - matchHost: github.com
          token: "${GITHUB_TOKEN}"
```
## Configure access to your private registry

- Add the variable `MY_REGISTRY_USERNAME`
- Add the variable `MY_REGISTRY_PASSWORD`

```yaml
include:
  - component: $CI_SERVER_FQDN/xrow-public/ci-tools/common@stable
  - component: $CI_SERVER_FQDN/xrow-public/ci-tools/renovate-runner@stable
    inputs:
      host-rules:
        ...
        - matchHost: registry.example.com
          username: "${MY_REGISTRY_USERNAME}"
          password: "${MY_REGISTRY_PASSWORD}"
        - matchHost: registry.redhat.io
          username: "${RH_REGISTRY_USERNAME}"
          password: "${RH_REGISTRY_PASSWORD}"
```

Example: configure the permissions of a Harbor user that only needs to read all projects.
Add the following permissions for all projects:
- Artifact: List, Read
- Repository: List, Pull, Read
- Tag: List
## GitLab package registry access

The default Renovate configuration authenticates against the current GitLab instance for the package registry types commonly hosted by GitLab. The component configures host rules for the GitLab platform, container registry, and package registry access for Maven, npm, NuGet, PyPI, Helm, Terraform modules, Ruby gems, and Go packages automatically. Use host-rules only when a project needs different credentials or an additional external registry.
## Configure memory usage

Sometimes Renovate fails with 'Out of Memory' errors. For example, see Renovate OOM issues on Kubernetes. When this happens, provide more memory with the following at the beginning of your pipeline configuration:

```yaml
variables:
  RENOVATE_NODE_ARGS: "--max-old-space-size=4096"
  KUBERNETES_MEMORY_REQUEST: "4Gi"
  KUBERNETES_MEMORY_LIMIT: "8Gi"
```

Tune the values according to your needs. The CI/CD variables `KUBERNETES_MEMORY_REQUEST` and `KUBERNETES_MEMORY_LIMIT` are the standard way to override container resources in the GitLab Runner Kubernetes executor.
## Local debugging of Renovate

```sh
npm i -g renovate
export LOG_LEVEL=debug
export RENOVATE_GITHUB_COM_TOKEN='XXX'
npx renovate --platform=local --repository-cache=reset
```
## Debug Renovate

- Look in the pipeline runs of the runner project.
- Look at the dashboard of your renovated project, see the open MRs and the dependency status.
- Turn on debug output by setting the `log-level` input to `debug`.
## Inputs

| Name | Description | Default | Type |
| --- | --- | --- | --- |
| autodiscover | Whether to enable autodiscovery for Renovate | true | string |
| ca-certs-path | The path to the CA certificates file | | string |
| config | Renovate configuration | | string |
| config-file | Path to the configuration file for Renovate | config.js | string |
| extra-flags | Extra flags to pass to Renovate such as --autodiscover-filter=group/* or --autodiscover-namespaces=group1,group2 | | string |
| host-rules | Global host rules to configure Renovate for private registries | [] | array |
| ignore-pr-author | Whether to ignore the author of the pull request | false | boolean |
| log-file-level | The log level to use for Renovate in the log file | debug | string |
| log-level | The log level to use for Renovate | info | string |
| name | The name of the job to create | renovate | string |
| needs | The jobs that this job depends on. | [] | array |
| onboarding-config | Contents of the Renovate onboarding configuration file | {"$$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": ["config:recommended"] } | string |
| repository-cache | Decide if Renovate uses a JSON cache to speed up extractions. See https://docs.renovatebot.com/self-hosted-configuration/#repositorycache | disabled | string |
| rules | The rules that decide when the job runs | [{"if":"($CI_PIPELINE_SOURCE == \"web\" \|\| $CI_PIPELINE_SOURCE == \"schedule\")","when":"on_success"},{"when":"never"}] | array |
| stage | The stage to run the job in | build | string |
| timeout | Timeout for the Renovate job | 2h | string |