Renovate Bot

Automated dependency Updates

youssef elhayani
Dec 20, 2020

Generally, when we start a new project we use the latest versions of our dependencies, but over time these dependencies become outdated. If we do nothing and leave them on outdated versions, we miss out on several things:
- Security fixes
- New features
- Performance improvements …

All this because we have not updated our dependencies, and by the day we realize it, it will be difficult to catch up.
Doing updates manually is tedious and takes a lot of time. One solution is Renovate Bot, the subject of this article: a tool that automates the process of updating our dependencies.

How can we use it?

Renovate offers two ways to install it: directly on our repository as a plugin, or on our own machines in self-hosting mode.
In this article we will talk about Renovate in plugin mode; if you want to install it on your own machine, this link should help you: https://docs.renovatebot.com/self-hosting/

Use Renovate in GitHub (this is also valid for GitLab, Bitbucket ...)

As we have just said, we can use Renovate as a plugin. We find it in the GitHub Marketplace; clicking on the Renovate plugin takes us to the description page, which contains the installation link and access to the configuration.

Github Marketplace

After the installation, we have to configure our bot. First, choose the repositories on which you want to activate Renovate. After this step, you will receive a “Configure Renovate” Pull Request for each repository for which you activated Renovate. You should merge this PR in order to activate Renovate, and that’s all you need to work with Renovate.

How does this tool work?

Now that we have installed Renovate, it’s time to understand how it works. In fact it’s really easy; this diagram summarizes the workflow of Renovate:

Renovate workflow

First, Renovate launches a job which scans our dependencies. If it finds an obsolete dependency, it systematically creates a branch named after the dependency to update, then updates this dependency and creates a Pull Request.

Update by Renovate Bot

If the PR is approved, Renovate will remove the orphan branch. This is basically how Renovate works. There is another type of Pull Request created by Renovate, called pin dependencies, which should be merged at the beginning; pin dependencies is a global update of all dependencies.

The question running through your mind now is: “everything you just said is great, but is it enough to automate the process of updating our dependencies?” The answer is: not really. What has been done at this point does not allow end-to-end automation.

We have activated Renovate with the default configuration, and as we saw in the Renovate workflow, there is always human intervention to approve the pull request.

How can we optimize Renovate's workflow so that it can be automated from end to end?

To do that, we can override the default configuration through the renovate.json configuration file. This file is created by the “Configure Renovate” pull request; at the beginning it will look like this:

renovate.json file

There is so much we can do with this config file. We can authorize automerge on minor versions, patches … There is even a way to automerge major versions, but it would be a little “dangerous” to do that. Here is an example of a Renovate configuration which allows automerge:

Configuration to automerge updates for minor/patch versions of a dependency

Through this configuration, we can say that we have taken a step towards our goal of automation, but this is just for minor and patch versions. As we said, for the other versions it is still “dangerous” to allow automerge, but it’s possible by carrying out controls on the PRs; we will see how. We can also configure Renovate to launch jobs on a specific schedule.

This configuration will allow us to tell Renovate to launch the jobs between 10 p.m. and 5 a.m., and every weekend for 24 hours.

Run checks for each Pull Request before doing automerge:

This is the best part: we can create a job (with GitLab, Travis CI, Jenkins) which will build our project or trigger automated tests after each Renovate pull request. We can go even further and configure our renovate.json file so that it allows automerge only on the Pull Requests that have passed the checks of our CI job.

Renovate workflow after the CI Job
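
A renovate.json combining the settings discussed above (automerge limited to minor and patch updates, major updates left for manual review, the night and weekend schedule, and automerge gated on CI), as an added example that is not the article's original file. The timezone value is constructed, and option names follow current Renovate documentation (config:base is named config:recommended in newer releases).

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "description": "Constructed example, not the article's original renovate.json",
  "extends": ["config:base"],
  "timezone": "Europe/Paris",
  "schedule": [
    "after 10pm and before 5am every weekday",
    "every weekend"
  ],
  "ignoreTests": false,
  "packageRules": [
    {
      "description": "Automerge minor and patch updates once the branch's status checks are green",
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    },
    {
      "description": "Major updates stay manual: a human reviews and merges the PR",
      "matchUpdateTypes": ["major"],
      "automerge": false
    }
  ]
}
```

With ignoreTests left at false, Renovate waits for the branch's status checks to pass before automerging, so a failing CI job leaves the PR open for a human.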

By doing this, we can say that we have automated the process of updating our dependencies. If the checks do not pass, it is necessary to change things in our source code, and unfortunately Renovate cannot do that for us.

Conclusion:

In my opinion, working with a tool like Renovate Bot to automate the update process should become a necessity: it will prevent us from wasting our time doing this manually and, above all, avoid having to do a migration each time.
If you are wondering what else you can do and automate with GitHub apps and actions, just have a look at the Marketplace.
I hope you liked it. If you’ve got any questions, suggestions, or feedback in general, don’t hesitate to reach out on any of the social networks or by mail.
