
Renovate dependency manager

Introduction

Keeping dependencies up to date is crucial for maintaining software security. In medium to large projects, this can involve reviewing numerous external dependencies—from NuGet packages to Helm charts—making it challenging to keep pace. This blog post examines a centralized dependency update pattern and explores how a tool called Renovate can simplify the upgrade process.

Renovate

Renovate is an open-source automated dependency update tool from Mend. It scans repositories for dependencies, checks for updates, and automatically creates pull requests when newer versions are available. Renovate supports a wide range of package ecosystems, including npm, NuGet, Docker, Helm, and many others.

Renovate runs as a GitHub App, GitLab integration, or self-hosted solution.

Why not Dependabot?

I have previously used Dependabot instead of Renovate. However, it seems to have stagnated in development, leaving important sources unsupported, e.g., Helm Charts and ArgoCD Applications. Renovate has support for custom patterns and a wide range of dependency managers, making it suitable for ArgoCD Applications, for example: https://docs.renovatebot.com/modules/manager/argocd/#file-matching.

Central update pattern

I use the self-hosted version of Renovate, running it as a GitHub Action. The action runs in one repo that reaches out to multiple repositories. This centralized approach configures Renovate to scan multiple repositories from a cron job for dependencies from a single location, rather than setting up separate jobs in each repository. This strategy simplifies the process of adding new repositories and allows for centralized configuration of update policies, eliminating the need to modify settings in each repo.

I have installed a self-hosted GH App by following the Renovate guide at: https://docs.renovatebot.com/modules/platform/github/#running-as-a-github-app, which allows me complete control over what the Renovate GitHub Action has access to, and I avoid expiring access tokens.

Renovate lets us extend the shared configuration for individual repositories. One example is a GitOps repository with a lot of YAML in specific folders, which uses the argocd manager with the following renovate.json:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended"
  ],
  "argocd": {
    "managerFilePatterns": ["/argocd/.+\\.yaml$/"]
  }
}

In short, the configuration common to all repositories goes into the central repository, leaving the configuration in each monitored repository smaller and limited to what is specific to that repository. The central repo, https://github.com/fredrkl/dependency-updater, which monitors https://github.com/fredrkl/trying-out-template, showcases this pattern.

Renovate configuration

The shared central configuration automatically merges minor and patch releases according to the semantic versioning scheme. Additionally, it uses the Renovate config:best-practices preset. Developers can trigger the GitHub Action manually in addition to its scheduled run once a day from a cron expression.

I use renovate-config-validator to validate my configuration. It ships as part of the renovate CLI.

renovate-config-validator renovate.json

Summary

This blog post has explored the centralized dependency update pattern using Renovate, a powerful automated tool that streamlines the process of keeping software dependencies up to date. By implementing a self-hosted version of Renovate as a GitHub or GitLab Action in a central repository, developers can efficiently manage dependencies across multiple projects from a single location. This approach offers several advantages:

  • Simplified management through a "set it and forget it" approach that continuously monitors dependencies
  • Extensive customization options to match specific project requirements
  • Support for numerous package ecosystems beyond what alternatives like Dependabot offer
  • Centralized configuration that reduces overhead when adding new repositories

By adopting this pattern, teams can maintain better security practices while reducing the manual effort required to keep dependencies current across their software ecosystem.

Published in cloud-native GitHub k8s kubernetes
