Automating Dependency Management

Patrick J. Roddy

2023-11-14

Introduction

Dependencies Are Inevitable

xkcd:2347

Automation Saves Time?

xkcd:1319

We’ve All Done This At Some Point

What About Security Updates?

Why Should I Update?

xkcd:2224

Renovate

Why Use Renovate?

  • Get automated Pull Requests to update your dependencies
    • Reduce noise by running Renovate on a schedule, for example:
      • on weekends
      • outside of working hours
      • each week
      • each month
  • Relevant package files are discovered automatically

Why Use Renovate?

  • Supports monorepo architectures and workspaces with no extra configuration
  • Bot behavior is customisable via configuration files (config as code)
  • Use ESLint-like shared config presets for ease of use and to simplify configuration (JSON format only)
  • Lock files are supported and updated in the same commit, including immediately resolving conflicts whenever PRs are merged

Why Use Renovate?

  • Get replacement PRs to migrate from a deprecated dependency to the community-suggested replacement; works with most managers (see issue 14149 for exceptions)
  • Open source (installable via npm/Yarn or Docker Hub), so it can be self-hosted or used via the Mend Renovate App

Open Source Projects

How to Set Up

Install the Application

https://github.com/apps/renovate

Example Config

{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: [
    "config:best-practices",
    "schedule:weekdays",
    ":assignAndReview(paddyroddy)",
    ":automergeBranch",
    ":automergeDigest",
    ":automergeMinor",
    ":automergePatch",
    ":disableDependencyDashboard",
    ":enablePreCommit",
    ":label(renovate)",
    ":maintainLockFilesMonthly",
    ":noUnscheduledUpdates",
  ],
  commitMessageAction: "Renovate:",
  "git-submodules": {
    enabled: true,
  },
  packageRules: [
    {
      description: "Only allow major updates",
      enabled: false,
      matchDepNames: ["renovatebot/pre-commit-hooks"],
      matchUpdateTypes: ["minor", "patch", "pin"],
    },
    {
      description: "Combine updates together",
      groupName: "paddyroddy/.github",
      matchDepNames: ["paddyroddy/.github"],
    },
    {
      description: "Shorten commit titles",
      commitMessageTopic: "{{depName}}",
      matchManagers: ["github-actions", "pre-commit"],
    },
  ],
}
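
To see how the packageRules above resolve for a given update, here is an added Python sketch (not Renovate's own code) that applies them with the documented semantics: rules are evaluated in order, a rule applies only when every match* condition it declares is satisfied, and later matching rules override earlier ones. The sample updates fed to it are constructed; only the three matchers used in this config are modelled.

```python
# Added example: simplified re-implementation of Renovate packageRules
# resolution for one dependency update. Not Renovate's code.

# The packageRules from the example config above, as Python data.
PACKAGE_RULES = [
    {
        "description": "Only allow major updates",
        "enabled": False,
        "matchDepNames": ["renovatebot/pre-commit-hooks"],
        "matchUpdateTypes": ["minor", "patch", "pin"],
    },
    {
        "description": "Combine updates together",
        "groupName": "paddyroddy/.github",
        "matchDepNames": ["paddyroddy/.github"],
    },
    {
        "description": "Shorten commit titles",
        "commitMessageTopic": "{{depName}}",
        "matchManagers": ["github-actions", "pre-commit"],
    },
]

# Maps each modelled match* key to the update field it tests (assumption:
# only these three matchers are supported by this sketch).
MATCHERS = {
    "matchDepNames": "depName",
    "matchManagers": "manager",
    "matchUpdateTypes": "updateType",
}


def rule_matches(rule, update):
    """A rule matches only if every match* condition it declares is satisfied."""
    conditions = [(k, v) for k, v in rule.items() if k in MATCHERS]
    if not conditions:
        return False  # a rule with no matcher is treated as non-matching here
    return all(update[MATCHERS[k]] in allowed for k, allowed in conditions)


def resolve(update, rules=PACKAGE_RULES):
    """Effective per-update settings after applying all matching rules in order."""
    effective = {"enabled": True}  # updates are enabled unless a rule disables them
    for rule in rules:
        if rule_matches(rule, update):
            effective.update({k: v for k, v in rule.items()
                              if k not in MATCHERS and k != "description"})
    return effective


if __name__ == "__main__":
    # Constructed sample updates: only the major bump of pre-commit-hooks gets a PR.
    hooks = "renovatebot/pre-commit-hooks"
    for kind in ("minor", "major"):
        print(kind, resolve({"depName": hooks, "manager": "pre-commit", "updateType": kind}))
```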

Config is Reusable!

{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: [
    "github>paddyroddy/.github//renovate/default-config.json5",
    "schedule:monthly",
  ],
  "pre-commit": {
    fileMatch: [
      "precommit/general/general-hooks.yaml",
      "precommit/latex/latex-hooks.yaml",
      "precommit/python/python-hooks.yaml",
    ],
  },
}

Automerging

The GitHub automerge setting is required

It is highly recommended to ensure you have tests that will operate on the Renovate branches.

on:
  push:
    branches:
      - main
      # also run the workflow on Renovate's branches, so automerge is gated on
      # the same tests as everything else
      - "renovate/**"
  pull_request:

Rulesets - Status Checks

Rulesets - Pull Requests

Monitoring

Conclusions

Summary

  • Renovate is massively flexible
  • Maintainers respond incredibly quickly
  • Renovate is widely used
  • If you think it can be automated, it probably can
  • Be careful with CI use in private projects (ask MIRSG 😉)
  • Embrace automerging (if you like inbox zero)
  • Renovate renovates itself very frequently
  • There’s always more to learn!

Demo Time

https://developer.mend.io