We all know that keeping dependencies up to date is a tedious process. For way too long I have been doing this manually on many projects. You need to remember to periodically check all dependencies and see if there are any updates. If there are (there always are), you need to manually install and test them.
No longer. Thanks to Renovate I managed to automate most of this away. It scans your dependencies and opens pull requests for any new update. You might have heard of Dependabot by GitHub. Renovate is that, but on steroids: it offers more customizations and features that allow for greater automation. This is particularly nice for those forgotten site projects that you no longer spend a lot of time on but that still need to be kept up to date.
Workflow
Here's what I want the tool to do for me:
- Updates need to be grouped together and delivered every Monday morning. This prevents me from getting daily dependency updates, which can be annoying. It also keeps infrastructure cost down by running the CI/CD pipeline once instead of separately for every single package update.
- The earliest a package update should be installed is 7 days after its release. This minimizes the risk of bringing malicious code into the project before such attacks can be discovered.
- Non-breaking updates (patch and minor versions) should be automatically merged into `main`, provided the tests on the pull request pass.
- For major updates, pull requests should be opened but neither grouped nor automatically merged. That's because reading the changelog and manually dealing with potential breaking changes is required for each package.
Setup
To get started, add Renovate's GitHub App to your profile. Then choose which repositories you want to use it on.
Renovate will now automatically create a pull request that adds a `renovate.json` file to your repository. You can also move this file into the `.github/` subfolder if you like. However, to make Renovate behave the way we want, the config must be extended.
Here's what my `renovate.json` file looks like. It implements the workflow I described above.
```json
{
  "extends": ["config:base"],
  "stabilityDays": 7,
  "prCreation": "not-pending",
  "internalChecksFilter": "strict",
  "updateNotScheduled": true,
  "timezone": "Europe/Zurich",
  "schedule": ["before 5am on Monday"],
  "packageRules": [
    {
      "matchPackagePatterns": ["*"],
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "all non-major dependencies",
      "groupSlug": "all-minor-patch",
      "labels": ["dependencies"],
      "automerge": true
    },
    {
      "matchPackagePatterns": ["*"],
      "matchUpdateTypes": ["major"],
      "labels": ["dependencies", "breaking"],
      "automerge": false
    }
  ]
}
```
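Because the safety of this setup rests on a few settings working together (the 7-day wait only holds back PRs when `internalChecksFilter` is `strict`, and automerge must never apply to major updates), it is worth having a small check that fails loudly if someone edits the config and breaks one of those rules. The following Python checker is an added example, not part of the post or of Renovate; it reads the config as plain JSON and only looks at the keys used above, with a compacted copy of that config embedded as constructed sample input.

```python
import json

# Constructed sample: a compacted copy of the renovate.json from the post.
SAMPLE_CONFIG = """{
  "extends": ["config:base"], "stabilityDays": 7, "prCreation": "not-pending",
  "internalChecksFilter": "strict", "schedule": ["before 5am on Monday"],
  "packageRules": [
    {"matchPackagePatterns": ["*"], "matchUpdateTypes": ["minor", "patch"],
     "groupName": "all non-major dependencies", "automerge": true},
    {"matchPackagePatterns": ["*"], "matchUpdateTypes": ["major"], "automerge": false}
  ]
}"""

MIN_STABILITY_DAYS = 7  # the post's "wait a week before installing" rule


def check_policy(config_text: str) -> list[str]:
    """Return the workflow rules the config violates (an empty list means it passes)."""
    cfg = json.loads(config_text)
    problems = []
    # Rule: never install a release younger than a week (cooling-off period for
    # compromised releases to be noticed and pulled).
    if cfg.get("stabilityDays", 0) < MIN_STABILITY_DAYS:
        problems.append(f"stabilityDays must be >= {MIN_STABILITY_DAYS}")
    # Rule: the stability check must actually block PRs, not merely warn.
    if cfg.get("internalChecksFilter") != "strict":
        problems.append("internalChecksFilter must be 'strict' so stabilityDays holds back PRs")
    # Rule: updates are batched on a schedule instead of arriving daily.
    if not cfg.get("schedule"):
        problems.append("no schedule set; PRs would be opened as soon as updates appear")
    grouped_non_major = False
    for rule in cfg.get("packageRules", []):
        types = set(rule.get("matchUpdateTypes", []))
        # Rule: major updates are reviewed by a human, never automerged.
        if "major" in types and rule.get("automerge"):
            problems.append("major updates must not be automerged")
        # Rule: minor/patch updates land as one grouped PR.
        if types and types <= {"minor", "patch"} and rule.get("groupName"):
            grouped_non_major = True
    if not grouped_non_major:
        problems.append("minor/patch updates are not grouped into one PR")
    return problems


if __name__ == "__main__":
    print(check_policy(SAMPLE_CONFIG) or "config follows the workflow")
```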
I don't enable automatic merge on important projects I actively work on. On those projects it's worth it for me to quickly go through non-breaking dependency updates and merge them manually if they're okay.
Conclusion
After committing the updated `renovate.json` settings, your automated dependency updater is complete.
You now have an automated, worry-free approach to managing your project dependencies. This is how it plays out:
- An update for a package comes out
- Every Monday morning, new updates get applied in a new pull request
- Your automated test suite for pull requests runs
- If all tests pass, non-breaking changes get automatically merged into `main`
- The changes get automatically deployed to production
Top comments (2)
I'm trying it out right now. Thanks for posting.
What's your experience so far with the quality of the pull requests? How are they better than Dependabot's?
They're better because I have more control over how they should be. For example, I group minor updates and have the option to automerge them if tests pass.