
Introduction

In software development, dependency management plays a pivotal role in project stability, security and overall maintainability. In this technical blog post, we will look at Mend Renovate, an open-source tool designed to automate and optimize the management of project dependencies. Mend Renovate is a dependency update tool that integrates with version control platforms such as GitHub, GitLab, Bitbucket, Azure and AWS, among others. Its core functionality is automating the process of keeping dependencies up to date, which relieves the development team of manual intervention and improves the efficiency of the development workflow.

What problem does Renovate solve?

As a software engineer, you frequently have to balance competing priorities. On one hand, you must ensure the availability and security of your existing applications; on the other, you have to deliver major, interesting and compelling features to end users. Given the constraints of time and resources, updating older projects to the latest software versions is often not perceived as a top priority. This usually leads to postponement until a major framework or dependency reaches its end of life (EOL), at which point it suddenly becomes the top priority for all stakeholders involved. On top of that come technical debt, serious security vulnerabilities in dependencies, and varying levels of confidence in CI/CD knowledge. The way out is to automate these updates. Renovate analyzes the repository and detects the dependencies used in the project, based on the dependency managers it supports, such as Maven, Gradle, npm and hundreds of others. It then opens PRs for the available updates.

Setup

You can set up Renovate as:

Below, we will focus on the Mend Renovate App.

If GitHub is your version control platform of choice, the setup process is straightforward: simply enable the GitHub Renovate app for your repository.

Initial Setup Steps

Log in to GitHub and fork the Mend Renovate App repository. Then select Install and proceed by configuring the repository. For beginners, it is probably best to go gradually and add Renovate only to a particular repository, not to all repositories of your organization. Once you have built confidence and experience, this can be extended. If you have successfully linked Renovate, you should now have access to the Developer portal.

Onboarding Process

The first onboarding PR is raised by Renovate automatically. Its purpose is to help you understand the tool and check the default settings it provides before Renovate actually starts acting on your projects. It lists all package files detected, the default settings that are going to be applied, which dependency updates it will create, etc.

Here is an example of a basic renovate.json configuration, which is placed in the root folder of the project.

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:base"
  ]
}

Understanding Renovate Updates

Review of Basic Concepts

Each update PR contains information about the upcoming change, including the new version of the dependency. Then there are the confidence badges, which show at a glance what you are about to update if you approve the PR. The confidence badges consist of:

  • AGE (age of the package release)
  • ADOPTION (percentage of Renovate users who are also using this release)
  • PASSING (percentage of updates for the package that have passing tests)
  • CONFIDENCE (the level of confidence for this update)

This feature is enabled by Renovate by default, and if you don't want a visual representation of these badges, they can be removed in the Renovate config by applying:

{
  "ignorePresets": ["mergeConfidence:all-badges"]
}

Dependency Dashboard

This feature is provided by Renovate for monitoring all Renovate-based activity on the repository. It includes:

  • OPEN PR
  • Rate Limited
  • Pending Approvals
  • Awaiting Schedule
  • Pending Status Checks
  • List of all detected dependencies and package managers

This becomes quite useful when, for instance, there are major version updates and we want to require manual approval of such PRs from the dashboard, rather than letting the tool create and merge such changes unattended.
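As an added example (not taken from the original post), the following renovate.json turns the behaviour just described into configuration: the dashboard is enabled, and every major update is held in the dashboard's "Pending Approvals" section until a maintainer ticks its checkbox, instead of becoming a PR straight away. dependencyDashboard, dependencyDashboardApproval and vulnerabilityAlerts are documented Renovate options; the vulnerabilityAlerts block only labels the PRs Renovate opens for dependencies with a known vulnerability alert (available when the platform exposes such alerts to the app, e.g. GitHub), so that security fixes can be told apart from routine updates when reviewing the dashboard.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base"],
  "dependencyDashboard": true,
  "packageRules": [
    {
      "description": "Major updates are only turned into PRs after a maintainer approves them on the Dependency Dashboard",
      "matchUpdateTypes": ["major"],
      "dependencyDashboardApproval": true
    }
  ],
  "vulnerabilityAlerts": {
    "labels": ["security"]
  }
}
```

With this in place, minor and patch updates still flow as normal PRs, while a major bump of, say, a web framework waits in the dashboard list until someone consciously opts in to the change.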

Running Renovate on GitLab

Setup and configuration

You have two options to initiate the process:

For the latter option, you need to create a dedicated project in GitLab, which is nothing more than a GitLab runner for Renovate. So this approach requires creating a separate GitLab project.

Implementation Steps

  1. Create a new project to host the runner
  2. Configure the credentials
  3. Add the GitLab access token and RENOVATE_TOKEN to the CI/CD variables
  4. Create the yml file for the repository
  5. Set up the scheduler in CI/CD -> Schedules

The .gitlab-ci.yml of the runner project includes the official Renovate runner template:

include:
  - project: 'renovate-bot/renovate-runner'
    file: '/templates/renovate.gitlab-ci.yml'

The Renovate configuration itself is a JavaScript config file (config.js) in the same project:

module.exports = {
  labels: ["dependencies"],
  hostRules: [
    {
      // credentials for the GitLab Maven registry, read from a CI/CD variable
      hostType: 'maven',
      matchHost: 'gitlab.com',
      token: process.env.RENOVATE_TOKEN
    }
  ],
  includeForks: true,
  platformAutomerge: true,
  packageRules: [
    {
      description: "Auto merge small changes as per https://docs.renovatebot.com/configuration-options/#automerge",
      matchUpdateTypes: ["patch", "pin", "digest"],
      automerge: true
    }
  ]
};

According to the official Renovate documentation, it is recommended to "activate automerge for any dependency update that you would typically merge manually. Every time you select Merge on a Renovate PR without manually testing it, you should consider if you can enable automerge and save yourself the time in future."

Another good practice is to configure the prCreation option to "status-success". Branches with unsuccessful tests will persist in Git and be updated as required, and Renovate will create a pull request only after the tests have completed successfully.
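The two practices above combined, as an added renovate.json example that is not part of the original post: prCreation is set to "status-success" so that a human never sees a PR whose checks have not passed yet, low-risk update types are automerged once their branch is green, and anything larger still goes through review. prCreation, matchUpdateTypes and automerge are documented Renovate options; the description fields are free text, used the same way as in the config.js above.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base"],
  "prCreation": "status-success",
  "packageRules": [
    {
      "description": "Patch, pin and digest updates: merge automatically once the branch's status checks succeed",
      "matchUpdateTypes": ["patch", "pin", "digest"],
      "automerge": true
    },
    {
      "description": "Minor and major updates stay manual; the PR is still only opened after status checks succeed",
      "matchUpdateTypes": ["minor", "major"],
      "automerge": false
    }
  ]
}
```

Because automerge only ever fires after the branch's checks have passed, the value of this setup depends entirely on the CI pipeline actually exercising the updated dependency; a pipeline that does not run tests would wave every patch update through.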

Known limitations

Schedule Execution

When a user sets up a schedule in their repository configuration, there might be a misconception that this schedule directly dictates when Renovate executes. In reality, Renovate might run regularly but refrain from applying updates to the repository if the specified schedule conditions are not met. Moreover, the Renovate administrator may have established a separate schedule for the bot itself, or external factors such as a lengthy job queue might prevent Renovate from running within a particular scheduled time window for your repository.
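To make the distinction concrete, here is an added renovate.json example (not from the original post) with a repository-level schedule. schedule and timezone are documented Renovate options, and the time expressions are the ones used in the Renovate documentation. This configuration only gates when Renovate is allowed to create or update branches for this repository; when the bot process itself runs is decided elsewhere, for example by the CI/CD -> Schedules entry of the GitLab runner project described above.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base"],
  "timezone": "Europe/Berlin",
  "schedule": [
    "after 10pm every weekday",
    "before 5am every weekday",
    "every weekend"
  ]
}
```

If the administrator's cron only triggers the runner at noon on weekdays, this repository will never receive updates, even though both schedules look valid on their own.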

Branch Merging

Renovate automatically merges at most one branch in each run. This restriction comes from the fact that Renovate's view of the dependencies and branch state is established at the start of the run, based on the content of the base branch. If a branch is merged into the base branch during Renovate's run, whether by other users or otherwise, there is a possibility of Git conflicts among the remaining Renovate branches. Additionally, the merge renders Renovate's understanding of the dependencies in the base branch obsolete, potentially requiring adjustments in other branches because of it.

Conclusion

As the volume of software within your organization grows, investing in automation becomes the pivotal strategy for sustaining it. Renovate can serve as one of the essential tools within your CI/CD toolchain, so try it out!
