Renovate is a bot/app for (not only) GitHub that can take care of tons of languages and package/dependency managers that point to external dependencies in your repository and keep them updated, while still being very flexible in how exactly to do that.
To avoid repeating the same configuration options, including the `packageRules` we prefer to use in all our repositories, this repo provides shared config presets.
- Head over to https://github.com/bettermarks/renovate-config/actions/workflows/init.yml
- Click "Run workflow" and fill in the questions:
  - keep the `main` branch, it's for the files in this repository
  - enter the name of the repo you want to configure
  - pick the other options according to the needs of your repository
  - consider your automerge strategy
- Click on the green "Run workflow" button (you might need to scroll)
- Count to 5 and the new workflow run will appear on the screen
- Wait for it to finish
- It will produce a summary that provides you a link to a PR with the config added:
  - `renovate.json`: the config file for the GitHub App
  - `renovate-config-validator.yml`: a GitHub workflow that validates `renovate.json` whenever it is changed (like in the PR that was just created)
  - `.npmrc`: in case the `javascript` option was selected, to save exact versions in `package.json` files
- You can now tweak the PR if you like (even by rerunning the workflow with different options, if you enable "override files")
- Once it has been approved and merged, Renovate will
  - create the dependency dashboard GitHub issue (where you can check a box to create any update PR right away)
  - start creating dependency PRs (only outside of office hours)
- Add the repo to be configured for the Renovate integration (that page contains helpful information, and you need to scroll to the bottom of the page to configure the repositories).
- Wait for the onboarding PR to be created. If your repository is part of the GitHub bettermarks org, the `default` config in this repo will be applied automatically. You can add any of the more language-specific presets (e.g. by adding `:javascript` or `:python`). If you previously used a different bot or tool to update dependencies, you can also use this PR to drop related config files or documentation.
- Using the onboarding PR to tweak your `renovate.json` config file in that branch by adding specific `packageRules` or configurations is very convenient, since it will update the PR description to give you a preview of what it will do. For more help read the docs.
- Merge the onboarding PR once the provided preview matches your expectations.
- (Optionally) Visit the dependency dashboard issue and check if there are any dependencies that you want to update right away by clicking the related checkbox.
In the `renovate.json` of your repository add the preset you want to apply:

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["github>bettermarks/renovate-config:PRESET"]
}
```

where PRESET is the name of one of the presets (the `.json` files in this repository, referenced without the extension).
Remember that you can still customize your configuration when some defaults don't work for you, by either adding more presets to `extends` or configuring/adding `packageRules` afterwards.
To make sure config changes do not only fail when landing on the default branch, you have two options:
- Use the init workflow (even if you have already configured Renovate); it will copy the `renovate-config-validator` workflow into your repository so every config change will be validated.
- Check out this repository and run the `validate.sh` script locally (requires nvm):
  - either from this repository: `./validate.sh path/to/renovate.json`
  - or from the repository you care about containing `renovate.json`: `../renovate-config/validate.sh`
For dependency updates that have automerge enabled, Renovate will enable (GitHub) automerge for the PR.
PRs that are created by Renovate and have automerge enabled might be approved automatically!
This means that when all checks pass and there is an approving review, the PR will land right away. (If it is outdated, Renovate will update it outside office hours, and it will be merged when the checks still pass.) It is of course possible to manually enable automerge on any GitHub PR.
If a repository doesn't have enough checks in place to verify dependency updates, you should not enable the automerge option.
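As an added example (not a file from this repository), here is what a repository-level `renovate.json` that consumes the `javascript` preset described on this page and opts into automerge for a narrow slice of updates could look like. The preset reference is the one this page documents; the `packageRules` entry uses standard Renovate options (`matchDepTypes`, `matchUpdateTypes`, `automerge`, `description`) and is an assumption about one sensible repository-level policy, not part of any preset. Automerge only lands a PR after the repository's own required checks pass, so this is only appropriate in a repository whose CI actually exercises its dependencies:

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["github>bettermarks/renovate-config:javascript"],
  "packageRules": [
    {
      "description": "Example policy: automerge only patch updates of devDependencies; production dependencies and larger bumps still need a human review",
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["patch"],
      "automerge": true
    },
    {
      "description": "Example policy: never automerge major updates, even if another preset enables it",
      "matchUpdateTypes": ["major"],
      "automerge": false
    }
  ]
}
```

Later entries in `packageRules` override earlier ones for the packages they match, so ordering the broad rule first and the restrictive one last keeps the restrictive rule in force. Run `validate.sh` (see above) on the result before merging it, since a typo in a rule key is silently ignored by Renovate rather than reported.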
It contains only language-independent defaults that we want to apply to all repositories.
To change this config, coordinate and announce the changes with @bettermarks/dev!
It is the only preset that doesn't need to be named when using it:
```json
{
  "extends": ["github>bettermarks/renovate-config"]
}
```

It includes the following presets:
- `config:recommended`: just making the defaults explicit
- `:automergeDisabled`: it is only known in a repository what to enable automerge for
- `:ignoreUnstable`: only update unstable dependencies, but do not update from stable to unstable
- `:prImmediately`: create branch and PR at the same time; we usually do not run any checks on a branch without a PR
- `:separateMajorReleases` (from minor releases)
- `:separateMultipleMajorReleases`: when there are multiple, we can decide to go one by one or all at once
- `timezone`: sets it to our Berlin timezone
and it configures the following:

```json
{
  "dependencyDashboard": true,
  "dependencyDashboardTitle": "Dependencies Dashboard (Renovate Bot)",
  "dependencyDashboardHeader": "points to the used shared config file documentation",
  "dependencyDashboardOSVVulnerabilitySummary": "unresolved"
}
```

Rules for reducing noise:
Only automatically create one PR per hour and only during office hours (8-20 Berlin time), so that all checks are able to pass. Create the PR right away instead of only creating branches. Create up to 3 security updates in parallel during working hours. All major version bumps need to be triggered manually from the dependency dashboard.
```json
{
  "internalChecksFilter": "strict",
  "prConcurrentLimit": 1,
  "prHourlyLimit": 1,
  "updateNotScheduled": false,
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "schedule": ["* 8-20 * * 1-5"],
    "prConcurrentLimit": 3
  },
  "packageRules": [
    {
      "matchUpdateTypes": ["major"],
      "dependencyDashboardApproval": true
    }
  ],
  "timezone": "Europe/Berlin",
  "schedule": ["* 8-20 * * 1-5"]
}
```

By default, committing to a branch created by Renovate will mark the PR as "manually edited", which disables automatic updates by Renovate.
In order to apply patches or do some other post-Renovate updates, we can push commits authored as bmdevops@bettermarks.com to the branch without entering this mode.
Example: running `pnpm install --no-frozen-lockfile` in order to restore the `pnpmfileChecksum` in `pnpm-lock.yaml`, which is stripped out by Renovate updates.
```json
{
  "gitIgnoredAuthors": ["bmdevops@bettermarks.com"]
}
```

Adds some rules we generally apply in JavaScript-related repositories.
```json
{
  "extends": ["github>bettermarks/renovate-config:javascript"]
}
```

It includes the following presets:
- the default config from this repository
- `:pinAllExceptPeerDependencies`
- `:maintainLockFilesMonthly`
and it configures the following:
- PRs to pin versions have the highest priority (10).
- Disable updates for major NodeJS versions and the `@types/node` package, and prevent pinning to a specific NodeJS version.
- Configure a `minimumReleaseAge` of 3 days for regular updates of npm packages, while still allowing immediate PR creation (docs, related discussion thread).
- Keep semver ranges in the `resolutions` field used by yarn, in `overrides` and in `engines`.
- Update packages from the `@bettermarks/` scope or that start with `bm-` with higher priority (5) than other dependencies, without waiting for 3 days and with automerge, and allow 3 of them per hour.
- Group packages from bettermarks monorepos that publish multiple packages into a single PR.
- Update the `typescript` dependency with higher priority (2) than other dependencies. Create separate PRs for patch and minor and for multiple minor version upgrades, since it introduces breaking changes in minor versions.
- Keep the major version of `@types/jest` in sync with the major version of `jest`.
- Group infra-as-code packages (aws, cdk8s, cdktf, hashicorp) into a single group and schedule their updates during working hours with a priority of 1.
- Update packages from the `@types/*` scope with lower priority (-5) than other dependencies and disable `npm:unpublishSafe`.
- Link to this section in the readme from the dependency dashboard, mentioning that PRs might be merged automatically if configured that way.
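The list above describes the rules in prose only. The following is an added illustration, written for this page and not the contents of the `javascript` preset itself, of how a handful of those rules are expressed with standard Renovate `packageRules` options (`matchManagers`, `matchPackageNames`, `minimumReleaseAge`, `prPriority`, `separateMinorPatch`, `separateMultipleMinor`, `groupName`, `schedule`). The concrete package name patterns (the `cdk8s`/`cdktf`/`aws-cdk` names, the `bm-` and `@bettermarks/` prefixes) are assumptions based on the descriptions above; glob patterns in `matchPackageNames` require a Renovate version that supports them:

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "packageRules": [
    {
      "description": "Regular npm updates wait 3 days before they are proposed",
      "matchManagers": ["npm"],
      "minimumReleaseAge": "3 days"
    },
    {
      "description": "Own packages: priority 5, no waiting period, automerge (assumed name patterns)",
      "matchPackageNames": ["@bettermarks/**", "bm-**"],
      "prPriority": 5,
      "minimumReleaseAge": null,
      "automerge": true
    },
    {
      "description": "typescript breaks in minor releases: priority 2, separate patch/minor PRs, one PR per minor",
      "matchPackageNames": ["typescript"],
      "prPriority": 2,
      "separateMinorPatch": true,
      "separateMultipleMinor": true
    },
    {
      "description": "Infra-as-code packages in one PR, during working hours, priority 1 (assumed package names)",
      "matchPackageNames": ["aws-cdk-lib", "@aws-cdk/**", "cdk8s**", "cdktf**", "@cdktf/**"],
      "groupName": "infrastructure as code",
      "schedule": ["* 8-20 * * 1-5"],
      "prPriority": 1
    },
    {
      "description": "Type stub packages are low priority",
      "matchPackageNames": ["@types/**"],
      "prPriority": -5
    }
  ]
}
```

Two details worth knowing when writing rules like these: `minimumReleaseAge: null` resets a value set by an earlier rule or preset, which is how a package can be exempted from the 3-day wait without touching the global rule, and since later rules override earlier ones for the packages they match, the `@types/**` rule still inherits the 3-day `minimumReleaseAge` from the first rule because it does not reset it.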
Be aware that there is the config preset `config:js-app`, which you will not need since it's already part of this one; but you might want to use `config:js-lib` instead, or just apply `:pinOnlyDevDependencies` after this preset.
A very common thing is to add `:automergePatch` to `extends`, but this needs to happen on the repository level, since we cannot be sure that test coverage is good enough in every repo. And since GitHub now offers the option to enable automerge per PR when it's ready, there might not even be a need for it.
There is currently only limited / "alpha level" support for Python using pip-compile.
This configuration is currently only used in a small number of Python projects, so it may need modifications. You can test it in bettermarks/renovate-config-test-pip-compile by modifying the dependency files and the Renovate config in order to see what updates Renovate produces.
```json
{
  "extends": ["github>bettermarks/renovate-config:python"]
}
```

It includes the following presets:
- the default config from this repository
and it configures the following:
- Enables the pip-compile manager (and disables the pip_requirements and pip_setup managers, since we don't use those)
If you found a config that works for you, please consider updating this one after testing it in bettermarks/renovate-config-test-pip-compile.
You can override all of this per repo!
It is very likely (especially for `uv pip compile`, which doesn't include the Python version in the header) that you want to specify the Python version in the config:
```json
"constraints": {
  "python": "==3.9"
},
```
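For context, here is an added example (not a file from this repository or from the test repository) of a complete repository-level `renovate.json` for a pip-compile project that extends the `python` preset from this page and places the `constraints` fragment above in its position. The `pip-compile.fileMatch` entry is an assumption: Renovate's pip-compile manager needs to be told which compiled output files to look at, and it then reads the `pip-compile`/`uv pip compile` header in those files to find the input file. Newer Renovate releases renamed `fileMatch` to `managerFilePatterns`; the validator will report which key your Renovate version expects. The `==3.9` value is the one used on this page:

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["github>bettermarks/renovate-config:python"],
  "pip-compile": {
    "fileMatch": ["(^|/)requirements\\.txt$"]
  },
  "constraints": {
    "python": "==3.9"
  }
}
```

Pinning the Python version in `constraints` matters for correctness, not just convenience: without it Renovate may resolve a newer release of a package that has already dropped support for the interpreter the project actually runs on, and the resulting lock file would only fail at install time.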