DEV Community

Robert Waffen for betadots


How to keep your Puppet modules up to date with Renovate

Managing a Puppet control repository with a growing list of dependencies can quickly become a challenge.
Keeping everything up to date manually?
That’s not just tedious — it’s also error-prone.

Modules are updated frequently, sometimes daily.
With a long list of dependencies, it’s easy to miss important updates.
And let’s be honest: humans are not exactly known for perfect consistency when it comes to repetitive tasks.

So why not let a bot handle it?

Why Renovate?

Renovate is designed to take over exactly this kind of work.
It continuously scans your repositories, detects dependency updates, and automatically creates merge requests for you — including changelogs.

Instead of manually checking versions, you simply review and merge PRs.
Much cleaner.
Much safer.

Assumptions

Before we get started, this setup assumes:

  • Your repositories are hosted on GitLab
  • You are using GitLab CI with runners
  • You can run container-based jobs

Setting Up Renovate

Create a Renovate Runner Repository

Create a dedicated repository in GitLab, for example: renovate-runner

Inside this repository, create a config.js file:

module.exports = {
  autodiscover: false,
  dependencyDashboard: true,
  // We only enable the puppet manager here
  // see all managers: https://docs.renovatebot.com/modules/manager/
  enabledManagers: ['puppet'],
  // GitLab API - update with your instance URL
  endpoint: 'https://gitlab.example.com/api/v4/',
  extends: ['config:base', ':semanticCommits', ':semanticCommitTypeAll(chore)'],
  labels: ['renovate', 'dependencies'],
  platform: 'gitlab',
  prCreation: "immediate",
  prHourlyLimit: 20,
  repositories: ['puppet/control-repo'],
  requireConfig: true,
  reviewers: ['@rwaffen'],
  token: process.env.RENOVATE_TOKEN
};

This configuration will create one merge request per dependency update.

If you prefer grouped updates, add a packageRules entry to the same module.exports object, like this:

packageRules: [
  {
    matchManagers: ["puppet"],
    groupName: "{{manager}}",
  }
]
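An added example, not part of the original post and not Renovate's own code: a pre-flight check for a config.js like the one above, meant to run before a pipeline hands it RENOVATE_TOKEN. checkConfig, the GOOD and WEAK configs and their two source snippets are constructed here; the token check reads the file text because, once loaded, an environment-sourced token and a pasted one look the same.

```javascript
// Added example (not Renovate's own code): pre-flight checks that a config.js
// like the one above should pass before a pipeline hands it RENOVATE_TOKEN.
// checkConfig, GOOD/WEAK and the two source snippets are all constructed here.
function checkConfig(cfg, source = '') {
  const findings = [];
  // A literal token in config.js lands in git history; the token must be read
  // from the (masked) CI variable, as the config above does with process.env.
  if (/\btoken\s*:\s*['"`]/.test(source)) findings.push('token is a string literal in config.js');
  if (!cfg.token) findings.push('RENOVATE_TOKEN is empty in this environment');
  // Every API call carries the token, so the endpoint must be https and the v4 API.
  if (!/^https:\/\/[^/]+\/api\/v4\/?$/.test(cfg.endpoint || '')) {
    findings.push('endpoint must be an https GitLab /api/v4 URL');
  }
  // Scope: no autodiscover, an explicit repository list, and repos that opt in.
  if (cfg.autodiscover !== false) findings.push('autodiscover must be false');
  if (!Array.isArray(cfg.repositories) || cfg.repositories.length === 0) {
    findings.push('repositories must list the control repos to scan');
  }
  if (cfg.requireConfig !== true) findings.push('requireConfig should be true');
  // A rate ceiling keeps a bad run from flooding the project with merge requests.
  if (!Number.isInteger(cfg.prHourlyLimit) || cfg.prHourlyLimit < 1) {
    findings.push('prHourlyLimit should be a positive integer');
  }
  return findings;
}

// Constructed: the shape of the config above, token taken from the environment
// (with an offline placeholder so this file also runs outside CI).
const GOOD = {
  autodiscover: false, enabledManagers: ['puppet'],
  endpoint: 'https://gitlab.example.com/api/v4/', platform: 'gitlab',
  prHourlyLimit: 20, repositories: ['puppet/control-repo'], requireConfig: true,
  token: process.env.RENOVATE_TOKEN || 'placeholder-not-a-real-token',
};
const GOOD_SOURCE = "token: process.env.RENOVATE_TOKEN";

// Constructed: a config that pastes the token in and leaves the scope wide open.
const WEAK = { autodiscover: true, endpoint: 'http://gitlab.example.com/api/v4/',
               token: 'glpat-PLACEHOLDER' };
const WEAK_SOURCE = "token: 'glpat-PLACEHOLDER'";

function auditExamples() {
  return { good: checkConfig(GOOD, GOOD_SOURCE), weak: checkConfig(WEAK, WEAK_SOURCE) };
}
console.log(auditExamples());
```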

Add GitLab CI Configuration

Create a .gitlab-ci.yml:

---
run_renovate:
  image:
    name: ghcr.io/voxpupuli/renovate:latest
    entrypoint: [""]
  resource_group: production
  script:
    - renovate $RENOVATE_EXTRA_FLAGS
  only:
    - schedules
    - triggers
    - web
  # variables:
  #   LOG_LEVEL: debug

Running Renovate

With everything in place, you can trigger a pipeline in your renovate-runner repository.

Once started, Renovate will take over and handle the full update cycle for you:

  • It launches the Renovate container
  • Authenticates using your configured token
  • Scans the defined repositories
  • Detects dependency files such as Puppetfile
  • Resolves current versions and checks for new releases or tags
  • Creates merge requests whenever updates are available

At this point, your role shifts from maintainer to reviewer:
you simply go through the generated merge requests and decide what to merge.
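An added example, not code from the post or from Renovate: a small scanner over a constructed Puppetfile that shows the two pin styles the update cycle above works with, Forge version strings and git tags, and lists the entries that carry no pinnable version at all, which is exactly the kind of thing the reviewer step still has to catch by hand. The module names and gitlab.example.com URLs in SAMPLE are made up.

```javascript
// Added example (not Renovate's own code): a minimal Puppetfile scanner that
// mirrors what the puppet manager reads, Forge version pins and git tags, and
// flags entries with nothing pinnable to bump. SAMPLE is a constructed Puppetfile.
const SAMPLE = `
forge 'https://forgeapi.puppet.com'
mod 'puppetlabs-stdlib', '9.4.1'
mod 'puppetlabs/apache', '12.0.0'
mod 'puppetlabs-concat'              # unversioned: tracks whatever is newest
mod 'profile',
  git: 'https://gitlab.example.com/puppet/profile.git',
  tag: 'v1.2.0'
mod 'role',
  :git => 'https://gitlab.example.com/puppet/role.git',
  :branch => 'main'                  # floating branch, not a version pin
`;

// Strip comments, then join statements that continue after a trailing comma.
function logicalLines(text) {
  return text.replace(/#.*$/gm, '').replace(/,\s*\n\s*/g, ', ')
    .split('\n').map((l) => l.trim()).filter(Boolean);
}

// Read `key: 'v'` or `:key => 'v'` from the option part of a mod statement.
function option(opts, key) {
  const m = opts.match(new RegExp(`(?::${key}\\s*=>|\\b${key}:)\\s*['"]([^'"]+)['"]`));
  return m ? m[1] : null;
}
// One record per `mod` entry: source, what pins it, and whether a version-bump
// bot has a concrete Forge version or git tag to move forward.
function scanPuppetfile(text) {
  const mods = [];
  for (const stmt of logicalLines(text)) {
    const head = stmt.match(/^mod\s+['"]([^'"]+)['"]\s*(?:,\s*(.*))?$/);
    if (!head) continue;
    const [, name, opts = ''] = head;
    if (option(opts, 'git')) {
      const tag = option(opts, 'tag');
      const pin = tag || option(opts, 'branch') || option(opts, 'ref');
      mods.push({ name, source: 'git', pin, updatable: Boolean(tag) });
    } else {
      const ver = opts.match(/^['"]([^'"]+)['"]$/);
      mods.push({ name, source: 'forge', pin: ver ? ver[1] : null, updatable: Boolean(ver) });
    }
  }
  return mods;
}

// Names a reviewer should look at: nothing there for an update bot to move.
const unpinned = (mods) => mods.filter((m) => !m.updatable).map((m) => m.name);
```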

To make this process truly hands-off, you should also configure a scheduled pipeline in GitLab.
This ensures Renovate runs regularly and keeps your dependencies continuously up to date — without any manual triggering.

Authentication: RENOVATE_TOKEN

Renovate requires a Personal Access Token (RENOVATE_TOKEN) to interact with your repositories.

Required permissions:

  • api
  • write_repository

It is highly recommended to create this as a group access token, so Renovate can access all relevant repositories — especially important if your Puppetfile includes Git-based modules.

Choosing the Right Container Image

Renovate provides official container images, but they come with some trade-offs:

  • Large size
  • Based on Ubuntu
  • Higher number of known vulnerabilities (CVEs)

Vox Pupuli provides a leaner alternative:

  • Smaller footprint
  • Based on Alpine
  • Significantly fewer vulnerabilities
IMAGE                                 ID             DISK USAGE   CONTENT SIZE   EXTRA
ghcr.io/renovatebot/renovate:latest   0334065a0093       1.87GB          416MB
ghcr.io/voxpupuli/renovate:latest     e354b2af781c        726MB          132MB

Vulnerability Scan (grype)

grype ghcr.io/renovatebot/renovate:latest

 ✔ Scanned for vulnerabilities     [297 vulnerability matches]
   ├── by severity: 1 critical, 10 high, 971 medium, 137 low, 15 negligible
   └── by status:   14 fixed, 1120 not-fixed, 837 ignored
grype ghcr.io/voxpupuli/renovate:latest

 ✔ Scanned for vulnerabilities     [19 vulnerability matches]
   ├── by severity: 0 critical, 15 high, 4 medium, 0 low, 0 negligible
   └── by status:   13 fixed, 6 not-fixed, 0 ignored

Final Thoughts

With Renovate in place, dependency management becomes predictable and automated.
Instead of chasing updates manually, you get a steady stream of structured merge requests — complete with context and changelogs.
In other words: less chaos, more control.
