
Julien Tanay

Posted on • Originally published at julientanay.com

Keep your dependencies up to date with Renovate and GitHub Actions

With a little help from Renovate and the powerful GitHub Actions, it's becoming really easy to keep your dependencies up to date automatically. Let's see how we can easily set up an automated workflow to handle this for us, for free!

Renovate all the things

In a few words: Renovate automatically keeps your dependencies up to date by regularly checking for available updates and opening PRs on your repository, using all your already available CI mechanisms.

Seems great, right? Let's see how it works:

The first time you run it, it will try to detect which language you use, or if you have a Dockerfile, and so on. It will then create a PR with an initial configuration (in a renovate.json) so you can get started quickly.

Then, it will open PRs with updated dependencies. If you have a CI system testing your PRs, you will quickly see whether the proposed changes pass the tests or not. If everything is green, you can safely merge the PR! You can even tell Renovate to automatically merge the PR if all tests pass the next time it scans your repository.

Of course, you can fine-tune Renovate's behavior, e.g. to auto-merge patch updates only, or to completely ignore major updates, etc. But we won't cover that now :).

Rolling... Actions!

GitHub Actions is a great tool to automate repetitive tasks on your repository, like PR triage or small review tasks -- it can also act like a complete CI solution (that's what we do at Dior.com!). Plus, it comes with a generous free plan!

First, we need to give Renovate some permissions to "scan" your repository.

Go to Settings > Developer settings > Personal access tokens and create a Personal Access Token (PAT) with the repo scope.

Now, add it to your repository's secrets.

Now, simply create a file in .github/workflows:

on:
  schedule:
    - cron: "0 8 * * *"
name: Daily Jobs
jobs:
  renovate:
    name: Renovate
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@master
      - name: Run Renovate
        uses: docker://renovate/renovate:19.133-slim
        env:
          RENOVATE_REPOSITORIES: <owner/repository-name>
          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
          RENOVATE_AUTOMERGE: true # optional, see below

Here we are defining a simple workflow triggered periodically by GitHub Actions. It contains one job which does the following actions:

  1. Clone your repository
  2. Run Renovate

Simple, right? We are just passing your newly created PAT and your repository's name. Remember to always pin the versions (tags, actually) of the Docker images you use, especially if it's a public one. You really want to avoid bad surprises if something gets broken some day.
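To check the pinning advice above across a whole workflow file, here is a small audit script, added as an example and not part of the original post or of Renovate. It classifies each `uses:` reference as immutable (commit SHA or image digest, which cannot be moved by the publisher), tag (versioned but movable) or floating (a branch, `latest`, or no version at all); the names `classify`, `audit` and `SAMPLE` and the two `example` references are assumptions, and the version-tag test is a heuristic.

```python
import re

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
SHA1 = re.compile(r"[0-9a-f]{40}")          # full git commit SHA
DIGEST = re.compile(r"sha256:[0-9a-f]{64}")  # image content digest
VERSION = re.compile(r"v?\d+(\.\d+)*")       # heuristic: looks like a release tag

def classify(ref):
    """Return 'local', 'immutable', 'tag' or 'floating' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        name, _, digest = ref[len("docker://"):].partition("@")
        if digest:
            return "immutable" if DIGEST.fullmatch(digest) else "floating"
        # A colon after the last slash is a tag; before it, a registry port.
        tag = name.rsplit("/", 1)[-1].partition(":")[2]
        return "floating" if tag in ("", "latest") else "tag"
    gitref = ref.partition("@")[2]
    if SHA1.fullmatch(gitref):
        return "immutable"
    if VERSION.fullmatch(gitref):
        return "tag"
    return "floating"  # branch name such as master, or no ref at all

def audit(workflow_text):
    """Return (line number, reference, verdict) for every `uses:` line."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES.match(line)
        if m:
            findings.append((lineno, m.group(1), classify(m.group(1))))
    return findings

# Constructed sample: the two references from this post's workflow, plus two
# hypothetical pinned references (example-org / example) for comparison.
SAMPLE = "\n".join([
    "steps:",
    "  - name: Checkout",
    "    uses: actions/checkout@master",
    "  - name: Run Renovate",
    "    uses: docker://renovate/renovate:19.133-slim",
    "  - uses: example-org/example-action@" + "0123456789abcdef" * 2 + "01234567",
    "  - uses: docker://example/image@sha256:" + "ab" * 32,
])

if __name__ == "__main__":
    for lineno, ref, verdict in audit(SAMPLE):
        print(f"line {lineno}: {verdict:9} {ref}")
```

Run against the workflow in this post, it reports the Renovate image as tag-pinned and the checkout action as floating, since `master` is a branch.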

You can add as many environment variables as you want; check the Renovate Self-Hosted Configuration Docs for the complete variables list.

Now, GitHub Actions will take care of running this job every day at 8 AM (feel free to customize the schedule option at will).

That was quick, right? What do you think?

Top comments (2)

Finn Wright

How does Renovate stack up against its competitors, e.g. Dependabot?

Julien Tanay

Renovate can be used for all your dependency updates, not just security-impacted ones.
