Renovate is a great tool to know about. For Go, you can keep modules updated automatically, but still leverage a pull request review process to allow automated checks to run before allowing the update.
This is particularly useful with Terraform dependencies, which I consider notoriously difficult to keep updated. Instead of needing to use ranges for modules, you can start specifying exact versions and this GitHub app will automatically check for updates periodically and submit version bumps.
Why? You can have a Terraform plan previewed and checked for any errors on a new version update with no work. This means your blast radius on updates would be reduced as you are staying up to date and previewing each update as it's available.
No more 5 months of updates and figuring out what went wrong π
Here's an example json config that shows how to allow automerging, while respecting minor/major version updates not enabling automerge.
Note that you'd want to install the auto-approver app they document in the marketplace if you have pull request reviews required.
In addition, if you use CODEOWNERS file, this will still block automerge. Consider removing that if you aren't really leveraging it.
| --- | |
| name: renovate-$(Build.Reason)-$(SourceBranchName)-$(Date:yyyyMMdd)-$(Rev:.r) | |
| pool: | |
| name: Azure Pipelines | |
| vmImage: ubuntu-latest | |
| trigger: none | |
| schedules: | |
| - cron: 0 07 * * Mon,Wed,Fri # Build every Monday, Wednesday, and Friday at 7am | |
| displayName: MonWedFri7am # friendly name given to a specific schedule | |
| branches: | |
| include: [main] # [ string ] # which branches the schedule applies to | |
| # exclude: [ string ] # which branches to exclude from the schedule | |
| always: true # whether to always run the pipeline or only if there have been source code changes since the last successful scheduled run. The default is false. | |
| variables: | |
| - name: LOG_LEVEL | |
| value: debug | |
| - name: System.Debug | |
| value: true | |
| - group: renovate # configure a library group and include `GITHUB_COM_TOKEN` in it. This needs _NO_ permissions as it's just using the public api for queries and auth avoids api token issues | |
| steps: | |
| - task: geeklearningio.gl-vsts-tasks-yarn.yarn-installer-task.YarnInstaller@3 | |
| displayName: Use Yarn 1.x | |
| - task: NodeTool@0 | |
| displayName: Use Node 14.15.4 | |
| inputs: | |
| versionSpec: 14.15.4 | |
| # install this task from: https://marketplace.visualstudio.com/items?itemName=jyc.vsts-extensions-renovate-me | |
| - task: RenovateMe@0 | |
| displayName: Renovate | |
| inputs: | |
| renovateOptionsVersion: latest | |
| renovateOptionsArgs: --host-rules="[{\"domainName\":\"github.com\",\"token\":\"$(GITHUB_COM_TOKEN)\"}]" | |
| env: | |
| GITHUB_COM_TOKEN: $(GITHUB_COM_TOKEN) |
| { | |
| "dependencyDashboard": true, | |
| "dependencyDashboardAutoclose": true, | |
| "assignAutomerge": true, | |
| "reviewersFromCodeOwners": true, | |
| "semanticCommitType": true, | |
| "rebaseWhen": "behind-base-branch", | |
| "prCreation": "not-pending", | |
| "stabilityDays": 14, | |
| "gomod": { | |
| "enabled": true | |
| }, | |
| "docker": { | |
| "enabled": true | |
| }, | |
| "vulnerabilityAlerts": { | |
| "enabled": true, | |
| "labels": [ | |
| "security" | |
| ] | |
| }, | |
| "extends": [ | |
| "schedule:earlyMondays" | |
| ], | |
| "packageRules": [ | |
| { | |
| "updateTypes": [ | |
| "patch" | |
| ], | |
| "automerge": true | |
| } | |
| ], | |
| "assignees": [ | |
| "sheldonhull" | |
| ] | |
| } |
Top comments (0)