Shunsuke Suzuki

Tips about Renovate

In this post, I introduce some tips about Renovate.

Assign reviewers

https://docs.renovatebot.com/configuration-options/#reviewers

Assigning reviewers prevents pull requests from being left unattended.
You can assign GitHub users and teams.
On the other hand, if pull requests are merged automatically, assigning reviewers is not a good idea because it is noisy.

Restrict targets

By default, all Managers are enabled.
If you want to update only the packages handled by specific Managers, configure enableManagers.
If you want to update only specific files, includePaths is useful.
If you want to exclude some files, ignorePaths is also useful.
These options are especially helpful when you want to update packages for a specific service in a monorepo.

Automerge

automerge drastically decreases the burden of handling Renovate's pull requests.
You should use automerge actively.
On the other hand, in some cases automerge isn't desirable, so you have to restrict the targets of automerge.
For example, it is good to exclude major updates.

    {
      "packageRules": [
        {
          "matchUpdateTypes": ["major"],
          "automerge": false
        }
      ]
    }

renovate-approve app

If at least one approval is required to merge pull requests, the GitHub App renovate-approve would be useful.

Automerge safely

In Terraform CI/CD, it is dangerous to merge pull requests automatically even if CI passes,
because unexpected changes may be applied.
You can prevent unexpected changes by making CI fail when the pull request author is renovate[bot] and the exit code of terraform plan -detailed-exitcode is 2, which means the plan contains changes.
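
One way to implement the check described above, as an added example that is not code from the original post. The function names and the PR_AUTHOR environment variable are assumptions: the CI job has to export PR_AUTHOR with the pull request author's login. Failing on plan errors for every author is also a choice made here.

```shell
#!/bin/sh
# Added example: CI gate for Renovate pull requests in a Terraform repository.
# Assumption: the CI job exports PR_AUTHOR with the pull request author's login.

# plan_gate AUTHOR PLAN_EXIT
# PLAN_EXIT is the exit code of `terraform plan -detailed-exitcode`:
#   0 = no changes, 1 = error, 2 = the plan contains changes.
# Returns non-zero when CI must fail.
plan_gate() {
  author=$1
  plan_exit=$2
  case "$plan_exit" in
    0) return 0 ;;
    2)
      if [ "$author" = "renovate[bot]" ]; then
        echo "Renovate PR changes infrastructure; failing CI to block automerge" >&2
        return 1
      fi
      # A human-authored PR with changes is left to normal review.
      return 0 ;;
    *)
      echo "terraform plan failed with exit code $plan_exit" >&2
      return 1 ;;
  esac
}

# run_plan_gate AUTHOR [extra `terraform plan` arguments]
# Runs the plan in the current directory and applies plan_gate to the result.
run_plan_gate() {
  author=$1
  shift
  plan_exit=0
  terraform plan -detailed-exitcode -input=false "$@" || plan_exit=$?
  plan_gate "$author" "$plan_exit"
}

# Runs only when the CI job has set PR_AUTHOR (assumed variable name).
if [ -n "${PR_AUTHOR:-}" ]; then
  run_plan_gate "$PR_AUTHOR"
fi
```

With this gate, a Renovate pull request is automerged only when the plan is empty; a pull request whose plan contains changes stays open with a failed check until someone reviews it.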

Regex Manager

Renovate supports various Managers, but sometimes you want to update packages that aren't supported by any Manager.
In that case, Regex Manager is helpful.
For example, if you download tools from GitHub Releases in shell scripts, you can update the tools with Regex Manager.

    version=v0.7.2 # renovate: depName=suzuki-shunsuke/aqua
    URL=https://github.com/suzuki-shunsuke/aqua/releases/download/${version}/aqua_linux_amd64.tar.gz
    curl --fail -L "$URL" -o aqua_linux_amd64.tar.gz

The corresponding Renovate configuration:

    {
      "regexManagers": [
        {
          "fileMatch": ["^.*\\.sh"],
          "matchStrings": ["version=(?<currentValue>.*?) # renovate: depName=(?<depName>.*?)\\n"],
          "datasourceTemplate": "github-releases"
        }
      ]
    }

For details of Regex Manager, please see the documentation.

https://docs.renovatebot.com/modules/manager/regex/

renovate-config-validator

When Renovate Configuration is updated, it should be validated with renovate-config-validator.
GitHub Actions is useful for it.

e.g. https://github.com/suzuki-shunsuke/aqua/blob/v0.7.2/.github/workflows/renovate-config-validator.yaml

Split pull requests by additionalBranchPrefix

If the same package is used by multiple services in a monorepo,
Renovate updates them in the same pull request by default.
If you want to split pull requests per service,
additionalBranchPrefix and commitMessageSuffix are useful.

For example, in a Terraform monorepo,
the following configuration lets you update Terraform Providers per service.

    {
      "packageRules": [
        {
          "managers": ["terraform"],
          "additionalBranchPrefix": "{{baseDir}}-",
          "packagePatterns": [".*"],
          "commitMessageSuffix": "({{baseDir}})"
        }
      ]
    }

About the template variables, please see https://docs.renovatebot.com/templates/

JSON5

Renovate Configuration supports JSON and JSON5.
If you want to write code comments, JSON5 is useful.
On the other hand, tools such as editors, IDEs, formatters, and linters support JSON5 less well than JSON.

Test Configuration in test repository

When you change Renovate Configuration, you can validate it with renovate-config-validator, but it is difficult to test it in CI.

I created some repositories for testing Renovate Configuration.

It is good to test Renovate Configuration before sending pull requests.

For example, please see the pull request https://github.com/renovatebot/github-action/pull/557 .
Before sending this pull request, I tested the Configuration in a test repository and described it in the pull request description.

Restrict

If you are tired of handling Renovate's pull requests, it may be good to restrict pull requests.

Add links to pull requests

Using prBodyNotes, you can add helpful links to pull requests.

For example, in case of the package ingress-nginx, I added the following links.

e.g.

    {
      "packageRules": [
        {
          "matchManagers": ["helmfile"],
          "matchPackageNames": ["ingress-nginx"],
          "prBodyNotes": [
            "[compare](https://github.com/kubernetes/ingress-nginx/compare/helm-chart-{{currentVersion}}...helm-chart-{{newVersion}}), [Changelog](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/CHANGELOG.md), [Artifact Hub](https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog)"
          ]
        }
      ]
    }

It is bothersome to configure links per package, but the links help when reviewing the pull request.

Debug

If Renovate doesn't work as expected, there are some ways to debug it.
If you use the Renovate GitHub App, you can check the log in the Renovate Dashboard.
You can also run Renovate locally.

    $ npm i -g renovate
    $ export RENOVATE_TOKEN=xxx # GitHub Access Token
    $ LOG_LEVEL=debug renovate --dry-run=true <repository>

Dependency Dashboard is also useful to find the problem.

Decrease the priority of a specific package relative to other packages

If package A is updated so frequently that other packages aren't updated,
it may be good to decrease the priority of package A.

Top comments (6)

Joshua O.

Hi Shunsuke, thanks for this. I have Renovate on a repo with test Python packages where I'm trying to add auto merge after passing checks on PR. Noticed a few things.

  1. Renovate takes configs from the default branch(main) and runs again, even though I'm editing the renovate.json file on my branch. Set the updateBranchConfig to merge, but it still takes configs from the base branch.

  2. Set renovate to bypass PR reviews, checks etc, or use the renovate-approve-app which one is better? I noticed it doesn't auto merge, the repo has reviewers.

Shunsuke Suzuki

@toni744

Hi Joshua, sorry for the late reply.

  1. In my understanding, Renovate always takes configs from the default branch. What's updateBranchConfig? I searched docs.renovatebot.com/ with the keyword updateBranchConfig, but I can't find anything.
  2. This is a difficult problem. If approvals from codeowners aren't required, renovate-approve-app is helpful. But if approvals from codeowners are required, renovate-approve-app isn't helpful. Bypassing PR reviews, checks, etc. may be dangerous in terms of security. Another option is to approve Renovate PRs by CI using a codeowner's personal access token (PAT). To manage the PAT securely, I've developed the action github.com/csm-actions/approve-pr-... .

About Renovate, the official discussion is also helpful.
github.com/renovatebot/renovate/di...

Joshua O.

Thanks for your response Shunsuke,

  1. Sorry I meant useBaseBranchConfig. You're right it always does, I find that a pain in the ass to deal with for testing.
  2. Oh that seems like a useful feature, will definitely check it out. There's also a similar renovate auto-approve bot I was looking at here github.com/renovatebot/renovate-ap... Is it any different?
  3. How do you get renovate to stop running on PRs it created itself? Running into issues with it creating unending loops.

Shunsuke Suzuki

  1. github.com/renovatebot/renovate-ap... is renovate-approve-app. This is a GitHub App, and a GitHub App can't be a codeowner. So if approvals from codeowners are required to merge pull requests, renovate-approve-app isn't helpful. github.com/csm-actions/approve-pr-... is a GitHub Action approving pull requests using PAT. It uses PAT, so pull requests can be merged by approving them if the owner of PAT is a codeowner. PAT must be managed securely. Otherwise, it can be abused. github.com/csm-actions/approve-pr-... allows you to manage PAT securely by Client/Server Model. For more details, please see github.com/csm-actions/approve-pr-... and github.com/csm-actions/docs
  2. Sorry, could you explain in more detail? Why does Renovate create PRs repeatedly?

José Díaz

Hi Shunsuke, thanks for your post.

I have some private repositories in this account: github.com/quadimai

Many repositories depend on: github.com/quadimai/Quadim-Typelib (private repository)

By default Renovate only generates PRs for public dependencies. How can I use Renovate to indicate in the other repositories when a new version exists in Quadim-Typelib?

All are java projects.

Thanks in advance for your response.

Jose

Shunsuke Suzuki

Hi Jose,
Sorry for the late reply.

This document may be helpful.
docs.renovatebot.com/getting-start...

And you can ask the question here.
github.com/renovatebot/renovate/di...