In today's fast-paced technology landscape, keeping your software up to date is essential. Whether it's updating your backend applications or your frontend application software updates can improve performance, enhance security, and provide new features.

However, manually managing software updates can be a tedious and time-consuming task, especially when you have to deal with multiple packages and dependencies.

This is where Renovate comes in - an automated software update tool that simplifies the process of managing software updates and helps developers stay up-to-date with the latest releases.

Automating boring stuff like package updates can help developers save time and reduce the risk of errors caused by manual intervention. By using automated update tools, developers can focus on more important tasks like writing code and improving functionality.

Gitlab use case

Unfortunately, GitLab users have been left out in the cold when it comes to dependable automation tools like Dependabot, which is only available on GitHub. There are some libraries built on top of dependabot-core but the release cycle doesn't seem reliable. This is where Renovate comes in as a great alternative.

Support for many packages managers and tools

Renovate is a reliable and feature-packed tool that automates software updates across multiple package managers, including npm, Docker, and Git submodules. It supports multiple languages and tools like pre-commit, Docker, and Docker Compose, and is highly configurable to suit your specific needs. The tool is designed to be highly customizable, allowing you to configure updates for specific packages, control update frequency, and apply custom version ranges.

Community and support

One of the best things about Renovate is the frequency of its releases. The tool is updated weekly with new features and bug fixes, ensuring that it stays up-to-date with the latest software releases. Additionally, the tool has an active community of developers who contribute to its development and support, providing a reliable and responsive support system for users.

Running Renovate from a Docker image

Renovate also offers a Docker image, making it easy to run as a container in your GitLab environment. By running Renovate as a Docker image, you can automatically create merge requests in GitLab, reducing the manual work required to manage software updates. The tool can be configured to run on a schedule or triggered by changes to your codebase, ensuring that your software is always up-to-date.

Gitlab Token setup

To use Renovate with GitLab, you'll need to create a GitLab group token with developer access that you can use to authenticate with Renovate. Here's how you can create a GitLab group token with developer access:

1. Log in to your GitLab account and navigate to the group or sub-group that you want to use with Renovate.

2. Click on the Settings button in the sidebar menu, and then click on Access Tokens under the Access Control section.

3. Click on the Create a token button to create a new token.

4. Enter a name and expiration date for the token, and then select the scopes that you want to grant the token. In this case, you'll want to grant the token the "API", "read_repository", and "write_repository" scopes.

5. Make sure that the "Developer" role is selected for the token's "Role" field.

6. Click on the Create personal access token button to create the token.

7. Copy the token that GitLab generates and store it somewhere secure, as you won't be able to access it again once you leave the page.

Now that you have created a GitLab group token with the necessary scopes and roles, you can use it with Renovate to automate software updates in your GitLab environment. Remember to set the token as an environment variable called RENOVATE_TOKEN when running Renovate as a Docker container, as described in the previous answer.

GitHub token // Yes also when using Gitlab

Renovate supports fetching release notes from GitHub for some package managers and languages, such as Node.js and Python. To fetch release notes, Renovate requires a GitHub personal access token with the read_only scope, which allows access to public repositories.

Here's how you can set up a GitHub token to be used only for fetching release notes:

1. Log in to your GitHub account and navigate to the "Settings" page.

2. Click on "Developer settings" in the sidebar menu, and then click on "Personal access tokens."

3. Click on the "Generate new token" button to create a new token.

4. Enter a name for the token in the "Token description" field.

5. Under the "Select scopes" section, click on the "repo" dropdown menu and select "public_repo."

6. Click on the "Generate token" button to create the token.

7. Copy the token that GitHub generates and store it somewhere secure, as you won't be able to access it again once you leave the page.

Now that you have created a GitHub token with the public_repo scope, you can use it with Renovate to fetch release notes for packages. To use the token with Renovate, you'll need to set it as an environment variable called GITHUB_TOKEN when running Renovate as a Docker container or via other deployment methods.

Running with Docker

docker run -it --rm \
  -e RENOVATE_TOKEN=${RENOVATE_TOKEN} \
  -e GITHUB_COM_TOKEN=${GITHUB_TOKEN}
  -e RENOVATE_REPOSITORIES=mygitlabgroup/gitlab-repo
  -e RENOVATE_PLATFORM=gitlab \
  renovate/renovate:latest

In the first run, Renovate will create an onboarding merge request which will create renovate.json config file.

For details about the possible configuration check out the documentation.

An example of renovate.json

{
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "labels": [
        "dependencies",
        "renovate"
    ],
    "separateMajorMinor": true,
    "pre-commit": {
        "enabled": true
    }
}

You can customize Renovate with such config, for example, to create a single MR for dev dependencies, to auto-merge specific changes, to exclude some packages by default or to assign a specific person.

To run Renovate for all repositories to which the GitLab token has access, you can run this instead of the previous command:

docker run -it --rm \
  -e RENOVATE_TOKEN=${RENOVATE_TOKEN} \
  -e GITHUB_COM_TOKEN=${GITHUB_TOKEN}
  -e RENOVATE_AUTODISCOVER=true
  -e RENOVATE_PLATFORM=gitlab \
  renovate/renovate:latest

You can run such a script in a cronjob or set it up properly in your Kubernetes cluster.

Worth mentioning

The full version of the Renovate Docker image is typically easier to use than the slim version, as it includes support for Node and uses a sidecar to provide other necessary components. You can find more information on this topic in the Running Renovate section of the official documentation.

If you have many projects and expect to Renovate to make a large number of calls, it's important to be aware of Dockerhub's rate limit, as this could impact your Dockerhub usage.

In general, running Renovate every week should be sufficient for most use cases.

If you have multiple outdated repositories, it may be easier to update them manually before starting any experimentation with Renovate.

This can help prevent an overwhelming number of Merge requests from being created, which can be difficult to manage and review. Maybe start each project type at a time until you find the best configuration (React app, Python Backend, Java application etc...)

Conclusion

In conclusion, Renovate is an excellent tool for automating software updates and keeping your software up-to-date with the latest releases.

Its support for multiple package managers, languages, and tools, along with its frequent updates and active community, make it a reliable and flexible solution for developers. By using Renovate, you can save time and reduce the risk of errors caused by manual intervention, ensuring that your software remains performant, secure, and up-to-date.