Renovate is a bot/app for (not only) github that can take care of tons of languages and package/dependency managers that point to external dependencies in your repository and keep them updated, while still being very flexible in how to exactly do that.
To not repeat all the same configuration options including packageRules that we prefer to use in all our repositories, this repo provides a shared config presets.
- Head over to https://github.com/bettermarks/renovate-config/actions/workflows/init.yml
- click "Run workflow" and fill in the questions:
- keep the
main
branch, it's for the files in this repository - enter the name of the repo you want to configure
- pick the other options according to the needs of your repository
- consider your automerge strategy
- click on the green "Run workflow" button (you might need to scroll)
- keep the
- count to 5 and the new workflow run will appear on the screen
- wait for it to finish
- it will produce a summary that provides you a link to a PR with the config added
renovate.json
the config file for the GitHub Apprenovate-config-validator.yml
a GitHub workflow that validatesrenovate.json
whenever it is changed (like in the PR that was just created).npmrc
in case thejavascript
option was selected, to save exact versions inpackage.json
files
- you can now tweak the PR if you like (even by rerunning the workflow with different options, if you enable "override files")
- Once it has been approved and merged, renovate will
- Create the dependency dashboard GitHub issue (where you can check a box to create any update PR right away)
- start creating dependency PRs (only outside of office hours)
-
Add the repo to be configured for the renovate integration (That page contains helpful information, and you need to scroll to the bottom of the page to configure the repositories.)
-
Wait for the onboarding PR to be created.
If your repository is part of the github bettermarks org, thedefault
config in this repo will be applied automatically. You can add any of the more language specific presets (e.g. by adding:javascript
or:python
).If you previously used a different bot or tool to update dependencies, you can also use this PR to drop related config files or documentation.
-
Using the onboarding PR to tweak your
renovate.json
config file in that branch by adding specificpackageRules
or configurations is very convenient, since it will update the PR description to give you a preview of what it will do.For more help read the docs
-
Merge the onboarding pr once the provided preview matches your expectations.
-
(Optionally) Visit the dependency dashboard issue and check if there are any dependencies that you want to already update right away by clicking the related checkbox.
In the renovate.json
of your repository add the preset you want to apply:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["github>bettermarks/renovate-config:PRESET"]
}
where PRESET
is the name of one of the presets (.json
files without an extension) in this repository.
Remember that you can still customize your configuration when some defaults don't work for you by either adding more presets to extends
or configuring/adding packageRules
afterwards.
To make sure config changes do not only fail when landing on the default branch, you have two options:
-
By using the init workflow, (even if you have already configured Renovate), it will copy the renovate-config-validator workflow into you repository so every config change will be validated.
-
Check out this repository and run the
validate.sh
script locally (requires nvm):- either from this repository:
./validate.sh path/to/renovate.json
- or from the repository you care about containing
renovate.json
:../renovate-config/validate.sh
- either from this repository:
For dependency updates that have automerge
enabled, renovate will enable (GitHub) automerge for a PR.
PRs that are created by renovate and are have automerge enabled might be approved automatically!
Which means that when all checks pass and there is a approving review, the PR will land right away. (If it is outdated, Renovate will update it outside office hours, and it will be merged when the checks still pass.) It is of course possible to manually enable automerge on any GitHub PR.
If a repository doesn't have enough checks in place to verify dependency updates, you should not enable to automerge option.
It contains only language independent defaults that we want to apply to all repositories.
To change this config coordinate and announce them with @bettermarks/dev!
It is the only preset that doesn't need to be named when using it:
{
"extends": ["github>bettermarks/renovate-config"]
}
It includes the following presets:
config:recommended
just making the defaults explicit::automergeDisabled
it is only known in a repository, what to enable automerge for:ignoreUnstable
only update unstable dependencies but do not update from stable to unstable:prImmediately
create branch and PR at the same time, we usually do not run any checks on a branch without a PR:separateMajorReleases
(from minor releases):separateMultipleMajorReleases
when there are multiple, we can decide to go one by one or all at once
and it configures the following:
{
"dependencyDashboard": true,
"dependencyDashboardTitle": "Dependencies Dashboard (Renovate Bot)",
"dependencyDashboardHeader": "points to the used shared config file documentation",
"dependencyDashboardOSVVulnerabilitySummary": "unresolved"
}
Rules for reducing noise:
Only automatically create one PR at a time and only create/update PRs in the morning and evening,
which is related to the start and end of working days.
Create the PR right away when checks done by renovate (like npm:unpublishSafe
) pass
and only up to six times per hour (every 10 min).
All major version bumps need to be triggered manually from the dependency dashboard.
{
"internalChecksFilter": "strict",
"prConcurrentLimit": 1,
"prHourlyLimit": 6,
"updateNotScheduled": false,
"packageRules": [
{
"matchUpdateTypes": ["major"],
"dependencyDashboardApproval": true
}
],
"schedule": ["* 8,18-19 * * 1-5"]
}
Adds some rules we generally apply in javascript related repositories.
{
"extends": ["github>bettermarks/renovate-config:javascript"]
}
It includes the following presets:
- the default config from this repository
:pinAllExceptPeerDependencies
helpers:disableTypesNodeMajor
See further notes regarding NodeJs versions belownpm:unpublishSafe
:maintainLockFilesMonthly
and it configures the following:
- PRs to pin versions have the highest priority(10).
- Disable updates for major node versions and prevent pinning to a specific node version
- Keep semver ranges in the
resolutions
field used by yarn. - Update packages from the
@bettermarks/
scope or that start withbm-
with higher priority(5) than other dependencies and disablenpm:unpublishSafe
. - Update the
typescript
dependency with higher priority(2) than other dependencies and disablenpm:unpublishSafe
. Create separate PRs for patch and minor and multiple minor version upgrades, since they introduce breaking changes in minor versions. - Keep the major version of
@types/jest
in sync with the major version ofjest
. - Update packages from the
@types/*
scope with lower priority(-5) than other dependencies and disablenpm:unpublishSafe
.
Be aware that there are the config presets for config:js-app
which you will not need, since it's already part of this one, but you might want to use config:js-lib
or just apply :pinOnlyDevDependencies
after this preset.
A very common thing is to add :autoMergePatch
to extends
, but this needs to happen on the repository level, since we cannot be sure that test coverage is good enough in every repo. And since GitHub now offers the option to enable automerge per PR when it's ready, there might not even be a need for it.
There is currently only limited / "alpha level" support for python using pip-compile
.
This configuration has not been used with python projects for a while, it most certainly needs changes.
{
"extends": ["github>bettermarks/renovate-config:python"]
}
It includes the following presets:
- the default config from this repository
and it configures the following:
- constraints python to 3.6
- Enables pip-compile manager (and disables pip_requirements and pip_setup managers since they seem to be conflicting?)
you can override all of this per repo! if you found a config that works for you, please consider to update this one.