Automating Dependency Management: A Guide to Implementing Renovate Bot in Your GitLab Organization

Understanding RenovateBot

Renovate Bot is an open-source automated dependency update tool that helps streamline the process of managing dependencies in software projects. It integrates with various version control platforms like GitHub, GitLab, Bitbucket, etc., to automatically monitor dependencies and create pull requests to update them whenever new versions are available.

Setting Up Renovate Bot Integration with GitLab

Step 1:

Create a GitLab repo dedicated to storing the Renovate Bot configs.

Step 2:

Create a new user for Renovate Bot in the organization's GitLab. This is the user that Renovate Bot uses for the automated dependency update CI pipelines.

Step 3:

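Prepare the Renovate Bot global configuration file. Renovate Bot has two configurations: the global config, which can be written in a JavaScript file, config.js, or passed as an environment variable, and the repo config covered in Step 5. (Ref: Renovate Documentation)

module.exports = {
  // Config written into the onboarding merge request for each new repo
  onboardingConfig: {
    extends: ["config:recommended", "group:all"],
  },
  platform: "gitlab",
  // Run on every repository the bot account can access
  autodiscover: true,
  // Allow repositories to run install plugins and install scripts
  allowPlugins: true,
  allowScripts: true,
  // API URL of the self-hosted GitLab, provided by GitLab CI
  endpoint: process.env.CI_API_V4_URL,
};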

Let's dive into the configuration present in the above piece of code:

extends: Provide the list of presets to be used by the global config.

platform: Platform where your project source code is stored; allowed values are azure, bitbucket, bitbucket-server, codecommit, gerrit, gitea, github, gitlab, local.

autodiscover: When you enable autodiscover, by default, Renovate runs on every repository that the bot account can access. You can limit which repositories Renovate can access by using the autodiscoverFilter config option. Allowed values are true or false.

allowPlugins: Set this to true if repositories are allowed to run install plugins.

allowScripts: Set this to true if repositories are allowed to run install scripts.

endpoint: Endpoint of the self-hosted GitLab.

Step 4:

Prepare custom presets. If you manage Renovate for many repositories, you should create a global preset configuration. Then, you extend the global preset in each repository. This way, you have all global configuration in a single file, in a single repository. (Ref: Renovate Documentation). Below is an example of common presets, named common-presets.json, which can be used as a common config template across multiple repositories:

{
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "prTitle": "RenovateBot dependencies update",
    "groupName": "dependencies-update",
    "draftPR": true,
    "hostRules": [
        {
            "matchHost": "<HOST>",
            "hostType": "docker",
            "username": "<USERNAME>",
            "password": "<PASSWORD>"
        }
    ],
    "gitAuthor": "RenovateBot <EMAIL>",
    "baseBranches": ["master"],
    "assignees": ["renovate_bot"]
}

Step 5:

Prepare the repo configuration file, which is placed in the destination project repo where Renovate Bot performs the dependency update. It can be written in a JSON file, and the supported filenames are renovate.json, renovate.json5, .github/renovate.json, .github/renovate.json5, .gitlab/renovate.json, .gitlab/renovate.json5, .renovaterc, .renovaterc.json, .renovaterc.json5 (Ref: Renovate Documentation). The global config from Step 3 goes in the root path of the Renovate Bot repo with the filename config.js. Set the variable RENOVATE_TOKEN in GitLab CI/CD variables as a masked variable. This will be the access token of the Renovate Bot user. Below is an example repo configuration:

{
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "extends": [
        "local>devops/renovate-bot:common-presets"
    ],
    "enabledManagers": ["gitlabci", "gitlabci-include", "helmv3", "pip_requirements"],
    "reviewers": ["kameshvaran.v"]
}

This JSON configuration file should be present in each project repo where Renovate Bot performs the dependency update.

enabledManagers: A list of package managers to enable. Only managers on the list are enabled. (Ref: Renovate Documentation)

reviewers: Name of the reviewer for the merge request created by Renovate Bot.

local>devops/renovate-bot:common-presets: This is the custom preset provided above; this repo config extends it. Renovate Bot presets follow a naming convention when they are extended. (Ref: Renovate Documentation)

Step 6:

Prepare the .gitlab-ci.yml file for pipeline execution. Below is an example GitLab CI file:

Renovate:Dep:Update:
    image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/renovate/renovate:${RENOVATE_BOT_IMAGE_TAG}
    stage: build
    script:
        - renovate
    rules:
        # Run for manual, scheduled, API and triggered pipelines
        - if: '$CI_PIPELINE_SOURCE =~ /^(web|schedule|api|external|parent_pipeline|trigger|pipeline)$/'
        # Never run on commits to the default branch or protected */master branches
        - if: '($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH) || ($CI_COMMIT_BRANCH =~ /^.*\/master$/ && $CI_COMMIT_REF_PROTECTED == "true")'
          when: never
        # Never run on merge requests targeting those branches
        - if: '($CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH) || ($CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^.*\/master$/ && $CI_COMMIT_REF_PROTECTED == "true")'
          when: never
Step 7:

Once .gitlab-ci.yml is created, create a scheduled pipeline in GitLab to run the Renovate Bot automated dependency update for a specific time range.
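Before scheduling the pipeline, the global config from Step 3 and the preset from Step 4 can be checked for their widest settings. The following is an added example, not part of the original post or of Renovate itself: it flags autodiscover without autodiscoverFilter, allowScripts/allowPlugins left on, and credentials stored in the committed preset. The function name auditRenovateConfig, the hostnames, the devops/* filter and the credential value are assumptions constructed for illustration.

```javascript
// Added example: audit of the Step 3 global config and Step 4 preset.
// auditRenovateConfig and all sample values are illustrative assumptions.
function auditRenovateConfig(globalConfig, preset = {}) {
  const findings = [];
  const filter = globalConfig.autodiscoverFilter;
  const hasFilter = Array.isArray(filter) ? filter.length > 0 : Boolean(filter);
  // Without a filter, autodiscover covers every repo the bot account can access.
  if (globalConfig.autodiscover === true && !hasFilter) {
    findings.push("autodiscover: no autodiscoverFilter set");
  }
  // These switches let repositories run install scripts/plugins in the job.
  for (const key of ["allowScripts", "allowPlugins"]) {
    if (globalConfig[key] === true) {
      findings.push(`${key}: repositories may run install code in the job`);
    }
  }
  // The preset is a JSON file committed to a repo, so any credential in it
  // is readable by everyone who can read that repo.
  (preset.hostRules || []).forEach((rule, i) => {
    for (const field of ["password", "token"]) {
      if (typeof rule[field] === "string" && rule[field] !== "") {
        findings.push(`hostRules[${i}].${field}: stored in preset for ${rule.matchHost}`);
      }
    }
  });
  return findings;
}

// Global config as in Step 3 (endpoint value is constructed).
const asPublished = {
  platform: "gitlab", autodiscover: true, allowPlugins: true, allowScripts: true,
  endpoint: "https://gitlab.example.com/api/v4",
};
// Preset laid out as in Step 4, with a constructed credential filled in.
const presetWithSecret = {
  hostRules: [{ matchHost: "registry.example.com", hostType: "docker",
                username: "renovate", password: "constructed-not-real" }],
};
// Tightened variant: discovery scoped to one group, install code disabled.
const tightened = {
  ...asPublished, autodiscoverFilter: ["devops/*"],
  allowPlugins: false, allowScripts: false,
};

console.log(auditRenovateConfig(asPublished, presetWithSecret)); // 4 findings
console.log(auditRenovateConfig(tightened)); // []
```

The registry credential can instead be defined under hostRules in config.js, which can read it from a masked CI/CD variable through process.env, the same way the Step 3 config reads the endpoint.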

Conclusion

Once all the above steps are done, Renovate Bot execution is scheduled for a specific time range. It runs the automated dependency update job on whichever projects it has access to. After the dependency update is completed, Renovate Bot creates a merge request and assigns it to the reviewers. You can then review the merge request and merge it.