Automating Dependency Management: A Guide to Implementing Renovate Bot in Your GitLab Organization

2024-04-10 | 10 min read | Kameshvaran

Understanding RenovateBot

Renovate Bot is an open-source automated dependency update tool that helps streamline the process of managing dependencies in software projects. It integrates with various version control platforms like GitHub, GitLab, Bitbucket, etc., to automatically monitor dependencies and create pull requests to update them whenever new versions are available.

Setting Up Renovate Bot Integration with GitLab

Step 1:

Create a GitLab repo dedicated to storing the Renovate Bot configs.

Step 2:

Create a new user for Renovate Bot in the organization's GitLab. This is the user that Renovate Bot uses in the automated dependency update CI pipelines.

Step 3:

Prepare the Renovate Bot global configuration file. Renovate Bot has two configurations: the global config, which can be written in a JavaScript file (config.js) or passed as an environment variable, and the repo config, which is covered in Step 5.

module.exports = {
  onboardingConfig: {
    extends: ["config:recommended", "group:all"],
  },
  platform: "gitlab",
  autodiscover: true,
  allowPlugins: true,
  allowScripts: true,
  endpoint: process.env.CI_API_V4_URL,
};

Let's dive into the configuration:

  • extends: Provide the list of presets to be used by the global config.
  • platform: Platform where your project source code is stored; allowed values are azure, bitbucket, bitbucket-server, codecommit, gerrit, gitea, github, gitlab, local.
  • autodiscover: When you enable autodiscover, by default, Renovate runs on every repository that the bot account can access. You can limit which repositories Renovate can access by using the autodiscoverFilter config option.
  • allowPlugins: Set this to true if repositories are allowed to run install plugins.
  • allowScripts: Set this to true if repositories are allowed to run install scripts.
  • endpoint: Endpoint of the self-hosted GitLab.

Step 4:

Prepare custom presets. If you manage Renovate for many repositories, you should create a global preset configuration and then extend that preset in each repository. Below is an example of common presets, named common-presets.json:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "prTitle": "RenovateBot dependencies update",
  "groupName": "dependencies-update",
  "draftPR": true,
  "hostRules": [
    {
      "matchHost": "<HOST>",
      "hostType": "docker",
      "username": "<USERNAME>",
      "password": "<PASSWORD>"
    }
  ],
  "gitAuthor": "RenovateBot <EMAIL>",
  "baseBranches": ["master"],
  "assignees": ["renovate_bot"]
}

Step 5:

Prepare the repo configuration file, which is placed in the destination project repo where Renovate Bot performs the dependency update. Below is an example repo config:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "local>devops/renovate-bot:common-presets"
  ],
  "enabledManagers": ["gitlabci", "gitlabci-include", "helmv3", "pip_requirements"],
  "reviewers": ["kameshvaran.v"]
}

This JSON configuration file should be present in each project repo where Renovate Bot performs the dependency update.

  • enabledManagers: A list of package managers to enable. Only managers on the list are enabled.
  • reviewers: Name of the reviewer for the merge request created by Renovate Bot.
  • local>devops/renovate-bot:common-presets: This is the custom preset provided above; the repo config extends these common presets.

Step 6:

Prepare the .gitlab-ci.yml file for pipeline execution:

Renovate:Dep:Update:
  image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/renovate/renovate:${RENOVATE_BOT_IMAGE_TAG}
  stage: build
  script:
    - renovate
  rules:
    - if: '$CI_PIPELINE_SOURCE =~ /^(web|schedule|api|external|parent_pipeline|trigger|pipeline)$/'
    - if: '($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH) || ($CI_COMMIT_BRANCH =~ /^.*\/master$/ && $CI_COMMIT_REF_PROTECTED == "true")'
      when: never
    - if: '($CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH) || ($CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^.*\/master$/ && $CI_COMMIT_REF_PROTECTED == "true")'
      when: never

Set the variable RENOVATE_TOKEN in the GitLab CI/CD variables as a masked variable. This is the access token of the Renovate Bot user.

Step 7:

Once .gitlab-ci.yml is created, create a scheduled pipeline in GitLab to run the Renovate Bot automated dependency update for a specific time range.
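
The settings from Step 3 and Step 4 decide how far a Renovate run reaches and what it may execute, so it is worth checking them before the schedule goes live. The script below is an added example, not part of the original guide or of Renovate itself: auditRenovateConfig, the finding ids and all sample values are hypothetical and constructed for illustration.

```javascript
// Added example: audit a Renovate global config and a shared preset for
// settings that widen what a Renovate run can reach or execute.
// auditRenovateConfig and the finding ids are hypothetical names.
const PLACEHOLDER = /^<[^<>]+>$/; // "<PASSWORD>"-style template value

function auditRenovateConfig(globalConfig, preset = {}) {
  const findings = [];
  const filter = globalConfig.autodiscoverFilter;
  const hasFilter = Array.isArray(filter) ? filter.length > 0 : Boolean(filter);

  if (globalConfig.autodiscover === true && !hasFilter) {
    findings.push({ id: "autodiscover-unfiltered",
      detail: "runs on every repository the bot account can access" });
  }
  for (const key of ["allowScripts", "allowPlugins"]) {
    if (globalConfig[key] === true) {
      findings.push({ id: `${key}-enabled`,
        detail: "repositories may run install code inside the Renovate CI job" });
    }
  }
  // A credential typed into a preset is readable by anyone who can read the repo.
  for (const [i, rule] of (preset.hostRules || []).entries()) {
    for (const field of ["password", "token"]) {
      const value = rule[field];
      if (typeof value === "string" && value !== "" && !PLACEHOLDER.test(value)) {
        findings.push({ id: "hostrule-inline-secret",
          detail: `hostRules[${i}].${field} for ${rule.matchHost} is a literal value` });
      }
    }
  }
  return findings;
}

// Constructed inputs: the Step 3 settings as written, and a narrowed variant.
const pageConfig = { platform: "gitlab", autodiscover: true,
  allowPlugins: true, allowScripts: true };
const narrowedConfig = { platform: "gitlab", autodiscover: true,
  autodiscoverFilter: ["devops/*"], allowPlugins: false, allowScripts: false };
// Constructed preset with a made-up literal password in hostRules.
const leakyPreset = { hostRules: [{ matchHost: "registry.example.com",
  hostType: "docker", username: "ci-reader", password: "constructed-not-a-real-secret" }] };

console.log(auditRenovateConfig(pageConfig, leakyPreset).map((f) => f.id));
console.log(auditRenovateConfig(narrowedConfig).map((f) => f.id));
```

Because config.js is ordinary JavaScript, the same function can be run against the real file with require("./config.js") in a pre-merge job on the Renovate config repo.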

Conclusion

Once all the above steps are done, Renovate Bot execution is scheduled for a specific time range. It runs the automated dependency update job on every project it has access to. After the dependency update is completed, Renovate Bot creates a merge request and assigns it to the reviewers. You can then review the merge request and merge it.