Dependency management automation with Renovate
Modern IT systems are built on top of dozens of software applications and programming languages.
These systems often depend on third-party components, which help developers avoid reinventing the wheel. These components, mostly libraries or frameworks, have their own lifecycles, allowing for the addition of new features and the patching of security issues.
The dependency loop
Let's take a look to a Go project as example, the AWS Terraform provider. This provider rely on the AWS SDK Go:
module github.com/hashicorp/terraform-provider-aws
go 1.22.2
require (
github.com/ProtonMail/go-crypto v1.1.0-alpha.2
github.com/YakDriver/go-version v0.1.0
github.com/YakDriver/regexache v0.23.0
github.com/aws/aws-sdk-go v1.53.18
github.com/aws/aws-sdk-go-v2 v1.27.1
github.com/aws/aws-sdk-go-v2/config v1.27.17
github.com/aws/aws-sdk-go-v2/credentials v1.17.17
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.4
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.23
github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.29.7
github.com/aws/aws-sdk-go-v2/service/account v1.17.0
github.com/aws/aws-sdk-go-v2/service/acm v1.26.1
github.com/aws/aws-sdk-go-v2/service/acmpca v1.30.2
...
When AWS releases a new version of the AWS SDK Go, the provider must update it to include the latest bug and CVE fixes, as well as new services and functionalities.
As you can see, this simple project has a large number of external dependencies, and each of these dependencies also has its own sub-dependencies. Looking at the AWS SDK Go project, here are its dependencies:
module github.com/aws/aws-sdk-go
go 1.19
require (
github.com/jmespath/go-jmespath v0.4.0
golang.org/x/net v0.17.0
)
require golang.org/x/text v0.13.0 // indirect
Automate dependency management
Manually upgrading each individual dependency is not realistic.
This is why automation is necessary, and Mend Renovate is an ideal tool for the job. It is capable to scans your project, identifies outdated dependencies, and automatically creates pull requests to update them.
When a pull request is opened, it triggers the project pipeline, allowing you to run acceptance tests automatically on the new version of the dependency. Renovate is compatible with major source control managers such as GitHub, GitLab, Bitbucket, and more.
Using Renovate
I'm using a Gitlab project named "Renovate" in my organization, which contains the following configuration.
Gitlab CI
# File: .gitlab-ci.yml
variables:
RENOVATE_TOKEN: [...]
renovate:
image: [...]
timeout: 1h
parallel:
matrix:
- RENOVATE_CONFIG_FILE: "./config/terraform.js"
- RENOVATE_CONFIG_FILE: "./config/docker.js"
As Renovate clones each repository in the directory of your choice, it requires a token (specified by the RENOVATE_TOKEN
environment variable). This token allows Renovate to open and close merge requests and manage branches - The documentation specifies the minimum rights needed for the token.
Mend no longer offers a Docker image for Renovate, so you must use your own.
Renovate core configuration
This configuration file is design to instruct Renovate what to do:
# File: .config/terraform.js
module.exports = {
"extends": [
"config:recommended",
":disableDependencyDashboard",
":semanticCommitTypeAll(chore)"
],
"platform": "gitlab",
"endpoint": "https://scm.acme.com/api/v4/",
"token": process.env.RENOVATE_TOKEN,
"reviewersFromCodeOwners": true,
"branchPrefix": "chore/",
"commitMessageAction": "update",
"commitMessagePrefix": "chore:",
"dependencyDashboard": false,
"branchConcurrentLimit": 10,
"gitAuthor": "...",
"labels": ["automated", "triage"],
"rebaseWhen": "behind-base-branch",
"recreateWhen": "auto",
"autodiscover": true,
"autodiscoverFilter": [
"acme/modules/terraform/**"
]
};
This simple configuration will instruct Renovate to:
- Loop scan every repository under directory
acme/modules/terraform/
, recursively. - Create a branch using prefix
chore
, following Conventional Commit best practices - Create a Merge Request and assign the project Code Owners as reviewers.
Auto-trigger Renovate
Your Renovate setup is now ready to manage your dependencies. The final step is to automate the scan trigger by creating a new GitLab pipeline schedule 🚀