If you want to have a single configuration for all your applications / microservices / projects, you’ve come to the right place. Let me show you how to do it with GitLab and Renovate.
Renovate, a tool to keep your dependencies up to date
Renovate is a tool that automatically upgrades the dependencies of any project by creating Merge Requests (MRs) on GitLab (Pull Requests on GitHub). It works with several languages (NodeJs, Go, Rust, Python) and on all major Git platforms (GitLab, GitHub, Bitbucket, Gitea). It has a lot of configuration options in which you can get totally lost, such as creating MRs according to a schedule, automatic merging, discovering projects from a GitLab account, choosing which dependencies to update, etc.
Renovate works with two main components:
- a worker (CI, Docker, CLI)
- projects you want to keep up to date via a config file, renovate.json, at the root of each Git repository
Why we need Renovate
We, at MONI, have a lot of microservices, something like 50+, with some private dependencies to share configurations and enums.
For instance, when you switch to another project and run npm install, each time you get this line: 2 moderate severity vulnerabilities, and sometimes 16 vulnerabilities (12 moderate, 1 high, 3 critical). It is scary.
Now, my manager said to me “we need to find a tool to keep all our dependencies up to date to avoid security vulnerabilities”. We also wanted to avoid having a configuration for each microservice because all our microservices are similar (NodeJs and pretty much the same dependencies). Having a Renovate config everywhere is too much maintenance.
Setup Renovate for GitLab
Create a new project, Renovate, to use as a worker for all your Git repositories.
Renovate can be used on GitLab by using their template CI, available here.
Our .gitlab-ci.yml from Renovate looks like this at this stage.
include:
  - project: 'renovate-bot/renovate-runner'
    file: '/templates/renovate.gitlab-ci.yml'
Another thing to do is to set up the CI variable RENOVATE_TOKEN with a Personal token or Group token with the scopes read_user, api and write_repository.
We need to override the renovate job to help the worker find our projects hosted on GitLab, and to disable onboarding because we don’t want a renovate.json in each of our services. Another thing to note is the need to trigger the renovate job manually or start it via a cron schedule.
include:
  - project: 'renovate-bot/renovate-runner'
    file: '/templates/renovate.gitlab-ci.yml'

renovate:
  variables:
    RENOVATE_ONBOARDING: "false"
    RENOVATE_AUTODISCOVER: "true"
    RENOVATE_AUTODISCOVER_FILTER: microservices/svc-test
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
    - when: manual
It’s working, but it opens a lot of MRs, one for each outdated dependency. That’s not exactly what we want. Let’s go deeper.
Define the Universalis configuration
Put a default.json in any public Git repository, like here.
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "prConcurrentLimit": 4,
  "branchPrefix": "fix/TE-000-",
  "commitMessagePrefix": "fix: ⬆️ TE-000 ",
  "groupName": "all",
  "packageRules": [
    {
      "packagePatterns": ["*"],
      "enabled": false
    }
  ],
  "osvVulnerabilityAlerts": true,
  "vulnerabilityAlerts": {
    "enabled": true
  }
}
This config:
- extends the recommended one
- limits to 4 MRs per service
- sets a git branch prefix
- sets a commit message prefix (the MR title depends on this too)
- groups dependency upgrades in one MR (only used if more than one dependency needs an upgrade)
- disables all dependency upgrades
- re-enables dependency upgrades for security issues only
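As an added example (not code from this post or from Renovate itself), a small Python check that a shared default.json still carries the invariants listed above before it is pushed to the public repository; the lint rules and messages are my own, and the config text is a constructed copy of the one shown.

```python
import json

# Constructed copy of the shared default.json described above (not fetched from any repo).
DEFAULT_JSON = """{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "prConcurrentLimit": 4,
  "branchPrefix": "fix/TE-000-",
  "commitMessagePrefix": "fix: TE-000 ",
  "groupName": "all",
  "packageRules": [{"packagePatterns": ["*"], "enabled": false}],
  "osvVulnerabilityAlerts": true,
  "vulnerabilityAlerts": {"enabled": true}
}"""

# Keys (old and new spellings) under which a package rule can say "every package".
MATCH_ALL_KEYS = ("packagePatterns", "matchPackagePatterns", "matchPackageNames")


def lint_config(cfg: dict) -> list:
    """Return human-readable findings for a shared Renovate config; an empty list means the policy holds."""
    findings = []
    if "config:recommended" not in cfg.get("extends", []):
        findings.append("extends: config:recommended is missing")
    rules = cfg.get("packageRules", [])
    # The "one MR per outdated dependency" flood is prevented only by a match-all rule with enabled=false.
    disables_all = any(
        rule.get("enabled") is False and any("*" in rule.get(key, []) for key in MATCH_ALL_KEYS)
        for rule in rules
    )
    if not disables_all:
        findings.append("packageRules: no match-all rule with enabled=false, "
                        "so every outdated dependency gets its own MR")
    # Security updates must be switched back on explicitly, otherwise the rule above disables them too.
    if not cfg.get("vulnerabilityAlerts", {}).get("enabled", False):
        findings.append("vulnerabilityAlerts.enabled must be true or security updates stay disabled too")
    if not cfg.get("osvVulnerabilityAlerts", False):
        findings.append("osvVulnerabilityAlerts is off: on GitLab the OSV database is the only vulnerability source")
    for i, rule in enumerate(rules):
        if "packagePatterns" in rule:
            findings.append(f"packageRules[{i}]: packagePatterns is deprecated, "
                            "Renovate migrates it to matchPackagePatterns")
    return findings


def lint_shared_config(raw: str) -> list:
    """Parse the JSON text of default.json and lint it."""
    return lint_config(json.loads(raw))
```

Run it in the worker project's pipeline against the file you publish, so a config edit that silently re-enables every upgrade is caught before Renovate opens fifty MRs.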
Setup Renovate to manage one configuration to rule them all
The first thing I discovered was the possibility of using Global Extends to use a default configuration for all my projects, BUT it has to be hosted on a public Git repository.
The second thing is Require Config, an option to disable the check for a local renovate.json in each project scanned by Renovate.
Let’s try it.
include:
  - project: 'renovate-bot/renovate-runner'
    file: '/templates/renovate.gitlab-ci.yml'

renovate:
  variables:
    RENOVATE_ONBOARDING: "false"
    RENOVATE_AUTODISCOVER: "true"
    RENOVATE_AUTODISCOVER_FILTER: microservices/svc-test
    RENOVATE_REQUIRE_CONFIG: ignored
    RENOVATE_GLOBAL_EXTENDS: gitlab>renovate-bot/renovate-runner
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
    - when: manual
Wow, it’s working, but unfortunately it does not solve all npm audit security issues.
Little note about security vulnerabilities by Renovate
This configuration will not solve all the problems reported in the npm audit output, as Renovate’s security data is limited to the OSV database.
Debug Renovate config
It’s a real nightmare to work out why your Global Extend Config changes don’t affect the Renovate worker’s run. You have to disable the cache to apply the new Global Extend Config… Nightmare.
I’ve added the LOG_LEVEL variable to help you debug your configuration.
include:
  - project: 'renovate-bot/renovate-runner'
    file: '/templates/renovate.gitlab-ci.yml'

renovate:
  variables:
    RENOVATE_ONBOARDING: "false"
    RENOVATE_AUTODISCOVER: "true"
    RENOVATE_AUTODISCOVER_FILTER: microservices/svc-test
    RENOVATE_REQUIRE_CONFIG: ignored
    RENOVATE_GLOBAL_EXTENDS: gitlab>renovate-bot/renovate-runner
    RENOVATE_REPOSITORY_CACHE: disabled
    LOG_LEVEL: debug
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
    - when: manual