Automated dependency updates
Renovate is a tool that automates dependency updates in your project. It can save you time by automatically creating pull requests to update your dependencies.
Here’s how to set it up:
renovate.json or .github/renovate.json:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"local>hmcts/.github:renovate-config"
]
}
This configuration will use the default configuration for most options, and will label pull requests with the “dependencies” label.
It will only run in the morning to minimise disruption to your day and to also create the pull requests while the non production environments are running.
You can see all the configured options in hmcts/.github:renovate-config.json.
Minimising work for your team
It’s great that renovate is keeping your dependencies up to date, but it can take a lot of time to manage it.
We have provided two presets that will automerge pull requests for you if their CI checks are passing.
Depending on your project’s test coverage, you can use one of the following presets:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"local>hmcts/.github:renovate-config",
"local>hmcts/.github//renovate/automerge-minor"
]
}
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"local>hmcts/.github:renovate-config",
"local>hmcts/.github//renovate/automerge-all"
]
}
renovate-approve will automatically approve pull requests from renovate, so you don’t need to worry about approving them.
Make sure you enable auto-merge on the repository settings:
Codeowners
If you have codeowners setup in your repository renovate won’t be able to merge the pull requests automatically unless you remove the dependency files from CODEOWNERS.
For Java:
# https://help.github.com/en/articles/about-code-owners
* @hmcts/$team-name
# Renovate files
gradle/wrapper/gradle-wrapper.jar
gradle/wrapper/gradle-wrapper.properties
Dockerfile
build.gradle
charts/**/Chart.yaml
infrastructure/state.tf # or whichever file you use for terraform provider version sometimes provider.tf
.github/workflows/*.yaml
For NodeJS:
# https://help.github.com/en/articles/about-code-owners
* @hmcts/$team-name
# Renovate
.pnp.cjs
.yarn/**
package.json
yarn.lock
charts/**/Chart.yaml
.github/workflows/*.yaml
Grouping pull requests
Renovate will create a pull request for each dependency update, which can be a lot of pull requests.
If you are subscribed to the whole repository you will get a notification for each pull request.
The above section on CODEOWNERS would help with this as you can unsubscribe from the repository and then won’t get requested for review.
If you group the pull requests it will reduce the number of pull requests you get from renovate.
Below are a couple of examples on how to accomplish this:
For more information, see the Renovate documentation.
Dependabot vs Renovate
We do not recommend using dependabot.
It is nowhere near as powerful as renovate.
Features missing:
- Centralised configuration
- Flexible scheduling
- Automerge
- Grouping pull requests
- Regex support for dependency files
- Many missing package managers - gradle wrapper, helm, terraform, nodejs version manager, etc