Skip to main content

Automated dependency updates

Renovate is a tool that automates dependency updates in your project. It can save you time by automatically creating pull requests to update your dependencies.

Here’s how to set it up:

renovate.json or .github/renovate.json:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "local>hmcts/.github:renovate-config"
  ]
}

This configuration will use the default configuration for most options, and will label pull requests with the “dependencies” label.

It will only run in the morning to minimise disruption to your day and to also create the pull requests while the non production environments are running.

You can see all the configured options in hmcts/.github:renovate-config.json.

Minimising work for your team

It’s great that renovate is keeping your dependencies up to date, but it can take a lot of time to manage it.

We have provided two presets that will automerge pull requests for you if their CI checks are passing.

Depending on your project’s test coverage, you can use one of the following presets:

automerge-minor:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "local>hmcts/.github:renovate-config",
    "local>hmcts/.github//renovate/automerge-minor"
  ]
}

automerge-all:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "local>hmcts/.github:renovate-config",
    "local>hmcts/.github//renovate/automerge-all"
  ]
}

renovate-approve will automatically approve pull requests from renovate, so you don’t need to worry about approving them.

Make sure you enable auto-merge on the repository settings:

Auto-merge settings

Codeowners

If you have codeowners setup in your repository renovate won’t be able to merge the pull requests automatically unless you remove the dependency files from CODEOWNERS.

For Java:

# https://help.github.com/en/articles/about-code-owners

* @hmcts/$team-name

# Renovate files
gradle/wrapper/gradle-wrapper.jar
gradle/wrapper/gradle-wrapper.properties
Dockerfile
build.gradle
charts/**/Chart.yaml
infrastructure/state.tf # or whichever file you use for terraform provider version sometimes provider.tf
.github/workflows/*.yaml

For NodeJS:

# https://help.github.com/en/articles/about-code-owners

* @hmcts/$team-name

# Renovate
.pnp.cjs
.yarn/**
package.json
yarn.lock
charts/**/Chart.yaml
.github/workflows/*.yaml

Grouping pull requests

Renovate will create a pull request for each dependency update, which can be a lot of pull requests.

If you are subscribed to the whole repository you will get a notification for each pull request. The above section on CODEOWNERS would help with this as you can unsubscribe from the repository and then won’t get requested for review.

If you group the pull requests it will reduce the number of pull requests you get from renovate.

Below are a couple of examples on how to accomplish this:

For more information, see the Renovate documentation.

Dependabot vs Renovate

We do not recommend using dependabot.

It is nowhere near as powerful as renovate.

Features missing:

  • Centralised configuration
  • Flexible scheduling
  • Automerge
  • Grouping pull requests
  • Regex support for dependency files
  • Many missing package managers - gradle wrapper, helm, terraform, nodejs version manager, etc
This page was last reviewed on 20 September 2024. It needs to be reviewed again on 20 December 2024 by the page owner platops-build-notices .
This page was set to be reviewed before 20 December 2024 by the page owner platops-build-notices. This might mean the content is out of date.