This repo illustrates how to run Renovate Bot using a GitLab CI runner, which is useful if you are on GitLab.com or a self-hosted GitLab instance, where you are obliged to run/operate the Renovate bot yourself!
It is based on the renovate-runner GitLab.com project maintained by WhiteSource, which (IMO) applies several unsuitable defaults.
Applied changes (in relation to the renovate-runner repo):
- Got rid of publishing releases for this GitLab project (it serves no purpose...)
- Thus, there is no
.releaserc.json
orpackage[-lock].json
in this repo anymore
- Thus, there is no
renovate.json
changes:- Migrate to JSON5 to be able to add comments, and to avoid that trailing commas cause problems
- Don't extend from
"github>renovatebot/.github"
(which defines some rules which are non-sensical to us) - instead, we just extend from"config:base"
. - Slim down the
packageRules
section considerably (now only covering"renovate/renovate"
), and configure that minor and patch updates are fully automatically merged, without creating a PR/MR (to avoid email spam) - No longer pin digests (i.e., no longer put the
renovate/renovate
Docker image's SHA-256 hash intemplates/renovate.gitlab-ci.yml
). This makes no sense here, because the Renovate Bot team releases a new version (with a new version tag, of type minor or patch) about three times per day!! You would only use version pinning if you expect that a Docker image's version tag stays stable for a long time, but is still being rebuilt regularly.
.gitlab-ci.yml
changes:- Use
rules
instead ofonly
to have more flexibility (also affectstemplates/_common.gitlab-ci.yml
) - Make sure no pipeline is run for merge-request branches created by the bot (we don't have any tests, and CI variables are not defined for such unprotected branches)
- Use
templates/_common.gitlab-ci.yml
changes:- Require onboarding
- Remove the
RENOVATE_EXTENDS
setting - I don't understand what it does, given that this not a "self-hosted" configuration variable, but a repository-specific variable! - Enable autodiscovery mode (
RENOVATE_AUTODISCOVER: 'true'
) - Configure the bot to create a
renovate.json5
file (instead of the defaultrenovate.json
) during onboarding of a developer's repository, so that the developers can use JSON comments
To make use of this repository, you have to:
- Create a GitLab user for the bot, e.g.
renovatebot
- Create a personal access token for that
renovatebot
account (scopes:read_user
,api
andwrite_repository
), and also create a personal GitHub.com access token - In GitLab, in Settings -> CI/CD -> Variables, set the
GITHUB_COM_TOKEN
andRENOVATE_TOKEN
- Invite the
renovatebot
account into this project, and make sure that it has permissions to merge into the (usually protected) main/master branch. This can happen in different ways:- Option 1: invite
renovatebot
as Developer role, but then, under Settings -> Repository -> Protected branches, the main/master branch must allow "Maintainers + Developers" to do merges - Option 2: invite
renovatebot
as Maintainer role
- Option 1: invite
- Set up a schedule (CI/CD -> Schedules) to run the CI pipeline every hour (cron syntax:
0 * * * *
), or however often you think it makes sense