How to use Renovate Bot on self-hosted GitLab

There is no built-in Renovate Bot on a self-hosted GitLab. What can we do to set it up and enjoy all the benefits of automatic dependency updates?

Renovate Bot is an automated tool designed to update software dependencies. It checks for new versions of the libraries and packages used in your project and automatically creates merge requests to update them. This keeps dependencies safer and up to date, minimizing the risks associated with vulnerabilities in old versions.

For self-hosted repositories of frontend applications, Renovate Bot offers the following options:

The first option is not suitable for us because it’s designed for npm projects, and we would like a more universal approach. The last option is also not suitable because it would require maintaining a separate Renovate instance. We also do not want to maintain a separate runner, so we will use the Docker image, which can be run on any existing runner.

#Step #1: Repository configuration

Create a file renovate.json in the root of your repository. I recommend adding the following options:

Final settings:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "minimumReleaseAge": "3 days",
  "reviewers": ["andrepolischuk", "unicorn"],
  "prHourlyLimit": 0,
  "prConcurrentLimit": 0,
  "packageRules": [
    {
      "matchUpdateTypes": ["patch"],
      "addLabels": ["dependencies", "patch"]
    },
    {
      "matchUpdateTypes": ["minor"],
      "addLabels": ["dependencies", "minor"]
    },
    {
      "matchUpdateTypes": ["major"],
      "addLabels": ["dependencies", "major"]
    },
    {
      "matchUpdateTypes": ["patch", "minor"],
      "matchCurrentVersion": "!/^0/",
      "automerge": true
    }
  ]
}
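To see what the final settings above decide for a given update, here is an added example (not part of the original article and not Renovate's own code) that applies the four packageRules in order to constructed sample updates. It models only the options used above (matchUpdateTypes, the regex form of matchCurrentVersion, addLabels, automerge) and treats minimumReleaseAge as a day count; `resolve`, `version_matches`, the sample packages and the `releaseAgeDays` field are names made up for this example.

```python
import json
import re

# packageRules and minimumReleaseAge copied from the article's "Final settings".
CONFIG = json.loads("""{
  "minimumReleaseAge": "3 days",
  "packageRules": [
    {"matchUpdateTypes": ["patch"], "addLabels": ["dependencies", "patch"]},
    {"matchUpdateTypes": ["minor"], "addLabels": ["dependencies", "minor"]},
    {"matchUpdateTypes": ["major"], "addLabels": ["dependencies", "major"]},
    {"matchUpdateTypes": ["patch", "minor"], "matchCurrentVersion": "!/^0/",
     "automerge": true}
  ]
}""")

def version_matches(pattern, version):
    """Model only the regex forms of matchCurrentVersion: /re/ and !/re/."""
    negate = pattern.startswith("!")
    body = pattern[1:] if negate else pattern
    if len(body) < 2 or body[0] != "/" or body[-1] != "/":
        raise ValueError("only /regex/ patterns are modelled here")
    return (re.search(body[1:-1], version) is not None) != negate

def resolve(update, config=CONFIG):
    """Apply every matching rule in order; later rules add to earlier ones."""
    out = {"labels": [], "automerge": False}
    for rule in config["packageRules"]:
        if update["updateType"] not in rule["matchUpdateTypes"]:
            continue
        pattern = rule.get("matchCurrentVersion")
        if pattern and not version_matches(pattern, update["currentVersion"]):
            continue
        out["labels"] += rule.get("addLabels", [])
        out["automerge"] = rule.get("automerge", out["automerge"])
    # Assumption: the age is always written as "<n> days", as in the article.
    min_days = int(config["minimumReleaseAge"].split()[0])
    # Release younger than minimumReleaseAge: not yet treated as stable.
    out["pending"] = update["releaseAgeDays"] < min_days
    return out

# Constructed sample updates (hypothetical packages, not from the article).
SAMPLES = [
    {"dep": "lib-a", "updateType": "patch", "currentVersion": "4.17.20", "releaseAgeDays": 10},
    {"dep": "lib-b", "updateType": "minor", "currentVersion": "0.9.1", "releaseAgeDays": 10},
    {"dep": "lib-c", "updateType": "major", "currentVersion": "2.3.0", "releaseAgeDays": 10},
    {"dep": "lib-d", "updateType": "patch", "currentVersion": "1.2.3", "releaseAgeDays": 1},
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u["dep"], resolve(u))
```

The case to look at is lib-b: a minor update of a 0.x dependency is labelled but left for manual review, because the `!/^0/` pattern excludes it from the automerge rule.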

If you use a CODEOWNERS file to describe who is responsible for your code, you don’t need to specify reviewers directly in the configuration. Instead, use the reviewersFromCodeOwners setting to pull them from the file.

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "minimumReleaseAge": "3 days",
  "reviewersFromCodeOwners": true,
  ...
}

#Step #2: GitLab CI pipeline configuration

Add a stage to your pipeline that uses the Renovate Bot Docker image. Also, add environment settings so that Renovate Bot can use the API of your self-hosted GitLab:

Final pipeline:

stages:
  ...
  - update

...

update deps:
  stage: update
  image: docker.io/renovate/renovate:37-slim
  variables:
    RENOVATE_PLATFORM: 'gitlab'
    RENOVATE_ENDPOINT: $GL_API_URL
    RENOVATE_TOKEN: $GL_TOKEN
    RENOVATE_AUTODISCOVER: 'true'
  script:
    - renovate

#Step #3: Creating a schedule

Dependency updates are released continuously. To reduce noise, add a schedule for running Renovate Bot, for example, once a week before the start of the sprint. You will receive a list of updates and will be able to plan critical updates for the current sprint.

GitLab has scheduled pipelines where you can set up a schedule for checking updates. The schedule is set in crontab file format.

00 9 * * 1

With this schedule, updates run every Monday at 9 am.

Also, add a variable with the task type, for example, SCHEDULE_TYPE, so that it can be used to trigger updates on GitLab CI.

update deps:
  stage: update
  image: docker.io/renovate/renovate:37-slim
  variables:
    RENOVATE_PLATFORM: 'gitlab'
    RENOVATE_ENDPOINT: $GL_API_URL
    RENOVATE_TOKEN: $GL_TOKEN
    RENOVATE_AUTODISCOVER: 'true'
  rules:
    - if: '$SCHEDULE_TYPE == "weekly"'
  script:
    - renovate

#Bonus

This configuration does not depend on the language and can be used not only for frontend projects with npm but also for the other projects hosted on your GitLab.

For further reading, check the Renovate Bot documentation.