Motivation

Dependencies add reusable components

They increase productivity

Dependencies require updates

Focus on new code

Dependency updates prevent this

What now?


Dev dependencies

Ecosystem        Dependencies
NodeJS           package.json
Java (Maven)     pom.xml
Java (Gradle)    build.gradle
Go               go.mod
Python           setup.py
Python (poetry)  pyproject.toml
Ruby             Gemfile
Rust             Cargo.toml
Docker           Dockerfile, [docker-]compose.ya?ml

…and many more!


Ops dependencies

The good…

Ecosystem   Dependencies
Docker      Dockerfile, [docker-]compose.ya?ml
Kubernetes  *.yaml
Helm        Chart.yaml

…and many more!

The bad…

Required tools, e.g. downloaded from GitHub releases

And the ugly

Versions stored in variables in scripts


Enter Software Bill of Materials

Provides visibility

The world is on fire

Auditing is the last resort

Update dependencies quickly

(Be prepared to) ship fast

Drive adoption of new versions

Know about remaining vulnerabilities

Check options for mitigation


Outdated dependencies

All dependencies can and will introduce vulnerabilities

Newer versions receive security updates

Updates can introduce breaking changes

Regular small updates over seldom large updates

Manual updates…

…are too slow

…prevent other tasks

…are ignored until necessary


Demo

Check repository

Can you spot possible updates?


Solution

Outdated GitHub actions without pinning

Base image without digest pinning

Outdated version variable

Outdated go.mod for hello world

Outdated requirements.txt for Python tools


Automated dependency updates

Enter Renovate

Open Source implemented in TypeScript

Commercial offering by Mend

How it works

Clones repository and loads configuration

Searches in numerous places for well-known dependencies

Proposes update in pull/merge requests


Renovate Features

Platforms: Azure DevOps (Server), Bitbucket, AWS CodeCommit, Gitea/Forgejo, GitHub, GitLab

Datasources: crate, docker, git-tags, gitea-releases, github-releases, gitlab-releases, go, helm, maven, npm, nuget, pypi, rubygems (and dozens more)

Custom Managers for special use cases

Deployment options: GitHub App, Self-hosted

Powerful but complex

Initially many and/or breaking updates

Once settled in, smaller incremental updates

Merge Confidence supports merge decisions for many languages

Integration with GitHub and Dependabot to show updates addressing security alerts


Demo

Add renovate.json for onboarding

Check dashboard

Check pull requests

Check release notes

Check workflows


Automerge

Renovate can merge automatically

Requires opt-in through configuration

Requires successful automated tests

How to automerge

Identify updates with low impact, e.g. patches, well-tested packages

Create package rules for automerging

Demo

Add package rule for specific cases

Enable automerge for them


Custom Managers

Special use cases

Version must be injected into code, e.g.

FROM ubuntu:22.04

# renovate: datasource=github-releases depName=kubernetes/kubernetes extractVersion=^v(?<version>.+?)$
ARG KUBECTL_VERSION=1.28.2
RUN curl -sSfLO "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl"

Use predefined custom manager

Ships with regex to match comment above and configure Renovate

{
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "extends": [
      "customManagers:dockerfileVersions"
    ]
}
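To make the mechanism concrete, here is an added Python sketch (not Renovate's own code) of what the custom manager does with the annotated Dockerfile above: it reads datasource, depName and extractVersion from the comment, applies extractVersion to a constructed list of release tags, picks the newest version, and rewrites the ARG line. The marker regex and the filter that drops pre-release tags are simplifying assumptions, not the preset's actual implementation.

```python
import re

# Constructed input: the Dockerfile shown on the slide above.
DOCKERFILE = """\
FROM ubuntu:22.04

# renovate: datasource=github-releases depName=kubernetes/kubernetes extractVersion=^v(?<version>.+?)$
ARG KUBECTL_VERSION=1.28.2
RUN curl -sSfLO "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
"""
# Constructed stand-in for the tags the github-releases datasource would return.
RELEASE_TAGS = ["v1.27.9", "v1.28.2", "v1.28.3", "v1.29.0-rc.0", "v1.29.0"]

# Assumed approximation of the marker the dockerfileVersions preset matches (not the
# preset's own regex): a "# renovate:" comment with key=value pairs, then the ARG/ENV line.
MARKER = re.compile(
    r"^#\s*renovate:\s*(?P<kv>[^\n]+)\n"
    r'(?:ARG|ENV)\s+(?P<name>[A-Za-z0-9_]+)="?(?P<currentValue>[^"\s]+)"?',
    re.MULTILINE,
)

def parse_dependencies(text):
    """Return one dict per annotated version variable: datasource, depName,
    extractVersion (may be absent), plus varName and currentValue from the ARG/ENV."""
    deps = []
    for m in MARKER.finditer(text):
        dep = dict(pair.split("=", 1) for pair in m.group("kv").split())
        dep.update(varName=m.group("name"), currentValue=m.group("currentValue"))
        deps.append(dep)
    return deps

def extract_version(tag, pattern):
    """Apply a Renovate extractVersion regex (JS named-group syntax) to a release tag."""
    if not pattern:
        return tag
    m = re.match(pattern.replace("(?<version>", "(?P<version>"), tag)
    return m.group("version") if m else None

def newest_update(dep, tags):
    """Newest stable version among tags that is greater than the current value."""
    key = lambda v: tuple(int(p) for p in v.split("."))
    versions = [extract_version(t, dep.get("extractVersion")) for t in tags]
    stable = [v for v in versions if v and re.fullmatch(r"\d+(\.\d+)*", v)]  # skips rc tags
    newer = [v for v in stable if key(v) > key(dep["currentValue"])]
    return max(newer, key=key) if newer else None

def apply_update(text, dep, new_version):
    """Rewrite the ARG/ENV line the way Renovate's pull request would."""
    old = f"{dep['varName']}={dep['currentValue']}"
    return text.replace(old, f"{dep['varName']}={new_version}", 1)
```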

Alternatives

Dependabot

Now owned by GitHub

Tightly integrated but can run without GitHub

Detailed comparison

Other tools…

…focus on a single language

…lack broad support for languages

…are integrated in a specific platform


Case study: uniget

uni(versal)get installer and updater for (container) tools

Check out uniget.dev

Offers 591 packages

Uses Renovate at scale

Since 2022-06-13

over 5,700 merged PRs

~9 PRs per day

90% merged after ~1min

98% merged after ~6min


Lessons learned

GitHub Secondary API rate limits

Prevent excessive concurrency

Mitigation: Custom implementation of automerge

Custom managers will break

Name changes in GitHub release asset

Found 50 times in 10 months

Stability issues of GitHub

Detector for GitHub glitches / outages

Acts as a status page for GitHub