Motivation

Dependencies add reusable components

They increase productivity

Dependencies require updates

Teams want to focus on new code

Dependency updates get in the way of that

What now?


Dev dependencies

Ecosystem          Dependencies
NodeJS             package.json
Java (Maven)       pom.xml
Java (Gradle)      build.gradle
Go                 go.mod
Python             setup.py
Python (poetry)    pyproject.toml
Ruby               Gemfile
Rust               Cargo.toml
Docker             Dockerfile, [docker-]compose.ya?ml

…and many more!


Ops dependencies

The good…

Ecosystem          Dependencies
Docker             Dockerfile, [docker-]compose.ya?ml
Kubernetes         *.yaml
Helm               Chart.yaml

…and many more!

The bad…

Required tools, e.g. downloaded from GitHub releases

And the ugly

Versions stored in variables in scripts


Enter Software Bill of Materials

SBOM is an inventory of dependencies

Provides visibility

Can be matched against known vulnerabilities

Evaluating matched vulnerabilities one by one is the last resort

Choose dependencies wisely

Update dependencies quickly

(Be prepared to) ship fast

Drive adoption of new versions

Know about remaining vulnerabilities

Check options for mitigation


Outdated dependencies

All dependencies can and will introduce vulnerabilities

Only recent versions receive security updates

Updates can introduce breaking changes

Prefer regular small updates to rare large ones

Manual updates…

…are too slow

…prevent other tasks

…are ignored until necessary


Demo

Check repository

Can you spot possible updates?


Solution

Outdated GitHub actions without pinning

Base image without digest pinning

Outdated version variable

Outdated go.mod for hello world

Outdated requirements.txt for Python tools


Automated dependency updates

Enter Renovate

Open source, implemented in TypeScript

Commercial offering by Mend

How it works

Clones repository and loads configuration

Searches in numerous places for dependencies

Proposes update in pull/merge requests


Renovate Features

Platforms: Azure DevOps (Server), Bitbucket, AWS CodeCommit, Gitea/Forgejo, GitHub, GitLab

Datasources: crate, docker, git-tags, gitea-releases, github-releases, gitlab-releases, go, helm, maven, npm, nuget, pypi, rubygems (and dozens more)

Custom Managers for special use cases

Deployment options: GitHub App, Self-hosted

Implications

Powerful but complex

Initially many and/or breaking updates

Once settled in, smaller incremental updates


Demo

Add renovate.json for onboarding

Check dashboard

Check pull requests

Check release notes

Check workflows
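An onboarding configuration for the demo repository, written as an added example for this page rather than the file used in the talk. It turns the findings of the Solution slide into settings: digest pinning for GitHub Actions and base images, the Dockerfile version-variable manager, a release age gate, and go mod tidy after go.mod updates. It is shown as renovate.json5 so it can carry comments; stored as renovate.json, the comments and trailing commas have to go. The preset names and options are Renovate's own; the file location and the limit values are assumptions (the limits are Renovate's defaults made explicit).

```json5
// renovate.json5 at the repository root (assumed location; Renovate also reads
// renovate.json, .github/renovate.json5 and a few other paths). JSON5 allows comments.
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  extends: [
    // Renovate's recommended defaults: dependency dashboard, monorepo grouping, sane limits
    "config:recommended",
    // uses: actions/checkout@v4  ->  uses: actions/checkout@<commit sha> # v4
    // A tag can be moved by whoever controls the action repo; a commit sha cannot.
    "helpers:pinGitHubActionDigests",
    // FROM ubuntu:22.04  ->  FROM ubuntu:22.04@sha256:<digest>
    // The tag stays readable, the digest makes the pull reproducible.
    "docker:pinDigests",
    // Picks up "# renovate: datasource=... depName=..." comments above ARG/ENV *_VERSION lines
    "customManagers:dockerfileVersions",
    ":semanticCommits",
  ],
  dependencyDashboard: true,
  // Do not propose a release in its first days: a compromised or yanked release is
  // usually pulled within that window, before Renovate would bring it into this repo.
  minimumReleaseAge: "3 days",
  // Renovate's default limits, made explicit; raise them once the initial backlog is merged.
  prHourlyLimit: 2,
  prConcurrentLimit: 10,
  // Keep go.sum consistent after go.mod updates instead of leaving that to the next developer.
  postUpdateOptions: ["gomodTidy"],
}
```

Committing this file before Renovate first sees the repository replaces the generic onboarding PR with one that already applies these rules, so the initial flood of PRs is pinned and rate-limited from the start.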


Automerge

Renovate can merge automatically

Requires opt-in through configuration

Requires successful automated tests

How to automerge

Identify updates with low impact, e.g. patches, well-tested packages

Create package rules for automerging

Demo

Add package rule for specific cases

Enable automerge for them
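The two demo steps in one configuration: identify the low-impact cases, write a package rule for each, and switch automerge on only there. This is an added example for this page, not the demo file from the talk; the package names, the dev-dependency scoping and the release age are assumptions. The commented-out lines at the top show the blanket setting to avoid.

```json5
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended"],

  // What NOT to do: automerge every update and skip the checks. Whatever a
  // maintainer (or whoever holds their publishing token) ships lands on main.
  // automerge: true,
  // ignoreTests: true,

  // Instead: opt in per case. Every rule below still needs green status checks to merge.
  packageRules: [
    {
      description: "Patch releases of anything: low impact, but give the ecosystem a few days to catch a bad release",
      matchUpdateTypes: ["patch"],
      minimumReleaseAge: "3 days",
      automerge: true,
      // Merge the branch once checks pass instead of opening a PR first; less noise for reviewers
      automergeType: "branch",
    },
    {
      description: "Minor releases of well-tested dev tooling that never ships to production (assumed package set)",
      matchDepTypes: ["devDependencies"],
      matchPackageNames: ["eslint", "prettier", "typescript"],
      matchUpdateTypes: ["minor"],
      automerge: true,
    },
    {
      description: "Pinning only records the digest of the tag already in use; no content changes",
      matchUpdateTypes: ["pinDigest"],
      automerge: true,
    },
    {
      description: "Major releases always get a human and wait for approval on the dashboard",
      matchUpdateTypes: ["major"],
      automerge: false,
      dependencyDashboardApproval: true,
    },
  ],
}
```

Later rules win over earlier ones for the same dependency, so the major rule at the end takes precedence even for packages named in the dev-tooling rule.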


Monitoring

Nothing out-of-the-box

Operations

Filter the log for errors and failures, then…

Check for failed pipelines

Check for failed automerges

Up-to-dateness / security

Lookup and update failures show up in the log

Create and analyze an SBOM


Custom Managers

Special use cases

Version must be injected into code, e.g.

FROM ubuntu:22.04

# renovate: datasource=github-releases depName=kubernetes/kubernetes extractVersion=^v(?<version>.+?)$
ARG KUBECTL_VERSION=1.28.2
RUN curl -sSfLO "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl"

Use the predefined custom manager preset

It ships the regex that matches the comment above, so enabling the preset is all the configuration needed (before Renovate 37 it was named regexManagers:dockerfileVersions; renovate.json is parsed as strict JSON, so no trailing comma after the array)

{
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "extends": [
      "customManagers:dockerfileVersions"
    ]
}
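The preset only covers Dockerfiles. The "ugly" case from the Ops dependencies slide, a version kept in a shell variable, needs a custom manager of your own. The following renovate.json5 is an added example, not configuration from the talk or from uniget; the file pattern and the sample script lines in the comment are assumptions. The match string reuses the comment convention of the Dockerfile example so the same annotation works in both places. fileMatch is the option name of the Renovate versions current at the time of the talk (it was later renamed to managerFilePatterns).

```json5
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended"],
  customManagers: [
    {
      customType: "regex",
      description: "*_VERSION variables in shell scripts, annotated with a renovate comment",
      // Assumed layout: helper scripts live under scripts/ (this is a regex, not a glob)
      fileMatch: ["^scripts/.+\\.sh$"],
      // Matches a pair of lines such as (constructed sample, mirrors the Dockerfile above):
      //   # renovate: datasource=github-releases depName=kubernetes/kubernetes extractVersion=^v(?<version>.+?)$
      //   KUBECTL_VERSION=1.28.2
      // The named groups datasource, depName, versioning, extractVersion and currentValue
      // are consumed by Renovate directly. Renovate uses the RE2 engine: no lookaheads.
      matchStrings: [
        "# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: versioning=(?<versioning>[^\\s]+?))?(?: extractVersion=(?<extractVersion>[^\\s]+?))?\\s+(?:export\\s+)?[A-Za-z0-9_]+?_VERSION=[\"']?(?<currentValue>.+?)[\"']?\\s",
      ],
      // Without a versioning hint treat the value as semver, so 1.28.2 -> 1.29.0 counts as minor
      versioningTemplate: "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}",
    },
  ],
  // The download URL built from the variable is not validated by the manager. A bump
  // whose upstream renamed its release asset breaks only at runtime, so keep these
  // updates as reviewed PRs rather than automerging them.
  packageRules: [
    { matchManagers: ["custom.regex"], automerge: false },
  ],
}
```

The extractVersion group matters for the comparison: the script stores 1.28.2 while the GitHub release is tagged v1.28.2, and the regex in the annotation strips the prefix before Renovate compares versions.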

Merge Confidence

Merge Confidence supports merge decisions

Based on data collected from countless PRs on GitHub

Supported ecosystems: Go, JavaScript, Java, Python, .NET, PHP, Ruby

Information provided

Age of the release

Adoption: share of other Renovate users already on this release

Passing: share of update PRs to this release whose checks passed

Confidence calculated by proprietary algorithm


Vulnerability Alerts

Show updates addressing security alerts

Requires GitHub with Dependabot alerts enabled

Requirements

Enable GitHub Dependency Graph

Enable Dependabot alerts
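Merge Confidence and vulnerability alerts both feed merge decisions, so one added configuration serves both slides. It is an example written for this page, not the talk's configuration; the manager list, labels and priority value are assumptions. The confidence matcher only works where Renovate can reach the Merge Confidence service: the hosted Mend app has it built in, a self-hosted instance needs the API token described in the Renovate docs. The vulnerabilityAlerts block only takes effect on GitHub with Dependabot alerts enabled, as the slide states.

```json5
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended"],
  packageRules: [
    {
      description: "Non-major updates that many other repos already run with green checks may automerge",
      // Managers for the ecosystems Merge Confidence covers (Go, JS, Java, Python, .NET, PHP, Ruby)
      matchManagers: ["gomod", "npm", "maven", "pip_requirements", "poetry", "nuget", "composer", "bundler"],
      matchUpdateTypes: ["minor", "patch"],
      matchConfidence: ["high", "very high"],
      automerge: true,
    },
    {
      description: "Fresh or rarely adopted releases wait for a human",
      matchConfidence: ["low", "neutral"],
      automerge: false,
      dependencyDashboardApproval: true,
    },
  ],
  // Applied on top of everything else when Renovate sees a Dependabot alert for the
  // version currently in use. Renovate's own defaults for these PRs already lift the
  // schedule and the minimumReleaseAge gate so the fix is proposed immediately.
  vulnerabilityAlerts: {
    labels: ["security"],
    // A fix PR is useless if it waits in the queue behind twenty routine bumps
    prPriority: 10,
    // Merge on green checks; the opt-in automerge rules (tests required) still apply
    automerge: true,
  },
}
```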


Testing the Renovate configuration

Configuration changes can break Renovate

Isolate the change

Factor out the change

Test in a separate repository

(Optionally) run Renovate manually for speed

Test locally

Do not commit changes

Run Renovate locally with --platform=local (a read-only dry run against the checked-out working tree)


Alternatives

Dependabot

Now owned by GitHub

Tightly integrated but can run without GitHub

Detailed comparison

Other tools…

…lack broad language support

…are tied to one specific platform


Case study: uniget

Installer and updater for (container) tools

Check out uniget.dev

Offers 632 packages

Uses Renovate at scale

2022-06-13 – 2024-01-22

over 6,725 merged PRs

~9 PRs per day

90% merged after ~1min (6,050 PRs)

95% merged after ~3min (6,390 PRs)

98% merged after ~10min (6,590 PRs)


Lessons learned

GitHub secondary API rate limits

Caused by excessive concurrency; throttle it

Mitigation: custom automerge implementation

Custom managers will break

Cause: renamed assets in GitHub releases

Seen 70 times in 12 months

Stability issues of GitHub

Built a detector for GitHub glitches and outages

It doubles as a status page for GitHub