Renovate is an open-source tool that helps you automate dependency upgrades, vulnerability patching, and security compliance in your software projects. Dependencies can be software libraries such as npm packages for JavaScript or PyPI packages for Python, modules for Terraform, or container images from container registries. If you store your code and Infrastructure as Code in Git repositories, Renovate can help you keep all of your software up to date and open pull requests automatically.
Self Host
When you self-host Renovate bot, you run the code with Node.js or as a container. Code is checked out to the filesystem where the container is.
Running Renovate as a container
Renovate is able to parse a Dockerfile to look for newer container images. This only works with either a sha256 digest or a version tag. Tags such as latest or some other arbitrary string will not work.
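To see ahead of time which base images fall under that rule, the following added example (not from the original post or the Renovate project) classifies every FROM reference in a Dockerfile. The function names are hypothetical, and the "version tag" test is an approximation of Renovate's own versioning rules.

```shell
#!/bin/sh
# Added example: report how each FROM image in a Dockerfile is pinned.
# Assumption: a "version tag" is approximated as a tag starting with an optional
# "v" and a digit; Renovate's own versioning rules are richer than this.

classify_image() {
    ref=$1
    case $ref in
        scratch)    echo "skip";     return ;;  # not a registry image
        *\$*)       echo "variable"; return ;;  # set through ARG, resolve by hand
        *@sha256:*) echo "digest";   return ;;  # immutable reference
    esac
    last=${ref##*/}     # drop registry/path so host:port is not read as a tag
    case $last in
        *:*) tag=${last##*:} ;;
        *)   echo "untagged"; return ;;         # Docker resolves this as :latest
    esac
    case $tag in
        latest)         echo "latest" ;;
        v[0-9]*|[0-9]*) echo "version" ;;
        *)              echo "arbitrary" ;;
    esac
}

# Print "<class> <image>" for every FROM line, skipping references to earlier stages.
audit_dockerfile() {
    stages=" "
    while read -r kw a b c d _ || [ -n "$kw" ]; do
        case $kw in [Ff][Rr][Oo][Mm]) ;; *) continue ;; esac
        case $a in --platform=*) a=$b; b=$c; c=$d ;; esac   # FROM --platform=... image
        case $stages in *" $a "*) continue ;; esac          # FROM <stage name>
        case $b in [Aa][Ss]) stages="$stages$c " ;; esac    # remember "AS <name>"
        echo "$(classify_image "$a") $a"
    done < "$1"
}

if [ -n "${1:-}" ]; then audit_dockerfile "$1"; fi
```

Images reported as latest, untagged or arbitrary are the ones to re-pin to a version tag or digest before relying on Renovate for updates.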
I tested running Renovate as a Docker container. Credentials can be passed to the container as environment variables. If your code is in GitHub, you will need a valid API token, and you need to add it to the current shell environment:
export GITHUB_TOKEN=YOUR_TOKEN_HERE
docker run --rm -e RENOVATE_TOKEN="$GITHUB_TOKEN" \
  -e RENOVATE_PLATFORM=github \
  -e RENOVATE_AUTODISCOVER=true \
  docker.io/renovate/renovate
With autodiscover enabled, Renovate checked out all of the repos that the token had access to. Pull requests were opened in the repositories where Renovate detected dependencies.
Here is an example of log output for a repo with only docker detected:
INFO: Repository started (repository=acaylor/dockertest)
"renovateVersion": "37.108.1"
INFO: Branch created (repository=acaylor/dockertest, branch=renovate/configure)
"commit": "8a094b8c7e9ece2ad27091f5cce6c3dd66b81672",
"onboarding": true
INFO: Dependency extraction complete (repository=acaylor/dockertest, baseBranch=master)
"stats": {
"managers": {"dockerfile": {"fileCount": 1, "depCount": 1}},
"total": {"fileCount": 1, "depCount": 1}
}
INFO: Onboarding PR created (repository=acaylor/dockertest)
"pr": "Pull Request #1"
INFO: Repository finished (repository=acaylor/dockertest)
"cloned": true,
"durationMs": 5883
Here is an example of a PR that Renovate will open to update a container image:
Welcome to [Renovate](https://github.com/renovatebot/renovate)! This is an onboarding MR to help you understand and configure settings before regular Merge Requests begin.
🚦 To activate Renovate, merge this Merge Request. To disable Renovate, simply close this Merge Request unmerged.
---
### Detected Package Files
* `docker-compose.yml` (docker-compose)
* `Dockerfile` (dockerfile)
### What to Expect
With your current configuration, Renovate will create 1 Merge Request:
<details>
<summary>Update k8s.gcr.io/echoserver Docker tag to v1.10</summary>
- Schedule: ["at any time"]
- Branch name: `renovate/k8s.gcr.io-echoserver-1.x`
- Merge into: `main`
- Upgrade k8s.gcr.io/echoserver to `1.10`
</details>
---
❓ Got questions? Check out Renovate's [Docs](https://docs.renovatebot.com/), particularly the Getting Started section.
If you need any further assistance then you can also [request help here](https://github.com/renovatebot/renovate/discussions).
---
This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
Check out that repo on my GitHub: https://github.com/acaylor/dockertest
Testing with Python
Example log
Here is a log message for a Python dependency:
INFO: Repository started (repository=acaylor/to_do_list_py)
"renovateVersion": "37.108.1"
INFO: Dependency extraction complete (repository=acaylor/to_do_list_py, baseBranch=main)
"stats": {
"managers": {"pip_requirements": {"fileCount": 1, "depCount": 1}},
"total": {"fileCount": 1, "depCount": 1}
}
INFO: Repository finished (repository=acaylor/to_do_list_py)
"cloned": true,
"durationMs": 4620
Check out that Python app on my GitHub repo: https://github.com/acaylor/to_do_list_py
Renovate with Gitea
In a previous post I set up a Gitea server in my home network. This is a private Git server that you can self-host. Renovate supports Gitea, so to use Renovate with a Gitea server you need an API token, which you then supply as an environment variable.
export GITEA_TOKEN=YOUR_TOKEN_HERE
docker run --rm -e RENOVATE_TOKEN="$GITEA_TOKEN" \
  -e RENOVATE_PLATFORM=gitea \
  -e RENOVATE_AUTODISCOVER=true \
  -e RENOVATE_ENDPOINT=https://gitea.example.com/api/v1/ \
  docker.io/renovate/renovate
Example log
Here is the log from running on a self-hosted Gitea instance:
INFO: Autodiscovered repositories
"length": 3,
"repositories": ["aj/containers_alpha", "aj/containers_blackhole", "aj/containers_rigel"]
INFO: Repository started (repository=aj/containers_alpha)
"renovateVersion": "37.368.3"
INFO: Dependency extraction complete (repository=aj/containers_alpha, baseBranch=main)
"stats": {
"managers": {"docker-compose": {"fileCount": 18, "depCount": 24}},
"total": {"fileCount": 18, "depCount": 24}
}
INFO: Repository finished (repository=aj/containers_alpha)
"cloned": true,
"durationMs": 8922
INFO: Repository started (repository=aj/containers_blackhole)
"renovateVersion": "37.368.3"
INFO: Repository is empty - skipping (repository=aj/containers_blackhole)
INFO: Repository finished (repository=aj/containers_blackhole)
"cloned": true,
"durationMs": 106
INFO: Repository started (repository=aj/containers_rigel)
"renovateVersion": "37.368.3"
INFO: Dependency extraction complete (repository=aj/containers_rigel, baseBranch=main)
"stats": {
"managers": {"docker-compose": {"fileCount": 9, "depCount": 13}},
"total": {"fileCount": 9, "depCount": 13}
}
INFO: Repository finished (repository=aj/containers_rigel)
"cloned": true,
"durationMs": 4335
INFO: Renovate was run at log level "info". Set LOG_LEVEL=debug in environment variables to see extended debug logs.
Next steps
You can create a cron job to run this container every night. I will mostly be using Renovate to keep my containers up to date.
Here is an example cron job:
0 0 * * * docker run $command_here
This will run at midnight every day. You can edit your crontab with the command crontab -e. Editing the crontab is available on Linux and macOS.
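For an unattended nightly run, the token should not sit on the docker command line, and autodiscovery should be limited to the repositories you intend Renovate to manage. The wrapper below is an added example, not part of the original post: the token file path, the filter glob, the DOCKER dry-run override and the --run switch are assumptions, while the endpoint and repository names are the ones shown earlier on this page.

```shell
#!/bin/sh
# Added example: wrapper for the Gitea docker run command, meant to be called from cron.
# Hypothetical values: the TOKEN_FILE path and the FILTER glob (built from the
# repository names in the log above). DOCKER can be set to "echo" for a dry run.
TOKEN_FILE=${TOKEN_FILE:-/etc/renovate/token}
DOCKER=${DOCKER:-docker}
ENDPOINT=${ENDPOINT:-https://gitea.example.com/api/v1/}
FILTER=${FILTER:-aj/containers_*}
IMAGE=${IMAGE:-docker.io/renovate/renovate}

# Succeeds only for a non-empty regular file with no group/other permission bits.
token_file_ok() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

run_renovate() {
    if ! token_file_ok "$TOKEN_FILE"; then
        echo "refusing to read $TOKEN_FILE: missing, empty, or group/world accessible" >&2
        return 1
    fi
    RENOVATE_TOKEN=$(cat "$TOKEN_FILE")
    export RENOVATE_TOKEN
    # "-e NAME" without a value copies NAME from this process's environment, so the
    # token is not part of the docker command line that ps and shell history record.
    # RENOVATE_AUTODISCOVER_FILTER limits autodiscovery to repositories matching the glob.
    "$DOCKER" run --rm \
        -e RENOVATE_TOKEN \
        -e RENOVATE_PLATFORM=gitea \
        -e RENOVATE_ENDPOINT="$ENDPOINT" \
        -e RENOVATE_AUTODISCOVER=true \
        -e RENOVATE_AUTODISCOVER_FILTER="$FILTER" \
        "$IMAGE"
}

if [ "${1:-}" = "--run" ]; then run_renovate; fi
```

Save the token with mode 600, and have the crontab entry call this script with --run instead of embedding the token in the crontab line.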