Renovate - Plan A

Plan

Continuing from the previous post - try Renovate on a few repos:

nfield-odinparser-interfaces

Follow the installation instructions. Start with nfield-odinparser-interfaces. It created a PR and gave me a Renovate dashboard. There are no private dependencies here, so there’s no need to auth to private packages.

The description of the PR says that it will create 2 PRs to update SonarAnalyzer.CSharp and Microsoft.CodeAnalysis.NetAnalyzers. My first thought was “how is this different to dependabot”? A bit of googling suggests that they’re kinda similar, but Renovate wins on many fronts. Of course, Renovate has their own impartial comparison.

I wonder why it wants to create 2 PRs rather than grouping them into one PR :thinking:. The comparison says

Renovate comes with community-provided groupings of dependencies. So Renovate groups common dependencies into a single PR, out-of-the-box.

So maybe it’s just because these are in different groups?

I want the PRs to have a dependencies label, the same as dependabot PRs. There seem to be two ways of doing this:

  1. Add "labels": ["dependencies"] to the renovate.json config file
  2. Use a built-in preset

I chose the second option, updating it by creating a PR on the branch renovate/reconfigure to get it to validate the config.

That didn’t quite work, so I created this PR which fixes it, and also configures grouping with group:all.

Now it’s all good, and it seems to run pretty much immediately. So maybe it can work with our propagation train if it can quickly figure out what needs propagating. It’s also possible to trigger a scan for a repo from the dashboard.

nfield-odinparser

Now do the same for nfield-odinparser.

The app is already installed, so I need to go to the configuration page to add another repo. Doing so created the setup PR.

Putting all updates in one PR is a bad idea. I couldn’t find a nice grouping, so I just removed grouping, which falls back to the grouping defined in config:recommended.

Interesting note in the PR:

Branch creation will be limited to maximum 2 per hour, so it doesn’t swamp any CI resources or overwhelm the project. See docs for prhourlylimit for details.

Next I need to authenticate to the private packages. Create a PAT for the feed and add it as a secret in the organization settings. Then add the host rule.
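A check for the step above, as an added example (not from the original post or from Renovate): it flags a hostRules entry whose password or token is a literal value committed to the repo rather than a {{ secrets.NAME }} reference to the stored secret. The feed URL, the username and the secret name NUGET_FEED_PAT are assumptions, and both configs are constructed samples.

```python
import json
import re

# Renovate hostRules fields that carry credentials.
SECRET_FIELDS = ("token", "password")
# Hosted-app syntax for referencing a secret stored in the app settings.
SECRET_REF = re.compile(r"^\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")

# Constructed sample: PAT pasted directly into the committed config (weak).
WEAK = """
{
  "extends": ["config:recommended"],
  "enabledManagers": ["nuget"],
  "hostRules": [
    {
      "hostType": "nuget",
      "matchHost": "https://nuget.example.invalid/feed/index.json",
      "username": "renovate",
      "password": "PLACEHOLDER-PAT-VALUE"
    }
  ]
}
"""

# Constructed sample: same rule, PAT referenced by secret name (corrected).
FIXED = WEAK.replace("PLACEHOLDER-PAT-VALUE", "{{ secrets.NUGET_FEED_PAT }}")


def plaintext_credentials(config_text):
    """Return (rule_index, field) for every literal credential in hostRules."""
    config = json.loads(config_text)  # plain JSON only, no comments
    findings = []
    for index, rule in enumerate(config.get("hostRules", [])):
        for field in SECRET_FIELDS:
            value = rule.get(field)
            # Anything that is not a secrets reference is treated as a literal.
            if isinstance(value, str) and not SECRET_REF.match(value):
                findings.append((index, field))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("fixed", FIXED)):
        print(name, plaintext_credentials(text))
```

Run as a pre-merge check on the Renovate config PR, it fails the weak form and passes the corrected one.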

nfield-interviewengine, nfield-interviewengine-interfaces and nfield-interviewing

Same again.

Engine PR
Interfaces PR
Interviewing PR

Interviewing wants to create 51 PRs, so I’ll ignore some dependencies along the lines of dependabot.yml.

Interviewing also wants to update a lot of Biceps. Maybe that’s good? :thinking:
I disabled it with

  "enabledManagers": ["nuget"]

i.e., Infrastructure as Code is not in the list.
Now it’s “just” 32 PRs.

I excluded a load more, just to reduce the noise for now. Now it’s “just” 18 PRs!

Limit

It was busy doing its thing when I noticed this message in the log:

Duration: 1m 55s (of 30m limit)

So I’m going to hit that 30m limit soon.
nvm - there’s a limit of 30 minutes per job.

So it seems like the free version is fine.

Also, that page suggests that anyone can access the portal if they have access to the organization. I’ll need to ask someone else to check that. Yes :thumbsup:

Location

The default location of the config file is renovate.json in the root of the repo. Maybe I should move it to .github/renovate.json5 - json5 is an extension to json that allows comments, and it’s good to get it out of the way. That seemed like a good idea, but VS Code complained about comments in json5 files, and also json files. They say they support jsonc in json, and prefer that over json5 extension. I also prefer that, but VS Code complains, which is not nice. I did it anyway in the interviewing PR.

I moved it to .github/renovate.json in all repos.

Dashboard

If issues are enabled on the repo then you get a dashboard there, for example. So I enabled issues on all repos.

Also nice, on the dashboard it says which updates are pending due to rate-limiting (2 PRs per hour) :smiley:
And it tells you where all the dependencies are - Directory.Build.targets, project files, etc.

The same info is in the dashboard and the issue.
There’s also a checkbox on the issue to run now.

Conclusion

I like it :smile:

I’m going to do package updates on these repos now, in the usual way, i.e. merging those branches into a ci- branch and doing it that way.

This post is licensed under CC BY 4.0 by the author.