Max Lerebourg News
If you want to have a single configuration for all your applications / microservices / projects, you've come to the right place. Let me show you how to do it with GitLab and Renovate.
Renovate is a tool that automatically upgrade the dependencies of any project, by creating Merge Request (MR) on GitLab (Pull Request on GitHub). It works with several languages (NodeJs, Go, Rust, Python) and on all major Git platforms (GitLab, GitHub, Bitbucket, Gitea). It has a lot of configuration options where you can get totally lost, such as creating MRs according to a schedule, automatic merging, discovering projects from a GitLab account, choosing which dependencies to update, etc...
Renovate works with two main components:
renovate.json at the root of each Git repository.We, at MONI, have a lot of microservice, something like 50+, with some private dependencies to share configurations and enums.
For instance, when you switch to another project and do npm install, each time you get this line 2 moderate severity vulnerabilities, and sometimes 16 vulnerabilities (12 moderate, 1 high, 3 critical). It is scary.
Now, my manager said to me "we need to find a tool to keep up to date all our dependencies to avoid security vulnerabilities". We also wanted to avoid having a configuration for each microservices because all our microservice are similar (NodeJs and pretty much the same dependencies). Having a Renovate config every where is too much maintenance.
Create a new project Renovate to use as a worker for all your Git repositories.
Renovate can be used on GitLab by using their template CI.
Our .gitlab-ci.yml from Renovate looks like this at this stage.
include:
- project: 'renovate-bot/renovate-runner'
file: '/templates/renovate.gitlab-ci.yml'
Another thing to do is set up CI variables RENOVATE_TOKEN with a Personal token or Group token with scopes read_user, api and write_repository.
We need to override renovate job to help the worker to find our projects hosted on GitLab and disable onboarding because we don't want to have a renovate.json in each of our services. Another thing to note is the need to manually trigger the renovate job or start it via a cron.
include:
- project: 'renovate-bot/renovate-runner'
file: '/templates/renovate.gitlab-ci.yml'
renovate:
variables:
RENOVATE_ONBOARDING: "false"
RENOVATE_AUTODISCOVER: "true"
RENOVATE_AUTODISCOVER_FILTER: microservices/svc-test
rules:
- if: '$CI_PIPELINE_SOURCE == "schedule"'
- when: manual
It's working but it opens a lot of MR, one for each outdated dependency. That's not exactly what we want. Let's go deeper.
default.json in any public Git repository like here.
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"],
"prConcurrentLimit": 4,
"branchPrefix": "fix/TE-000-",
"commitMessagePrefix": "fix: ⬆️ TE-000 ",
"groupName": "all",
"packageRules": [
{
"packagePatterns": ["*"],
"enabled": false
}
],
"osvVulnerabilityAlerts": true,
"vulnerabilityAlerts": {
"enabled": true
}
}
This config:
The first thing I discovered was the possibility of using Global Extends to use a default configuration for all my projects BUT it has to be hosted on a public Git repository.
The second thing is Require Config, it is an option to disable the check of local renovate.json of each project scanned by Renovate.
Let's try it.
include:
- project: 'renovate-bot/renovate-runner'
file: '/templates/renovate.gitlab-ci.yml'
renovate:
variables:
RENOVATE_ONBOARDING: "false"
RENOVATE_AUTODISCOVER: "true"
RENOVATE_AUTODISCOVER_FILTER: microservices/svc-test
RENOVATE_REQUIRE_CONFIG: ignored
RENOVATE_GLOBAL_EXTENDS: gitlab>renovate-bot/renovate-runner
rules:
- if: '$CI_PIPELINE_SOURCE == "schedule"'
- when: manual
Wow, it's working but unfortunately, it does not solve all npm audit security issues.
This configuration will not solve all the problems of the npm audit output, as Renovate's database security is limited to OSV database.
It's a real nightmare to detect why your Global Extend Config changes don't affect Renovate worker's run. You have to disable the cache to apply the new Global Extend Config... Nightmare.
I've added the LOG_LEVEL variable to help you debug your configuration.
include:
- project: 'renovate-bot/renovate-runner'
file: '/templates/renovate.gitlab-ci.yml'
renovate:
variables:
RENOVATE_ONBOARDING: "false"
RENOVATE_AUTODISCOVER: "true"
RENOVATE_AUTODISCOVER_FILTER: microservices/svc-test
RENOVATE_REQUIRE_CONFIG: ignored
RENOVATE_GLOBAL_EXTENDS: gitlab>renovate-bot/renovate-runner
RENOVATE_REPOSITORY_CACHE: disabled
LOG_LEVEL: debug
rules:
- if: '$CI_PIPELINE_SOURCE == "schedule"'
- when: manual