Get Renovate bot running on this repository with a basic config #321

Closed
1 task done
HonkingGoose opened this issue Jan 9, 2023 · 11 comments · Fixed by #469
Labels
enhancement New feature or request

Comments

@HonkingGoose
Contributor

Have you checked for existing feature requests?

  • Completed

Summary

You have a Renovate bot configuration file, which is probably a left-over from the old Atom repository:

{
  "schedule": ["every weekend"],
  "labels": ["dependencies"],
  "separateMajorMinor": "false",
  "packageRules": [
    {
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["major", "minor", "patch", "pin", "digest", "lockFileMaintenance", "rollback", "bump"],
      "groupName": "devDependencies",
      "semanticCommitType": "chore",
      "automerge": true
    },
    {
      "matchDepTypes": ["dependencies"],
      "matchUpdateTypes": ["major", "minor", "patch", "pin", "digest", "lockFileMaintenance", "rollback", "bump"],
      "groupName": "dependencies",
      "semanticCommitType": "fix"
    }
  ]
}

I recommend you use Renovate bot to get updates for your dependencies. I help maintain the documentation for Renovate, so obviously I like it best.

I can help you get Renovate bot running on this repository. 😉

What benefits does this feature provide?

Quote from the Renovate docs homepage: 1

Why use Renovate?

  • Get pull requests to update your dependencies and lock files
  • Reduce noise by scheduling when Renovate creates PRs
  • Renovate finds relevant package files automatically, including in monorepos
  • You can customize the bot's behavior with configuration files
  • Share your configuration with ESLint-like config presets
  • Get replacement PRs to migrate from a deprecated dependency to the community suggested replacement (npm packages only)
  • Open source

One big feature is you can use Renovate's Dependency Dashboard issue 2 to get an overview of all your dependencies and their pending/open updates.

Any alternatives?

If you don't want to use Renovate, you can check out Dependabot 3 or Depfu 4.

Other examples:

Here's the Renovate bot in action on the official Renovate repository:

Footnotes

  1. https://docs.renovatebot.com/

  2. https://docs.renovatebot.com/key-concepts/dashboard/

  3. https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates

  4. https://depfu.com/

@HonkingGoose HonkingGoose added the enhancement New feature or request label Jan 9, 2023
@confused-Techie
Member

I personally am a huge fan of using this (sorry to say, but currently using Dependabot on the package-backend).

The one concern I can really see here, and might end up being the case, is currently we have a lot of outdated dependencies, but even worse we have a lot of failing tests, and it can make it extremely difficult to trust tests when performing an upgrade to a dependency.

So I know personally when I see a bot updating one of the deps, I read through the changelog, sometimes even the commit diff of the version, to see if there are any APIs I'm using or notes that look relevant, and the tests.

But for us right now, some of the tests can be flaky (but we are working on that), and I don't think any one person would be able to look at a dep version bump and know if it affects any of the APIs we use.

That isn't to say we shouldn't use it, just that either it might be some time before we do, or we would have to do the research first and configure it in such a way as to avoid any of our major dependencies at first.

@HonkingGoose
Contributor Author

Dependabot is good as well. The biggest win is using a dependency management bot.

The one concern I can really see here, and might end up being the case, is currently we have a lot of outdated dependencies, but even worse we have a lot of failing tests, and it can make it extremely difficult to trust tests when performing an upgrade to a dependency.

Updating old dependencies with flaky or broken tests is tricky. How about this then:

  • Enable Renovate's Dependency Dashboard (it's on by default)
  • Require dashboard approval for all updates

You then have a special issue which lists all your dependencies and their updates. You can select a checkbox in the special issue to get an update PR from Renovate for that dependency. Renovate calls this "the Dependency Dashboard Approval workflow". 1

Once you've fixed your flaky/broken tests you can start automating dependency updates more:

  • Let Renovate create patch/minor update pull requests automatically
  • Keep requiring Dependency Dashboard approval for major updates
  • Optional: Allow Renovate to automerge dev dependencies like Prettier or ESLint if all tests pass

Dependabot must run at least once a month (interval=monthly) 2, and you don't get a dependency dashboard. So that's where Renovate is really different.

I'm happy to create a basic Renovate configuration with the Dependency Dashboard enabled, and the "Dependency Dashboard Approval Workflow".

Footnotes

  1. https://docs.renovatebot.com/key-concepts/dashboard/#dependency-dashboard-approval-workflow

  2. https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleinterval
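The staged plan above (dashboard approval for major updates, automatic PRs for patch/minor updates, optional automerge of dev dependencies such as Prettier or ESLint), written out as one renovate.json. This is an added example, not a file from this thread or from Renovate's own docs; it keeps the config:base preset the thread uses, and the package names prettier and eslint are taken from the comment above as illustrative picks:

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base"],
  "dependencyDashboard": true,
  "packageRules": [
    {
      "description": "Major updates stay behind a Dependency Dashboard checkbox",
      "matchUpdateTypes": ["major"],
      "dependencyDashboardApproval": true
    },
    {
      "description": "Patch and minor updates get a PR automatically, but a human still merges them",
      "matchUpdateTypes": ["minor", "patch"],
      "dependencyDashboardApproval": false
    },
    {
      "description": "Optional: automerge minor/patch bumps of formatting and linting dev dependencies once required checks pass",
      "matchDepTypes": ["devDependencies"],
      "matchPackageNames": ["prettier", "eslint"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    }
  ]
}
```

Each packageRules entry applies only to updates that match all of its match* fields, and later rules override earlier ones, so the automerge rule narrows the minor/patch rule rather than replacing it. The description field is a real Renovate option and is the place for comments in a plain .json file, which does not allow // comments. Automerge only happens when the repository's required status checks pass, so it is only as safe as the test suite gating it; with flaky tests, leaving the third rule out until they are fixed is the safer starting point, as the thread suggests.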

@confused-Techie
Member

This sounds really cool, and appreciate you being open to assist in creating a configuration for it.

How about this, since this change will likely affect many of our core contributors and would change the workflow I'll make a poll on our Discord to see what everyone thinks, and if approved, then we can move forward with your plan.

And thanks for laying it out like you have and helping find ways to work around our limitations; your contributions are appreciated!

@HonkingGoose
Contributor Author

Did you manage to run the poll already? I'm curious what you guys voted. 😄

@confused-Techie
Member

Did you manage to run the poll already? I'm curious what you guys voted. 😄

Sorry for not returning back to this one.

So the poll has been closed I believe with a vote of:

  • Yes: 7
  • No: 3

There are some very good points against it. Essentially, wanting it to not result in too much noise, and concerns about missing important changes as they happen in dependencies.

It is something I've meant to take a look at. But I do appreciate you getting the ball rolling here, since I've done this once or twice, manually bumping several dependencies and testing, and it isn't a whole lot of fun.

@HonkingGoose
Contributor Author

I'm testing Renovate on my fork. You can see the Dependency Dashboard in action here:

This is the renovate.json file I'm using now:

{
  "extends": ["config:base", ":dependencyDashboardApproval"], // Default configuration + only get updates when requested via Dependency Dashboard
  "includeForks": true // You do not need this option, but I do, because I'm running Renovate on a fork :)
}

As you can see on my fork, Renovate has not created any PRs. That's because I need to select the updates I want from the Dependency Dashboard issue.

Let me know what you think! 😉

@Spiker985
Member

Ironically enough, we probably do need the includeForks key, because a large portion of our repos are forked from Atom still

We need to contact GitHub (again?) to remove the upstream from quite a few of them

@confused-Techie
Member

Yeah @HonkingGoose this looks fantastic! I love the fact that it's just an issue. Especially love that it's able to find all the dependencies from our core packages as well!

Only downside I can even find is that updating a dependency that's in the core and a core package looks like it'd update both by clicking the checkbox? But at the very least it reports it so you could update one manually if you ever needed. But that seems unlikely.

So with this, and considering the way our vote carried out, might just be time to implement this in a PR.

Appreciate all the effort and following up on this

@HonkingGoose
Contributor Author

HonkingGoose commented Feb 20, 2023

Note
I edited this comment with new instructions based on feedback from one of the Renovate maintainers about includeForks=true:

Make sure to read the new instructions before starting! 😉

To get started with Renovate:

  1. Read the Installation instructions in the docs for a full overview.
  2. I recommend installing the GitHub App for Renovate, that's easiest to start with.
  3. Select the pulsar-edit/pulsar repository. This way we don't need to set includeForks=true. The Renovate app basically sets includeForks=true behind our backs when you select the repository.
  4. Create a renovate.json file on the pulsar-edit/pulsar repository, put it in the root of the repository. Put this JSON in the file:
    {
      "extends": ["config:base", ":dependencyDashboardApproval"]
    }
  5. When Renovate runs it creates the Dependency Dashboard issue.
  6. Pin the Dependency Dashboard issue to your repository, so you can always find it. Read the GitHub Docs about pinning an issue to your repository to learn how.
  7. Now you can get updates from the Dependency Dashboard by selecting the checkbox for the updates.

If you get stuck, ask for help in this issue. 😉

@HonkingGoose
Contributor Author

Only downside I can even find is that updating a dependency that's in the core and a core package looks like it'd update both by clicking the checkbox? But at the very least it reports it so you could update one manually if you ever needed. But that seems unlikely.

Are those core and core package files in different file paths? If yes, we can probably do something like this:

{
  "packageRules": [
    {
      "description": "Group all dependencies from the core directory",
      "matchPaths": ["core/**"],
      "groupName": "Core dependencies"
    },
    {
      "description": "Group all dependencies from the core-packages directory",
      "matchPaths": ["core-packages/**"],
      "groupName": "Core packages dependencies"
    }
  ]
}

Here I'm using the matchPaths 1 config option in a packageRules array to configure what happens based on the location of each dependency.

I still recommend starting with the simplest config first to see what happens. You can always tune things later. 😄

Footnotes

  1. https://docs.renovatebot.com/configuration-options/#matchpaths

@HonkingGoose HonkingGoose changed the title Get a Dependency management bot running Get Renovate bot running on this repository with a basic config Feb 20, 2023
@HonkingGoose
Contributor Author

Hi @confused-Techie!

Congratulations on getting Renovate bot working! 🥳✨

I see Renovate already created some security PRs on this repository. Renovate always creates security PRs, even if you normally only get updates when requested from the Dependency Dashboard.

I hope you enjoy Renovate bot. 😄

3 participants