Renovate proposal

[lmilbaum]

Changes introduced with this PR

Please explain your changes here.

---

By contributing to this repository, I agree to the contribution guidelines.

[ghost]

Hi @lmilbaum thank you for the proposal. Maybe you could edit the proposal and highlight that this would replace Dependabot which is included with GitHub and currently in use? Also, it would be worth mentioning why we would pick this over Dependabot, and what the management overhead is (we need to allow an app, someone needs to go register an account with them or self-host, etc).

Thanks!

[lmilbaum]

Hi @lmilbaum thank you for the proposal. Maybe you could edit the proposal and highlight that this would replace Dependabot which is included with GitHub and currently in use? Also, it would be worth mentioning why we would pick this over Dependabot, and what the management overhead is (we need to allow an app, someone needs to go register an account with them or self-host, etc).

Thanks!

Thank you for your feedback. I've just noticed that the section which emphasizes the advantages was missing.

[sandrobonazzola]

Perhaps also add some link to renovate documentation

[lmilbaum]

Perhaps also add some link to renovate documentation

Done.

[HonkingGoose]

I help maintain Renovate bot's documentation, so obviously I like Renovate bot. 😉

Why pick Renovate?

Copy/paste from the Renovate docs homepage:

Why use Renovate?

• Get pull requests to update your dependencies and lock files
• Reduce noise by scheduling when Renovate creates PRs
• Renovate finds relevant package files automatically, including in monorepos
• You can customize the bot's behavior with configuration files
• Share your configuration with ESLint-like config presets
• Get replacement PRs to migrate from a deprecated dependency to the community suggested replacement (npm packages only)
• Open source

Killer features

• Dependency Dashboard to get an overview of all your pending/in-progress updates
  ¹
• Keep noise down by package grouping, and optionally automerging ²
• Dependency Dashboard Approval Workflow to only get updates when you select them from the Dashboard ³

Here's the Dependency Dashboard in action:

• Dependency Dashboard renovatebot/renovate#2958

Management overhead?

• we need to allow an app
• someone needs to go register an account with them
• or self-host

The overhead depends on how you're going to run Renovate. You can:

• use the GitHub-hosted app version of Renovate
• use the "Forking Renovate" app version (needs less permissions) ⁴
• self-host

Easiest way to get started

The easiest way to run the bot is by installing it as a GitHub-hosted app. ⁵ You can select what repositories you want Renovate to access after installing the app if you don't want Renovate to run on all your repositories.

Footnotes

1. https://docs.renovatebot.com/key-concepts/dashboard/ ↩

2. https://docs.renovatebot.com/noise-reduction/ ↩

3. https://docs.renovatebot.com/key-concepts/dashboard/#dependency-dashboard-approval-workflow ↩

4. https://docs.renovatebot.com/security-and-permissions/ ↩

5. https://docs.renovatebot.com/getting-started/installing-onboarding/#hosted-githubcom-app ↩

[HonkingGoose]

Some comments on the proposal text.

[HonkingGoose]

You can reduce the pull request overload by:

• setting a schedule for updates (say get foo updates on the first day of the week)
• using the Dependency Dashboard Approval Workflow, where you only get updates when you request them from the dashboard. I recommend you only use this to get you back up to date on your terms, once you're nearly/fully up to date, let Renovate create PRs again!
• using automerge to merge after tests pass, can be helpful for things like Prettier/ESLint/Standard
• setting a custom prConcurrentLimit ¹, the default is max 10 open PRs at once
• edit: Renovate also rate-limits creating PRs, the default is 2 PRs created per hour

Footnotes

1. https://docs.renovatebot.com/configuration-options/#prconcurrentlimit ↩

[HonkingGoose]

I recommend you start with config:base ¹ and tune things after getting some experience with the default behavior.

Footnotes

1. https://docs.renovatebot.com/presets-config/#configbase ↩

[HonkingGoose]

Use the Dependency Dashboard, and use packageRules to group "must update together packages" to get more control.

[HonkingGoose]

Do not run Dependabot and Renovate together, you'll end up with a mess of open PRs.

If you want to get vulnerabilityAlerts ¹ then you'll need to enable the "Dependency Graph" and "Dependabot Alerts". You still keep the "normal Dependabot" disabled though!

Footnotes

1. https://docs.renovatebot.com/configuration-options/#vulnerabilityalerts ↩

[ghost]

@lmilbaum thank you very much again for your presentation. As discussed, let's keep this proposal as a draft until we have a demo of running Renovate as a GitHub Actions periodic job.

[ghost]

@HonkingGoose thank you very much for your input, we'll hopefully move forward with this proposal in 2-3 weeks.

[ghost]

Hey folks, can you please remove my review request from this PR? It seems I don't have the ability to.

[jaredoconnell]

For the currently maintained projects, this seems to me to be extra work.

I think this would make sense as an option for projects, but not the default. But that could lead to more fragmentation.

This would make more sense if we switched off of GitHub.

[lmilbaum]

For the currently maintained projects, this seems to me to be extra work.

I think this would make sense as an option for projects, but not the default. But that could lead to more fragmentation.

This would make more sense if we switched off of GitHub.

I understand your concern. If that may help, my team (platform engineering) will own the on-boarding process and maintenance.

[dustinblack]

Per today's discussion, we are going to have a look at this functionality as a prototype using a repo or two from the Arcalot org. Seeing directly how this change affects our maintenance workflows and helps us will be useful to better inform the decision here.

[dustinblack]

We have implemented a prototype of this implementation with one plugin repo that has open dependabot PRs so that we can see a live comparison against Renovate. I invite the Round Table members to please have a look at the open PRs for this repo to see what Renovate offers us:

https://github.com/arcalot/arcaflow-plugin-aws-ec2-control/pulls

Implementing this required allowing the platform-engineering-bot write access to the repo, and a Renovate configuration file to be added:

https://github.com/arcalot/arcaflow-plugin-aws-ec2-control/blob/main/renovate.json

So the impact for implementation across the org is low, and we can do it in a phased way if this proposal is approved. I believe we would grant the platform-engineering-bot write access at the org level, and then add this config to each repo for which we want to enable Renovate.

Based on the conversations and this update, I am resetting the votes on this proposal and adjusting the voting period to 14 days, targeted to end on Wednesday, July 19, or when quorum is reached, whichever comes first.

[jdowni000]

I would def like to see this with all the build issues fixed manually before dependabot gives this a go. It seems we have had different breaks within the last week or so.

[dustinblack]

I would def like to see this with all the build issues fixed manually before dependabot gives this a go. It seems we have had different breaks within the last week or so.

I had the same thought. I'll try to fix the builds and then let the dependabot and renovate PRs rebase.

[dustinblack]

Merging as approved with a quorum of votes from the ART