Automatic Dependency Updates with renovate

Problem to solve

It would be great if GitLab users could simply check a box to enable automatic updates of their dependencies.

Coming from the Java world, a lot of developers either spend a lot of time on dependency management or spend no time on it at all.
Often developers don't even know that a new version of a dependency has been released.
Especially in large enterprises, it happens frequently that 2-4 major versions are skipped before dependencies are updated again, simply because no one spends time regularly checking for updates.
Bots like renovate or dependabot try to solve this by creating a new MR as soon as a new version of a dependency has been released.
Unfortunately these bots are not that well known yet and can be tricky to configure.

IMHO this is a good opportunity for GitLab to provide this and make it really easy to set up.
Since it's already possible to use these bots with GitLab now, and since it will be most useful for enterprises, I think this feature should be in one of the EE tiers.

Intended users

Developer

Further details

Rather than implementing automatic dependency updates ourselves, we should use existing open source projects and integrate them really well into the UI, similar to what we do with license management.
I believe that Automatic dependency updates would be a really great feature to have in the enterprise edition.

Proposal

I suggest integrating renovatebot into GitLab.
It is an open source bot that creates an MR as soon as a new version of a dependency becomes available.
At GitLab this bot is already in use in the frontend team to keep dependencies up to date.
Currently, it supports dependencies for:

  • Bazel
  • Docker
  • Golang
  • Java
  • Javascript
  • Node.js Versions
  • Nuget
  • PHP
  • Python
  • Ruby

While it is already possible to use the bot with GitLab now, it would be awesome to integrate the setup into the GUI as an official GitLab feature.

The bot would then be called in a scheduled CI job with a command like this:

  docker run -e GITLAB_TOKEN="$GITLAB_TOKEN" -e GITHUB_TOKEN="$GITHUB_TOKEN" -v $PWD/config.js:/usr/src/app/config.js renovate/renovate:13 $(cat repositories.txt | xargs)

It requires 2 inputs:

  • A GitLab access token of the user account that should be used to create the MRs
  • A GitHub access token with the scope public, used to fetch changelog information from GitHub

I think both inputs could be preconfigured.
Add a few settings in a config file (for example, changing the default MR template to whatever we want) and you get a feature that users can turn on by selecting one checkbox.
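As an added example (not part of this issue and not renovate's own code), here is a small POSIX shell wrapper for the scheduled job described above. It reads repositories.txt while ignoring blank lines and comments, fails early if either required token variable is missing (printing only the variable name, never its value), and passes the tokens into the container by name with `-e GITLAB_TOKEN` so they never appear on the command line or in job output. The `RENOVATE_RUN` switch, the `--rm` and `:ro` flags, and the sample project paths are assumptions of this example.

```shell
#!/bin/sh
# Added example wrapper for the renovate scheduled CI job; not from the issue
# or the renovate project. Assumes a repositories.txt with one project path per
# line and a config.js in the working directory, as in the issue's command.

# Print the project paths from repositories.txt, dropping '#' comment lines,
# blank lines and trailing whitespace.
load_repositories() {
    repo_file="$1"
    [ -r "$repo_file" ] || { echo "missing $repo_file" >&2; return 1; }
    grep -v '^[[:space:]]*#' "$repo_file" \
        | sed -e 's/[[:space:]]*$//' \
        | grep -v '^$' || true
}

# Fail fast if the named CI variable is unset or empty. Only the name is
# printed, so a misconfigured job never leaks a token into the log.
require_token() {
    name="$1"
    eval "value=\${$name:-}"
    [ -n "$value" ] || { echo "required CI variable $name is not set" >&2; return 1; }
}

# Build the docker command line. Tokens are passed with '-e NAME' (docker
# copies the value from the exported environment), so the secret values are
# not part of the printed command.
build_renovate_cmd() {
    repo_file="$1"
    repos=$(load_repositories "$repo_file") || return 1
    [ -n "$repos" ] || { echo "no repositories listed in $repo_file" >&2; return 1; }
    printf 'docker run --rm -e GITLAB_TOKEN -e GITHUB_TOKEN -v %s/config.js:/usr/src/app/config.js:ro renovate/renovate:13' "$PWD"
    for r in $repos; do
        printf ' %s' "$r"
    done
    printf '\n'
}

# Run the bot only when explicitly asked (RENOVATE_RUN=1 is an assumed switch
# for this example); otherwise the functions are just defined for use.
if [ "${RENOVATE_RUN:-0}" = "1" ]; then
    require_token GITLAB_TOKEN \
        && require_token GITHUB_TOKEN \
        && sh -c "$(build_renovate_cmd repositories.txt)"
fi
```

In the scheduled job both tokens would come from masked CI variables (which GitLab exports into the job environment), and the wrapper is invoked with `RENOVATE_RUN=1 sh renovate.sh`; with a constructed repositories.txt containing `group/a` and `group/b`, `build_renovate_cmd` prints the command ending in `renovate/renovate:13 group/a group/b`.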

Permissions and Security

I think Project Owners and Maintainers would make the most sense, to keep it consistent with other project settings.

Documentation

https://renovatebot.com/

https://medium.com/@mikebarkmin/renovate-your-gitlab-projects-automatically-bbba188669b5

Testing

Not sure yet, depends on the integration.

What does success look like, and how can we measure that?

What is the type of buyer?

Links / references