Using Renovate to maintain NuGet, Docker and other dependencies
TL;DR - Renovate automatically checks if there are new versions of your NuGet & Docker dependencies and helps to keep them up to date via automatic pull requests
Recently The Changelog #289 introduced me to Rhys Arkins who is the creator of Renovate.
Renovate saves you time and reduces risk in software projects by automating the tedious process of updating dependencies. This is fully automated and its behavior is fully customizable to fit your needs.
Renovate supports a variety of languages and package managers.
NuGet support was only recently added by my colleague Sam Neirinck - Thank you Sam!
Onboarding Renovate
Onboarding Renovate is super easy and currently supports GitHub, GitLab, VSTS with Bitbucket on the way. You can choose between using the GitHub App or running a self-hosted version via a Docker image available on Docker Hub.
Once you've enabled it on your Git repository it will send you an onboarding PR that explains what it will do:
In case you'd like to tweak its behavior a bit, you can fully configure how it will contribute via renovate.json (docs).
Dependency Updates
Once configured, Renovate will periodically check your dependencies.
If it finds a new version it will automatically create a new pull request with the latest version:
When the dependency publishes release notes, the pull request also includes the notes of every version you are behind. This information comes from the GitHub Releases the project has made.
If you would like to check less often, have fewer PRs or only update minor versions you can tweak this in the renovate.json file.
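As an added example (not taken from the original post), a renovate.json that applies exactly those tweaks: it runs on weekends only, caps the number of open Renovate PRs, and keeps major NuGet updates out of automatic PRs so that a breaking change always needs a deliberate decision. The option names are Renovate's documented ones; the concrete values are assumptions for illustration.

```json
{
  "extends": ["config:base"],
  "description": "Check less often: only create or update PRs during the weekend.",
  "schedule": ["every weekend"],
  "prConcurrentLimit": 3,
  "packageRules": [
    {
      "description": "Do not raise automatic PRs for major NuGet updates; handle those by hand.",
      "matchManagers": ["nuget"],
      "matchUpdateTypes": ["major"],
      "enabled": false
    }
  ]
}
```

Renovate validates this file in its onboarding PR, so a typo in an option name shows up there rather than silently being ignored.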
Streamlined Automation
It is highly recommended to only use Renovate if you have automated builds that run whenever a pull request is created, verify the code changes and run all your tests. This will prevent you from merging in bad updates.
In this example, Renovate wants to upgrade Swashbuckle.AspNetCore, which introduces breaking changes given it's a major version increase, but Travis CI made me aware of this and I was able to fix it before merging it in.
This is another good example of why you should always run automated builds when a pull request is created.
It should verify as much as it can, ranging from building code, running automated tests and building Dockerfiles to scanning for security vulnerabilities with Snyk.io and more.
Better safe than sorry and automate as much as possible.
A note to package maintainers
When I started using Renovate it became clear that package maintainers are an important factor and can improve the process with a few small tweaks.
The importance of GitHub releases
Using Renovate was also an eye-opener on the importance of having good GitHub releases. These really help consumers of a package to understand what changed and what to expect when updating. Having these in the update pull requests is really nice.
This was the main driver for automatically adding GitHub releases on what I'm doing and providing context on what changed. An example is v0.0.2-preview for Arcus.EventGrid.
Document your Nuspec well
In order to get automatic release notes for NuGet packages, a well-documented Nuspec is required that specifies the URL of the GitHub repository in one of the following elements:
- PackageProjectUrl, as Swashbuckle.AspNetCore does:
<PackageProjectUrl>https://github.com/domaindrivendev/Swashbuckle.AspNetCore</PackageProjectUrl>
- repository, as YamlDotNet does:
<repository type="git" url="https://github.com/aaubry/YamlDotNet.git" />
Conclusion
When I started using Renovate on Promitor I was really amazed by all the work that was done by Rhys and how streamlined Renovate is.
Renovate is really cool and certainly helps me keep my applications up to date by doing all the chores for me. It's free for open-source projects, so give it a spin!
A very big thank you to Rhys Arkins for building this tooling and also thank you Sam Neirinck for adding NuGet support! All the credit goes to them, not me.
Want to learn more about Renovate? Listen to the episode of The Changelog.
Thanks for reading,
Tom.
Thank you Mike Martin for reviewing.