RENOVATE.md

File metadata and controls

210 lines (175 loc) · 10.7 KB

Renovate

This repository contains the following shared configurations for Renovate, a tool that automates dependency updates. Each one is available as a shareable preset:

  • A default renovate-config.json file for general use in all repositories.
  • A renovate-config-security-updates-only.json file for use in Laminas repositories marked "security-updates-only".

Default Configuration

By naming the file renovate-config.json and placing it in this repository, we take advantage of Renovate detecting it automatically, which allows easy onboarding for repositories.

Goals

The default configuration has the following goals for a shared preset:

  • a single PR for anything non-major that doesn't fit the current version constraints (e.g. coding standards).
  • a PR for any new majors, grouped by org.
  • otherwise, the lockfile is updated and automatically merged once tests pass, opening a PR only if they fail.

Next steps for downstream maintainers

Once the Mend Renovate GitHub app is enabled for a repository, a new Configure Renovate PR will be opened containing a basic renovate.json file with the following contents:

{
    "extends": [
        "local>laminas/.github:renovate-config"
    ]
}

In order to be fully compatible with this Renovate configuration, you must ensure the following criteria are met:

  1. CI actions are enabled for push events on branches with the prefix renovate/*.
  2. The lockfile must have been generated using Composer with a version >=2.2.
  3. Lastly, for Renovate to detect the correct version of PHP to use for lockfile maintenance, the PHP version must be set in composer.json under the key config.platform.php.
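As an added example (not code from laminas/.github), the following script checks a repository's parsed GitHub Actions workflow, composer.json and composer.lock against the three criteria above. The sample inputs are constructed, and the Composer version check assumes that composer.lock's plugin-api-version tracks the Composer minor version that wrote it.

```python
import json
import re

# Constructed sample inputs; not taken from any real Laminas repository.
SAMPLE_WORKFLOW = {"on": {"push": {"branches": ["main", "renovate/**"]}}}
SAMPLE_COMPOSER_JSON = {"config": {"platform": {"php": "8.1.99"}}}
SAMPLE_COMPOSER_LOCK = {"plugin-api-version": "2.3.0"}

def _glob_to_regex(pattern: str) -> "re.Pattern":
    # GitHub branch filters: '**' spans '/', a single '*' does not.
    parts = [".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p)
             for p in re.split(r"(\*\*|\*)", pattern)]
    return re.compile("^" + "".join(parts) + "$")

def ci_runs_on_renovate_branches(workflow: dict, branch: str = "renovate/laminas") -> bool:
    """Criterion 1: the workflow's push trigger must cover renovate/* branches."""
    # PyYAML parses the bare key `on` as boolean True (YAML 1.1), so accept both.
    on = workflow.get("on", workflow.get(True))
    if on == "push" or (isinstance(on, list) and "push" in on):
        return True  # unfiltered push trigger: every branch runs CI
    if not isinstance(on, dict) or "push" not in on:
        return False
    push = on["push"] or {}
    included = push.get("branches")  # None means "all branches"
    ignored = push.get("branches-ignore") or []
    hit = included is None or any(_glob_to_regex(p).match(branch) for p in included)
    return hit and not any(_glob_to_regex(p).match(branch) for p in ignored)

def lock_from_composer_2_2_or_later(lock: dict) -> bool:
    """Criterion 2: composer.lock generated by Composer >= 2.2.
    Assumption: the lock's plugin-api-version tracks the Composer minor version."""
    m = re.match(r"^(\d+)\.(\d+)", str(lock.get("plugin-api-version", "")))
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= (2, 2)

def platform_php_pinned(composer_json: dict) -> bool:
    """Criterion 3: config.platform.php must be set to a concrete PHP version."""
    php = ((composer_json.get("config") or {}).get("platform") or {}).get("php")
    return isinstance(php, str) and re.fullmatch(r"\d+\.\d+(\.\d+)?", php) is not None

def check_all(workflow: dict, composer_json: dict, lock: dict) -> dict:
    """Evaluate all three onboarding criteria; every value must be True."""
    return {
        "ci_on_renovate_branches": ci_runs_on_renovate_branches(workflow),
        "lock_composer_ge_2_2": lock_from_composer_2_2_or_later(lock),
        "platform_php_pinned": platform_php_pinned(composer_json),
    }

if __name__ == "__main__":
    print(json.dumps(check_all(SAMPLE_WORKFLOW, SAMPLE_COMPOSER_JSON, SAMPLE_COMPOSER_LOCK), indent=2))
```

Load the real files with json.load (and a YAML parser for the workflow) and pass the resulting dicts to check_all; any False value is a criterion the repository still has to meet.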

Presets

By relying primarily on the inbuilt shared presets, we reduce the need to update our configuration whenever Renovate releases a major version. Take for example ":automergeDisabled": this adds the configuration "automerge": false. Should Renovate change that option in a major version bump, they will also update the preset. So, where possible, presets have been chosen.

"extends": [
    ":dependencyDashboard",
    ":ignoreModulesAndTests",
    ":automergeMinor",
    ":automergeBranch",
    ":rebaseStalePrs",
    ":semanticCommitsDisabled",
    ":separateMajorReleases",
    ":combinePatchMinorReleases",
    ":enableVulnerabilityAlerts",
    ":timezone(UTC)",
    ":gitSignOff",
    ":label(renovate)",
    "group:allNonMajor"
],
  • :dependencyDashboard - This will open a persistent issue in each repository to allow easy tracking of all Renovate updates.
  • :ignoreModulesAndTests - This ensures Renovate does not try to update composer.json inside tests/, vendor/ etc.
  • :automergeMinor - Automatically merge non-major updates by default.
  • :automergeBranch - Set the default automerge type to branch, meaning a PR is only opened if the update branch fails its checks.
  • :rebaseStalePrs - Any PRs previously opened by Renovate will be automatically rebased should they fall behind.
  • :semanticCommitsDisabled - Disable semantic prefixes for commit messages and PR titles.
  • :separateMajorReleases - Any new major release of a package will be separated into its own update.
  • :combinePatchMinorReleases - Patch and minor releases for a single package will be combined to a single update.
  • :enableVulnerabilityAlerts - Open a PR should the repository have any vulnerability alerts (see below).
  • :timezone(UTC) - Not strictly necessary but ensures schedules use the UTC timezone.
  • :gitSignOff - DCO requires all commits to be signed off.
  • :label(renovate) - Add the label renovate to any PRs.
  • group:allNonMajor - Any non-major updates will be grouped into a single update.

Vulnerability Alerts

From https://docs.renovatebot.com/configuration-options/#vulnerabilityalerts:

Renovate can read from GitHub's Vulnerability Alerts and customize Pull Requests accordingly. For this to work, you must first ensure you have enabled "Dependency graph" and "Dependabot alerts" under the "Security & analysis" section of the repository's "Settings" tab.

Additionally, if you are running Renovate in app mode then you must make sure that the app has been granted the permissions to read "Vulnerability alerts". If you are the account admin, browse to the app (e.g. https://github.com/apps/renovate), select "Configure", and then scroll down to the "Permissions" section and verify that read access to "vulnerability alerts" is mentioned.

Once the above conditions are met, and you have received one or more vulnerability alerts from GitHub for this repository, then Renovate will attempt to raise fix PRs accordingly.

Other Settings

"commitBodyTable": true,
"lockFileMaintenance": {"enabled": true, "extends": ["schedule:weekly"]},
"platformAutomerge": true,
"prFooter": "[Read more information](https://github.com/laminas/.github/blob/main/RENOVATE.md) about the use of [Renovate Bot](https://github.com/renovatebot/renovate) within Laminas.",
"rangeStrategy": "replace",
"rollbackPrs": true,
"vulnerabilityAlerts": {
    "extends": [":automergeDisabled", ":automergePr", ":labels(Awaiting Maintainer Response, security)"],
    "rangeStrategy": "bump"
}
  • commitBodyTable - Adds a table to the commit message describing all updates in the commit.
  • lockFileMaintenance - Lockfile maintenance is performed during the scheduled (weekly) run.
  • platformAutomerge - Use GitHub's merging features, falling back to Renovate's own merging methods.
  • prFooter - The text here will be set as the footer to any PR opened by Renovate.
  • rangeStrategy - Setting this to replace ensures that PRs are only created once the new release falls outside the version constraints inside composer.json.
  • rollbackPrs - A rare occurrence, but should a package become revoked, a PR to downgrade the package will be created.
  • vulnerabilityAlerts - Vulnerability alerts, enabled by the :enableVulnerabilityAlerts preset above, use a rangeStrategy of update-lockfile by default. Setting it to bump ensures that composer.json is updated as well, so that manual intervention by the maintainer is required to tag a new minor. The extended presets mean these PRs are never automerged and are labelled "Awaiting Maintainer Response" and "security".

Package Rules

"packageRules": [
    {"matchDepTypes": ["require"], "rangeStrategy": "widen"},
    {"matchPackagePatterns": ["^laminas/"], "groupSlug": "laminas", "groupName": "all Laminas packages"},
    {"matchPackagePatterns": ["^laminas-api-tools/"], "groupSlug": "laminas-api-tools", "groupName": "all Laminas API Tools packages"},
    {"matchPackagePatterns": ["^mezzio/"], "groupSlug": "mezzio", "groupName": "all Mezzio packages"},
    {
        "matchPackageNames": ["php"],
        "allowedVersions": "^8.0",
        "extends": [":automergeDisabled", ":automergePr", ":label(Awaiting Maintainer Response)"],
        "ignoreUnstable": false,
        "groupName": "PHP"
    }
]

The first of these package rules ensures that the version constraints of non-development dependencies (the require section of composer.json) are widened when a newer version is available outside them; development dependencies keep the default replace strategy, since widening the range of a development dependency makes little sense.

  • replace - Replace the range with a newer one if the new version falls outside it, and update nothing otherwise.
  • widen - Widen the range with the newer one, e.g. ^1.0.0 -> ^1.0.0 || ^2.0.0.

The next three rules are not strictly necessary, but they group updates from each of these organizations (laminas, laminas-api-tools and mezzio) into a single update. Combined with the rules above, this will usually only occur for new major releases.

The final package rule allows us to use Renovate to automate PHP upgrades. By extending the relevant presets, these PRs are not automatically merged, even if all checks are green, and they are additionally assigned the label "Awaiting Maintainer Response". The allowedVersions setting tells Renovate which PHP versions it is allowed to upgrade to, whilst setting ignoreUnstable to false allows Renovate to propose updates for unreleased PHP versions (e.g. 8.2.0-rc1).

Security Updates Only Configuration

Extending the default, the file renovate-config-security-updates-only.json is made specifically for use in Laminas repositories that have been marked as receiving "security-updates-only".

Presets

"extends": [
   "local>laminas/.github:renovate-config",
   ":maintainLockFilesDisabled"
],
  • local>laminas/.github:renovate-config - As stated, the first preset extends the default configuration described above.
  • :maintainLockFilesDisabled - Only update lock files when composer.json is updated.

Package Rules

"packageRules": [
   {"matchPackagePatterns": ["*"], "enabled": false},
   {"matchPackageNames": ["php"], "enabled": true}
]

The first rule disables all updates other than lockfile maintenance (already disabled above) and vulnerability alerts (which we want to keep). The second rule then re-enables updates, but only for PHP.

Links

  • Renovate on GitHub
  • Renovate Documentation
  • Mend Renovate website
  • Mend Renovate GitHub app