Renovate

Renovate is the tool we (the infrastructure team) recommend to keep dependencies such as crates, GitHub Actions and Docker base images up-to-date.

About Dependency Updates

Why keep dependencies up to date?

To get bug fixes, performance improvements, security patches and new features, and to have a better developer experience in general.

How often should dependencies be updated?

Receiving PRs to update dependencies too often is overwhelming. For example, we don’t recommend receiving a PR for every new version of a dependency.

Instead, we recommend receiving a few PRs on a regular schedule, e.g. once a week or once a month. A typical split is one PR for GitHub Actions updates, one PR for compatible crate updates and one PR for each incompatible crate update.

Should dependency updates be automatically merged?

If you have a reliable test suite, and the CI doesn’t automatically deploy to production or publish artifacts when you merge a PR, then it should be safe to automerge dependency updates that pass CI checks.

How to add Renovate to a repository

1. Install the renovate GitHub App

Add bots = ["renovate"] or bots = ["forking-renovate"] to your repository toml file in the team repository.

For an example, see annotate-snippets-rs.

Here are the differences between the two apps:

  • The renovate GitHub App creates update branches directly in the target repository. That requires write access to repository contents. Thanks to this permission, it also supports automerge.
  • The forking-renovate GitHub App creates branches in its own fork and opens PRs back to the target repository. It doesn’t require any permissions on the target repository, but it only works for public repositories and does not support automerge.

2. Configure Renovate

Create a .github/renovate.json5 file. Other file formats and locations are also supported; see the Renovate documentation.

See the existing configuration files in the Rust organization for examples: GitHub code search for renovate.json paths.
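A .github/renovate.json5 that follows the recommendations above (weekly schedule, one PR for GitHub Actions, one PR for compatible crate updates, one PR per incompatible crate update). This is an added example, not a configuration taken from a Rust organization repository; the schedule and group names are illustrative choices, and treating minor/patch updates as "compatible" is an approximation of Cargo's semver rules.

```json5
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended"],

  // Open update PRs once a week instead of on every upstream release.
  // Renovate evaluates schedules in UTC unless `timezone` is set.
  schedule: ["before 6am on monday"],

  packageRules: [
    {
      // One PR for all GitHub Actions updates.
      matchManagers: ["github-actions"],
      groupName: "GitHub Actions",
    },
    {
      // One PR for compatible crate updates: minor and patch bumps
      // of crates that are already at 1.0 or later.
      matchManagers: ["cargo"],
      matchCurrentVersion: "!/^0/",
      matchUpdateTypes: ["minor", "patch"],
      groupName: "compatible crate updates",
    },
    {
      // For 0.x crates only patch bumps are treated as compatible here,
      // because Cargo considers a 0.x minor bump a breaking change.
      // Same groupName, so these land in the same PR as the rule above.
      matchManagers: ["cargo"],
      matchCurrentVersion: "/^0/",
      matchUpdateTypes: ["patch"],
      groupName: "compatible crate updates",
    },
    // No rule groups major updates or 0.x minor updates, so each
    // incompatible crate update gets its own PR for individual review.
  ],

  // Automerge is off by default. Enable it only when all of these hold:
  //   - the repository uses the `renovate` app (not `forking-renovate`),
  //   - the test suite is reliable,
  //   - merging a PR does not deploy to production or publish artifacts.
  // automerge: true,
}
```

Leaving automerge commented out keeps a human review between a new upstream release and the default branch, which is the safer starting point for repositories whose CI publishes or deploys on merge.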

3. Ensure Renovate is working

Check that Renovate created the dependency dashboard GitHub issue, so that you can trigger PRs in the repository by interacting with that issue.

Support

If Renovate isn’t working, or you have questions, ask in the #t-infra Zulip channel.