|
| 1 | +# Renovate |
| 2 | + |
| 3 | +[Renovate](https://docs.renovatebot.com/) is the tool we (the infrastructure team) recommend to |
| 4 | +keep dependencies such as crates, GitHub Actions and Docker base images up-to-date. |
| 5 | + |
| 6 | +## About Dependency Updates |
| 7 | + |
| 8 | +> Why keeping dependencies up-to-date? |
| 9 | +
|
| 10 | +To get bug fixes, performance improvements, security patches, |
| 11 | +new features and have a better developer experience in general. |
| 12 | + |
| 13 | +> How often should dependencies be updated? |
| 14 | +
|
| 15 | +Receiving PRs to update dependencies too often is overwhelming. |
| 16 | +E.g. we don't recommend receiving a PR for every new version of a dependency. |
| 17 | + |
| 18 | +Instead, we recommend receiving a few PRs on a regular schedule, e.g. once a week or once a month. |
| 19 | +E.g. one PR for GitHub Actions updates, one PR for compatible crate updates and one PR for each incompatible crate update. |
| 20 | + |
| 21 | +> Should dependencies updates be automatically merged? |
| 22 | +
|
| 23 | +If you have a reliable test suite, and the CI |
| 24 | +doesn't automatically deploy to production or publish artifacts |
| 25 | +when you merge a PR, then it should |
| 26 | +be safe to automerge dependency updates that pass CI checks. |
| 27 | + |
| 28 | +## How to add Renovate to a repository |
| 29 | + |
| 30 | +### 1. Install the renovate GitHub App |
| 31 | + |
| 32 | +Add `bots = ["renovate"]` or `bots = ["forking-renovate"]` to your repository |
| 33 | +toml file in the [`team`](https://github.com/rust-lang/team) repository. |
| 34 | + |
| 35 | +E.g. see [annotate-snippets-rs](https://github.com/rust-lang/team/blob/900ea95242ceff029389e5d97917345f480d8665/repos/rust-lang/annotate-snippets-rs.toml#L4) |
| 36 | + |
| 37 | +Here are the differences between the two apps: |
| 38 | + |
| 39 | +- The [`renovate` GitHub App](https://github.com/apps/renovate) creates |
| 40 | + update branches directly in the target repository. That requires write access |
| 41 | + to repository contents. Thanks to this permission, it also supports automerge. |
| 42 | +- The [`forking-renovate` GitHub App](https://github.com/apps/forking-renovate) |
| 43 | + creates branches in its own fork and opens PRs back to the target |
| 44 | + repository. It doesn't require any permissions on the target repository, |
| 45 | + but it only works for public repositories and does not support automerge. |
| 46 | + |
| 47 | +### 2. Configure Renovate |
| 48 | + |
| 49 | +Create a `.github/renovate.json5` file. |
| 50 | +Other file formats and locations are also supported, see the [Renovate documentation](https://docs.renovatebot.com/configuration-options/). |
| 51 | + |
| 52 | +See the existing configuration files in the Rust organization for examples: |
| 53 | +[GitHub code search for `renovate.json` paths](https://github.com/search?q=org%3Arust-lang+path%3Arenovate.json&type=code). |
| 54 | + |
| 55 | +### 3. Ensure Renovate is working |
| 56 | + |
| 57 | +Check that Renovate created the |
| 58 | +[dependency dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) |
| 59 | +GitHub issue, so that you can |
| 60 | +trigger PRs in the repository by interacting with that issue. |
| 61 | + |
| 62 | +## Support |
| 63 | + |
| 64 | +If Renovate isn't working, or you have questions, ask in the |
| 65 | +[`#t-infra`](https://rust-lang.zulipchat.com/#narrow/channel/242791-t-infra) Zulip channel. |
0 commit comments