Dependency bots
Two common dependency bots exist right now:
Dependabot is GitHub-only and hence does not work on CodeFloe.
Renovate is compatible with Forgejo-based platforms and hence can be used on CodeFloe. In fact, the codefloe org makes heavy use of Renovate to keep its dependencies up-to-date. You can see its config in codefloe/renovate-config.
Renovate
If you want to use renovate with your own repos, multiple options exist:
- You can opt in to CodeFloe's instance-wide bot, which runs hourly (at 30 minutes past the hour).
- You can execute `renovate` yourself on your own schedule and optionally make use of a shared dependency cache provided by CodeFloe.
Instance-wide Bot
An instance-wide renovate bot is operated by CodeFloe. It makes use of a central cache for dependencies and repositories.
The dependency cache lives in a Valkey instance on CodeFloe's CI agent hosts. The repository cache is stored in a private S3 bucket.
This bot is operated by CodeFloe admins, hence the same trust policy applies as for private repositories stored on CodeFloe. (CodeFloe admins have the permissions to potentially access any private repository. This also applies to the private S3 bucket which stores the renovate repo cache.)
Note
If you have previously been using the hosted renovate bot on GitHub, trust concepts are similar: the GitHub renovate bot also makes heavy use of caching and as a user you also trust the admins of the service to store your private repos and possibly access them.
To make use of the bot, follow these steps:
- Give the `renovate-bot` user write access to your repositories. The easiest way to do this is to create a new team which contains all repos that you want to have processed by renovate and add the `renovate-bot` user to it. Write access is what renovate needs to push update branches and open pull requests; do not grant the team more than that.
- Add a `renovate.json` config to all repos which should be processed. This file also references the shared config to use for this repo. The file must at least contain the following:

By default, the config files from codefloe/renovate-config will be used.
You can "extend" these config defaults with your own config settings by either overriding individual settings or by referencing your own config repo. For example:

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["myorg/renovate-config"]
}
```

This way, renovate will process your repo and check for the existence of a valid config in the referenced repo.
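As an added example (not a file from this page, from codefloe/renovate-config or from any CodeFloe repo), a `renovate.json` that keeps the CodeFloe defaults and layers a few repo-specific overrides on top of them. The `extends` entry follows the page's own reference form; the time zone, schedule and limits are placeholders, and the `description` fields are Renovate's documented way of annotating a config, since JSON has no comments:

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "description": [
    "Added example, not the page's or codefloe/renovate-config's own file.",
    "Keeps the instance defaults and overrides individual settings for this repo; timezone and schedule are placeholders."
  ],
  "extends": ["codefloe/renovate-config"],
  "timezone": "Europe/Berlin",
  "schedule": ["before 6am on monday"],
  "prConcurrentLimit": 5,
  "packageRules": [
    {
      "description": "Pin container images to digests so an update PR shows exactly which image changed, not just a moved tag.",
      "matchManagers": ["dockerfile"],
      "pinDigests": true
    },
    {
      "description": "Group minor and patch updates into one PR to keep review noise down; majors stay separate.",
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "non-major dependencies"
    }
  ]
}
```

Everything not listed here still comes from the extended preset, so a later change in codefloe/renovate-config propagates to this repo; only the keys you override are pinned. Keep the file small for that reason: the more you copy out of the preset, the less the shared config can do for you.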
Personal Bot
Alternatively, you can run your own instance of renovate.
Note
When you decide to go this way, please also take the time to configure a dependency and repo cache. Otherwise renovate will take several minutes for only a few repos, putting unnecessary load on the CI runners.
Also think about the frequency of your runs: if you only host your homelab repos there, it might be sufficient to run it once a day. On the other hand, if you have a repo with a lot of activity and dependencies, you should run it more frequently so that renovate can properly update and rebase concurrent dependency updates.
When going for this option, you can (should!) make use of the shared dependency cache offered by CodeFloe. This cache only stores the dependency lookups renovate has already resolved in previous runs, so that renovate does not need to perform them again. It does not contain any secrets or private Git information. Because every bot using it reads the same cached results, you rely on CodeFloe to keep that cache intact, the same trust relationship described above for the instance-wide bot.
To do so, use the global `codoefloe_renovate_dependency_cache` secret for the `redisUrl` option in renovate. The secret is scoped so that only the Crow CI renovate plugin can use it, hence you need to use Crow CI to run the bot.
Note
There is no similar option in Forgejo Actions right now which allows restricting a secret to a specific workflow/action. Without it, any workflow in the repository or organization the secret is defined on could read and leak it.
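As an added example (not the page's, not CodeFloe's Crow CI plugin configuration and not a file from codefloe/renovate-config), a self-hosted global config for a personal bot on a Forgejo-based platform such as CodeFloe. Renovate talks to Forgejo through its `gitea` platform module. The API endpoint, the bucket name and the org name are placeholders. The file deliberately contains neither the API token nor the Redis URL for the shared dependency cache: Renovate reads every option from an uppercase `RENOVATE_` environment variable as well, so the token goes into `RENOVATE_TOKEN` and the cache secret into `RENOVATE_REDIS_URL`, which is where a CI secret belongs rather than in a committed file.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "description": [
    "Added example of a self-hosted global config; not from the page, codefloe/renovate-config or the Crow CI plugin.",
    "Endpoint, bucket and org are placeholders. Token and Redis URL come from RENOVATE_TOKEN and RENOVATE_REDIS_URL, never from this file."
  ],
  "platform": "gitea",
  "endpoint": "https://codefloe.example/api/v1",
  "gitAuthor": "My Renovate Bot <renovate@example.org>",
  "onboarding": false,
  "requireConfig": "required",
  "autodiscover": true,
  "autodiscoverFilter": ["myorg/*"],
  "repositoryCache": "enabled",
  "repositoryCacheType": "s3://my-renovate-cache-bucket/repo-cache",
  "persistRepoData": false,
  "binarySource": "install"
}
```

Run it with `RENOVATE_CONFIG_FILE` pointing at this file and the two secrets exported in the environment. Three settings do the scoping work: `autodiscoverFilter` limits the bot to your own org, so a token with wider reach still only touches those repos; `onboarding: false` together with `requireConfig: "required"` makes the bot skip any repo that has no `renovate.json` yet, which is the same opt-in model the instance-wide bot uses; and `repositoryCacheType` pointed at a bucket you own is what keeps run times short without handing your repo cache to anyone else. `RENOVATE_REDIS_URL` is the dependency cache only; the repo cache is still yours.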
The following section summarizes the advantages and disadvantages of running your own bot vs. joining the instance-wide one:
Advantages
- You can control the frequency of runs and also trigger individual runs on demand, if needed.
- No external bot account has permissions to access your private repositories.
- You can let renovate operate only on your own subset of repos, which may make runs faster than joining the instance-wide bot.
Disadvantages
- You need to maintain your own instance of `renovate`.
- You may want to create a dedicated account for your renovate bot.
- You need to manage your own cache for dependencies and repositories (or have long runtimes).
- If you have multiple organizations with different members, you'll likely want multiple instances of `renovate` to keep them separate from each other.
If you have ideas how to improve this or run into an issue, please open an issue in the CodeFloe forum.