Dependency bots
Two common dependency bots exist right now:

Dependabot is GitHub-only and hence does not work on CodeFloe.

Renovate is compatible with Forgejo-based platforms and hence can be used on CodeFloe. In fact, the codefloe org makes heavy use of Renovate to keep its dependencies up-to-date. You can see its config in codefloe/renovate-config.

If you want to use renovate with your own repos, here are some important notes:

- There is no global bot or integration which you can opt in to. You have to host your own configuration and use it to run your own builds which do the work.
- Checkbox-based webhook triggers in the "Dependency Dashboard", like those on GitHub, do not work with Forgejo-based platforms. The only way is to (re)run renovate on a schedule and let it pick up the state of each repository (i.e. the "Dependency Dashboard").
- You can use one central config for your private repos and additional organizations you own, to minimize the resource footprint. However, most of the time you might want separate configs to be more flexible with different execution schedules and configurations.
- The use of a cache is highly recommended, as it substantially speeds up the process and greatly reduces the number of requests against the APIs of the services hosting the dependencies. As you cannot attach volumes to containers as a normal user or run any other static cache alongside the renovate builds, CodeFloe provides a valkey container on each agent which users can opt in to. Please reach out through the Forum and provide a contact address to which the connection details can be sent.
- Think about the cron schedule and log level of the renovate runs. While it is surely great to have frequent updates, a few runs per day, or maybe even just one run per day, might be completely sufficient. It all depends on the project's needs: for example, if you visit the repos yourself mainly once per week to update your hobby project, fewer runs are needed than for an active FOSS project with many contributors and dependencies. It is up to you to set the schedule. Keep in mind that every run requires resources and build time and has some "cost" associated with it. With respect to the log level: renovate runs with "DEBUG" easily result in 20k log lines or more. On the other hand, the "INFO" level is often not verbose enough to inspect why a certain dependency update failed or was not processed. Our recommendation is to use "INFO" by default and switch to "DEBUG" only when needed. If you want to use "DEBUG" as the default, please consider setting a small log retention period in the CI settings of that repo.
Note
The reason why no instance-wide bot exists is not only a missing upstream integration in renovate. Forgejo does not yet support scoped access tokens on the repo or organization level. This means that, technically, the token handed over to renovate for its runs is able to access all repositories of the user it belongs to. This is not desirable for many reasons and would be a security risk if applied this way. Once Forgejo supports scoped access tokens, we can implement a global bot which can be used to run renovate on all repositories of an instance.
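As an added example (not CodeFloe's or Renovate's own configuration), here is a Forgejo Actions workflow that applies the notes above: one scheduled run per day, a single central config that autodiscovers the repos of one org, the per-agent Valkey as Renovate's package cache, and "INFO" as the default log level. The workflow path, runner label, secret names, org filter and instance URL are assumptions; RENOVATE_PLATFORM uses Renovate's `forgejo` platform (use `gitea` on Renovate versions that predate it).

```yaml
# .forgejo/workflows/renovate.yml  (path, runner label and names are assumptions)
name: renovate

on:
  schedule:
    # One run per day is often enough; every run costs build time on the agents.
    - cron: "17 4 * * *"
  workflow_dispatch:   # manual trigger for a one-off run, e.g. with DEBUG logging

jobs:
  renovate:
    runs-on: docker    # assumed runner label of the CodeFloe agents
    container:
      # Pin to a specific Renovate version in practice instead of "latest".
      image: ghcr.io/renovatebot/renovate:latest
    steps:
      - name: Run Renovate against the discovered repositories
        run: renovate
        env:
          RENOVATE_PLATFORM: forgejo
          RENOVATE_ENDPOINT: "https://<your-forgejo-instance>/api/v1"   # placeholder
          # Token of a dedicated bot user: until Forgejo has scoped tokens it can
          # reach every repository of that user, so keep it in CI secrets only.
          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
          RENOVATE_GIT_AUTHOR: "renovate-bot <renovate-bot@example.invalid>"
          # Central config: one workflow processes all repos matching the filter.
          RENOVATE_AUTODISCOVER: "true"
          RENOVATE_AUTODISCOVER_FILTER: "my-org/*"
          # Package cache in the per-agent Valkey (Redis-compatible); the URL is
          # the connection detail CodeFloe sends you, stored as a secret.
          RENOVATE_REDIS_URL: ${{ secrets.VALKEY_URL }}
          # "info" by default; switch to "debug" only while investigating a
          # dependency update that failed or was not processed.
          LOG_LEVEL: info
```

If you do keep `LOG_LEVEL: debug` permanently, lower the log retention period in the repo's CI settings as the notes above recommend, since a single debug run can produce 20k or more log lines.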