2023-01-09 21:16:48 +00:00 · 2023-01-11 01:18:34 +00:00
3 changed files with 122 additions and 0 deletions
--- a/content/post/dependency-monitoring-with-gitea-and-renovate.md
+++ b/content/post/dependency-monitoring-with-gitea-and-renovate.md
@ -0,0 +1,122 @@
+---
+date: "2023-01-10T00:00:00+08:00"
+author: "xinyu"
+title: "Dependency monitoring with Gitea and Renovate"
+tags: ["renovate"]
+draft: false
+---
+
+In software development, keeping the latest technology updated is not only important for developers who must constantly learn and update their skills, but also for the projects they are engaged in and maintain.
+
+When you start a project from scratch, you usually use the latest stable version of the library to set it up. As time goes by, the scale of the project continues to grows, and libraries are grows too. The versions of libraries and packages are usually unchanged, and almost never updated. Yes, if the project fits perfectly with the current project, why update them?
+
+Here are some reasons why you should keep your dependencies updated:
+
+- Add bug fixes.
+- Add vulnerability fixes.
+- Improve performance.
+- ...
+
+So how do we do it with Gitea?
+
+According to the following tutorial, we configure Renovate Bot on our Gitea server to help us automatically find dependency problems in the project.
+
+## Pre-install
+
+- Gitea Server
+- A Linux server for Renovate Bot
+  - Docker Engine with docker compose
+
+## Setup Renovate
+
+1.Create a dedicated Renovate account on your Gitea server. The advantage of bot account is that you can set custom name, avatar, and access token to distinguish from real-human account.
+
+You can refer to this example, create a robot account:
+
+- Username: `renovatebot`
+- Full Name: `Renovate Bot`
+- Access Tokens: `abcdefghijklmnopqrstuvwxyz01234567654321`
+
+2.Add the Renovate Bot to the project collaborators we want to monitor.
+
+Open **Repository - Collaborators - Search user `renovatebot` - Add write permission**
+
+Here, we provide write permissions for the collaborator `renovatebot`. This will allow Renovate Bot to create branch in your repository. When an old version dependency is detected, it will create a patch in the new branch to update the dependency to the latest version and open a pull request.
+
+In addition, add Renovate Bot as a team member to avoid repeating configuration for each project.
+
+3.Start Renovate
+
+Create Renovate Bot with `docker compose`:
+
+```yml
+version: "3"
+
+services:
+  renovate:
+    image: renovate/renovate:34
+    container_name: renovate
+    environment:
+      RENOVATE_AUTODISCOVER: 'true'
+      # replace value RENOVATE_ENDPOINT with your own instance
+      RENOVATE_ENDPOINT: 'https://gitea.com'
+      RENOVATE_GIT_AUTHOR: 'Renovate Bot <bot@renovateapp.com>'
+      RENOVATE_PLATFORM: "gitea"
+      RENOVATE_TOKEN: "abcdefghijklmnopqrstuvwxyz01234567654321"
+```
+
+> The configuration above uses `renovate/renovate:34` as the base image. When you see this blog, the version number here may not be the latest, you should go to <https://hub.docker.com/r/renovate/renovate/tags> to find the latest Renovate version.
+
+- `RENOVATE_AUTODISCOVER: 'true'` Run Renovate on all repos you have push access.
+- `RENOVATE_ENDPOINT: 'https://gitea.com'` Custom endpoint to use. replace with your own instance
+- `RENOVATE_GIT_AUTHOR: 'Renovate Bot <bot@renovateapp.com>'` Author to use for Git commits. Must conform to RFC5322.
+- `RENOVATE_PLATFORM: "gitea"` Platform type of repository.
+- `RENOVATE_TOKEN` Repository Auth Token.
+
+Then, start renovate: `docker compose up`
+
+```log
+➜ docker compose up
+[+] Running 1/0
+ ⠿ Container renovate  Created                                                                                 0.0s
+Attaching to renovate
+renovate  |  INFO: Autodiscovered repositories
+renovate  |        "length": 1,
+renovate  |        "repositories": ["test_user/test_repo"]
+renovate  |  INFO: Repository started (repository=test_user/test_repo)
+renovate  |        "renovateVersion": "34.40.0"
+renovate  |  INFO: Repository has no package files - skipping (repository=test_user/test_repo)
+renovate  |  INFO: Repository finished (repository=test_user/test_repo)
+renovate  |        "cloned": true,
+renovate  |        "durationMs": 9650
+renovate exited with code 0
+```
+
+If you see `renovate exited with code 0` like the log above, it means the program ended normally. If a repository is detected, a dependency check is started, as the logs show.
+
+4.Run Renovate with Cron
+
+We created `renovate` in Docker, and the program exits automatically after running. If we want Renovate Bot to scan our package dependencies in the background regularly, we can use cron to do scheduled tasks.
+
+We use crontab to create a cron job to run Renovate Bot. (use `crontab -e` to start the task editor)
+
+```sh
+# Cron job every day 8am
+0 8 * * * /usr/bin/docker start renovate
+```
+
+> Learn how to write a crontab schedule expression at crontab.guru
+
+5.Repository onboarding
+
+Once you have enabled Renovate on a repository, you will get a "Configure Renovate" Pull Request looking something like this:
+
+![Configure Renovate](/demos/renovate/Configure-Renovate.png)
+
+Renovate will not make any changes to your repository or raise any further Pull Requests until after you merge the onboarding Pull Request.
+
+Now we merge `Configure Renovate` into the master branch. Run renovate (`docker start renovate`) again, and the dependency patch will be create:
+
+![Update dependency](/demos/renovate/Update-dependency.png)
+
+> Renovate documentation: <https://docs.renovatebot.com>
--- a/static/demos/renovate/Configure-Renovate.png
+++ b/static/demos/renovate/Configure-Renovate.png
--- a/static/demos/renovate/Update-dependency.png
+++ b/static/demos/renovate/Update-dependency.png