Dependency bot
==============
It is good practice to update dependencies regularly to avoid vulnerabilities,
limit incompatibilities between dependencies and avoid complex upgrades when
upgrading from a version that is too old. A variety of tools can help you stay
up to date. :term:`uv` is supported by `Renovate
`_.
Renovate uses the :ref:`uv_lock` file to detect that ``uv`` is being used to
manage dependencies and suggests updates for project dependencies, optional
dependencies and development dependencies. Renovate updates both the
:file:`pyproject.toml` and :file:`uv.lock` files.
Installation and configuration
------------------------------
The Renovate CLI tool can be installed with
.. code-block:: console
$ npm install renovate
.. tip::
The Renovate bot should run under its own service user. We therefore
recommend creating and using a separate account, ``renovate-bot``, for the
bot. Then create and save an access token for this account.
You can now configure Renovate for your
:doc:`/productive/git/advanced/gitlab/index` server. Renovate looks for a
:file:`config.js` file in the current working directory by default. However, you
can override this by defining the environment variable ``RENOVATE_CONFIG_FILE``.
The configuration can then look like this, for example:
.. code-block:: js
:caption: config.js
module.exports = {
endpoint: 'https://ce.cusy.io/api/v4/',
token: 'GITLAB_TOKEN',
platform: 'gitlab',
onboardingConfig: {
extends: ['config:recommended'],
},
repositories: ['USERNAME/REPO', 'ORGNAME/REPO'],
};
.. note::
Changes the paths to the repositories to something suitable. Also replace the
GitLab token value with the value created in the previous step.
.. seealso::
* `Renovate configuration overview
`_
If you now want to regularly update the :file:`uv.lock` file in your repository,
you should use the `lockFileMaintenance
`_
option in the :file:`renovate.json5` file in your repository, for example:
.. code-block:: json5
:caption: renovate.json5
{
$schema: "https://docs.renovatebot.com/renovate-schema.json",
lockFileMaintenance: {
enabled: true,
},
}
However, Renovate does not automatically recognise files with
:ref:`inline-script-metadata`. You must explicitly specify these Python scripts
with `fileMatch
`_, for example
with:
.. code-block:: json5
:caption: renovate.json5
:emphasize-lines: 4-5
{
$schema: "https://docs.renovatebot.com/renovate-schema.json",
pep723: {
fileMatch: [
"app\\.py",
],
},
}
.. seealso::
* `lockFileMaintenance
`_
Finally, the timing of Renovate should be planned, for example with `cron
`_:
.. code-block:: bash
#!/bin/bash
export PATH="/home/renovate-bot/.node_modules/.bin/renovate:$PATH"
export RENOVATE_CONFIG_FILE="/home/renovate-bot/config.js"
export RENOVATE_TOKEN="GITLAB_TOKEN"
0 * * * * renovate
CI/CD pipeline
--------------
Renovate can also be integrated into :doc:`cicd`:
* `GitHub Action `_
* `GitLab Runner `_