Dependency bot
It is good practice to update dependencies regularly to avoid vulnerabilities, limit incompatibilities between dependencies and avoid complex upgrades when upgrading from a version that is too old. A variety of tools can help you stay up to date. uv is supported by Renovate.
Renovate uses the uv.lock file to detect that uv is being used to manage dependencies and suggests updates for project dependencies, optional dependencies and development dependencies. Renovate updates both the pyproject.toml and uv.lock files.
Installation and configuration
The Renovate CLI tool can be installed with:
$ npm install renovate
Tip
The Renovate bot should run under its own service user. We therefore recommend creating and using a separate account, renovate-bot, for the bot. Then create and save an access token for this account.
You can now configure Renovate for your GitLab server. Renovate looks for a config.js file in the current working directory by default. However, you can override this by defining the environment variable RENOVATE_CONFIG_FILE.
The configuration can then look like this, for example:
module.exports = {
  endpoint: 'https://ce.cusy.io/api/v4/',
  token: 'GITLAB_TOKEN',
  platform: 'gitlab',
  onboardingConfig: {
    extends: ['config:recommended'],
  },
  repositories: ['USERNAME/REPO', 'ORGNAME/REPO'],
};
Note
Change the paths to the repositories to something suitable. Also replace the GitLab token value with the value created in the previous step.
If you now want to regularly update the uv.lock file in your repository, you should use the lockFileMaintenance option in the renovate.json5 file in your repository, for example:
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  lockFileMaintenance: {
    enabled: true,
  },
}
However, Renovate does not automatically recognise files with Inline script metadata. You must explicitly specify these Python scripts with fileMatch, for example with:
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  pep723: {
    fileMatch: [
      "app\\.py",
    ],
  },
}
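A script with inline metadata that is missing from fileMatch receives no update proposals, so the list is better generated than maintained by hand. The following is an added example, not part of the original page or of Renovate: it scans a repository for "# /// script" blocks with the reference regular expression from PEP 723 and prints a matching pep723 fileMatch list. The function names and the skipped directory names are assumptions.

```python
"""List Python scripts that carry PEP 723 inline script metadata and
print a pep723 fileMatch list for them (added example, names assumed)."""
import json
import re
import sys
from pathlib import Path

# Reference regular expression for metadata blocks, taken from PEP 723.
BLOCK = re.compile(
    r"(?m)^# /// (?P<type>[a-zA-Z0-9-]+)$\s(?P<content>(^#(| .*)$\s)+)^# ///$"
)
# Assumption: directories that never hold the project's own scripts.
SKIP_DIRS = {".git", ".venv", "node_modules", "__pycache__"}


def has_script_metadata(text: str) -> bool:
    """True if the text contains a '# /// script' block."""
    return any(m.group("type") == "script" for m in BLOCK.finditer(text))


def find_scripts(root: Path) -> list[str]:
    """Relative POSIX paths of all *.py files with inline script metadata."""
    found = []
    for path in sorted(root.rglob("*.py")):
        rel = path.relative_to(root)
        if SKIP_DIRS.intersection(rel.parts):
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (OSError, UnicodeDecodeError):
            continue  # unreadable file: skip it instead of aborting the scan
        if has_script_metadata(text):
            found.append(rel.as_posix())
    return found


def file_match_patterns(paths: list[str]) -> list[str]:
    """One anchored regex per path, with regex metacharacters escaped."""
    escape = re.compile(r"([.^$*+?()\[\]{}|\\])")
    return ["^" + escape.sub(r"\\\1", p) + "$" for p in paths]


if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    config = {"pep723": {"fileMatch": file_match_patterns(find_scripts(root))}}
    print(json.dumps(config, indent=2))
```

The JSON output doubles each backslash, in the same way as the fileMatch entry in the configuration above.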
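Finally, schedule regular Renovate runs, for example with cron. A wrapper script sets the environment and starts Renovate:
#!/bin/bash
# This file contains the access token: keep it readable by renovate-bot only.
# PATH must list the directory that contains the renovate executable.
export PATH="/home/renovate-bot/.node_modules/.bin:$PATH"
export RENOVATE_CONFIG_FILE="/home/renovate-bot/config.js"
export RENOVATE_TOKEN="GITLAB_TOKEN"
renovate
The crontab entry of the renovate-bot user then runs this script once an hour (the script path is a placeholder):
0 * * * * /path/to/renovate-wrapper.sh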
CI/CD pipeline
Renovate can also be integrated into CI/CD pipelines: