Automatic Docker Container Updates with Renovate
Introduction
I’ve written before about how I started using Renovate to keep my ever-growing number of Docker containers up-to-date. In that piece, I said that I needed to grow my trust in the system somewhat before allowing it to self-merge updates, and in turn allow these to be automatically deployed to my Homelab. Having had Renovate running for a number of months, I finally became fed up with my email inbox filling up with GitHub Pull Request notifications, and decided to take the plunge on auto-updates!
When researching how to do this, a number of posts I found pointed to the "Allow auto-merge" setting on GitHub, saying that this was necessary for Renovate to work correctly. For good reason, I don’t want my docker-compose.yml files publicly available on GitHub, so my central repository is set to private, which precludes the use of "Allow auto-merge".
I had resigned myself to continuing to manually approve every single PR; however, from my testing, it seems that Renovate doesn’t actually require this setting.
Configuration
The configuration I’m now using is as follows:
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    "docker:pinDigests",
    ":semanticCommitsDisabled",
    ":rebaseStalePrs",
    ":disableRateLimiting"
  ],
  "timezone": "Europe/London",
  "docker-compose": {
    "fileMatch": [
      "(^|/)(?:docker-)?compose[^/]*\\.ya?ml$",
      "(.*)ya?ml$"
    ]
  },
  "ignoreTests": true,
  "packageRules": [
    {
      "groupName": "all non-major dependencies",
      "groupSlug": "all-minor-patch-digest",
      "matchUpdateTypes": [
        "minor",
        "patch",
        "digest"
      ],
      "minimumReleaseAge": "1 day",
      "automerge": true,
      "automergeType": "branch",
      "automergeSchedule": [
        "* 0-3 * * *"
      ],
      "matchPackageNames": [
        "*"
      ]
    }
  ]
}
The first important line to note is "ignoreTests": true. If you don’t have any kind of CI process running, then you must tell Renovate that you don’t wish to wait for non-existent tests to finish!
Second is the packageRules structure: in the example above I’m allowing the automerge of any minor/patch/digest updates between midnight and 3am on any day of the week. You can learn more about automerge in the Renovate documentation.
Finally, I added a minimumReleaseAge of 1 day. I had an issue with a minor update being pushed that contained a fairly catastrophic bug. This was quickly realised by the developers and the release was pulled, but not before my Homelab had automatically deployed the update! There’s a fine line to be drawn between quickly utilising the latest security updates and potentially rolling out a broken release; for me, 24 hours is the right compromise for now.
You may also wish to modify a couple of the extends items. I’m not 100% decided on what style of commit messages I want, nor am I entirely sold on pinning to a specific digest.
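As an added example (my own code, not Renovate’s and not part of the original post), the following Python script embeds the configuration above and dry-runs the gates that decide whether a given update would be merged without a PR: the fileMatch patterns, matchUpdateTypes, minimumReleaseAge and the automergeSchedule cron window. It is a deliberate simplification of Renovate’s real behaviour (Renovate also handles branch creation, rebasing and the extends presets, none of which are modelled here), and it assumes naive datetimes that are already in the configured timezone. The sample file paths, update types and timestamps are constructed for illustration.

```python
"""Dry-run the automerge decision for the Renovate packageRules shown above.

Added example, not Renovate's own code: it re-implements only the subset of
rule logic the post relies on (fileMatch, matchUpdateTypes, minimumReleaseAge,
automergeSchedule). All datetimes are naive and assumed to already be in the
configured timezone (Europe/London).
"""
import json
import re
from datetime import datetime, timedelta

# Copy of the post's renovate.json. "extends" and "timezone" are carried along
# but not evaluated by this script.
RENOVATE_CONFIG = json.loads(r'''
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended", "docker:pinDigests", ":semanticCommitsDisabled",
              ":rebaseStalePrs", ":disableRateLimiting"],
  "timezone": "Europe/London",
  "docker-compose": {
    "fileMatch": ["(^|/)(?:docker-)?compose[^/]*\\.ya?ml$", "(.*)ya?ml$"]
  },
  "ignoreTests": true,
  "packageRules": [{
    "groupName": "all non-major dependencies",
    "groupSlug": "all-minor-patch-digest",
    "matchUpdateTypes": ["minor", "patch", "digest"],
    "minimumReleaseAge": "1 day",
    "automerge": true,
    "automergeType": "branch",
    "automergeSchedule": ["* 0-3 * * *"],
    "matchPackageNames": ["*"]
  }]
}
''')


def matching_compose_files(config, paths):
    """Return the repository paths that the docker-compose fileMatch regexes select."""
    patterns = [re.compile(p) for p in config["docker-compose"]["fileMatch"]]
    return [p for p in paths if any(rx.search(p) for rx in patterns)]


def parse_release_age(text):
    """Turn a Renovate age string such as '1 day' or '6 hours' into a timedelta."""
    count, unit = text.split()
    return timedelta(**{unit.rstrip("s") + "s": int(count)})


def _cron_field_matches(field, value):
    """Match one cron field supporting '*', single values, ranges and comma lists."""
    if field == "*":
        return True
    for part in field.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= value <= hi:
                return True
        elif int(part) == value:
            return True
    return False


def in_schedule(rule, when):
    """True if `when` falls inside any automergeSchedule cron expression."""
    for expr in rule["automergeSchedule"]:
        minute, hour, dom, month, dow = expr.split()
        if (_cron_field_matches(minute, when.minute)
                and _cron_field_matches(hour, when.hour)
                and _cron_field_matches(dom, when.day)
                and _cron_field_matches(month, when.month)
                and _cron_field_matches(dow, when.isoweekday() % 7)):  # cron: Sunday = 0
            return True
    return False


def would_automerge(rule, update_type, released_at, now):
    """Return (decision, reason) for one candidate update against the rule."""
    if update_type not in rule["matchUpdateTypes"]:
        return False, "update type not matched by the rule; stays a normal PR"
    if now - released_at < parse_release_age(rule["minimumReleaseAge"]):
        return False, "release younger than minimumReleaseAge"
    if not in_schedule(rule, now):
        return False, "outside automergeSchedule"
    return True, "automerge via automergeType=%s" % rule["automergeType"]


if __name__ == "__main__":
    rule = RENOVATE_CONFIG["packageRules"][0]
    now = datetime(2024, 5, 1, 1, 30)  # constructed: 01:30, inside the 0-3 window
    print(matching_compose_files(RENOVATE_CONFIG,
                                 ["stacks/plex/docker-compose.yml", "README.md",
                                  "stacks/compose.override.yaml"]))
    for kind, released in [("patch", datetime(2024, 4, 29, 12)),   # 1.5 days old
                           ("patch", datetime(2024, 5, 1, 0)),     # 90 minutes old
                           ("major", datetime(2024, 4, 1))]:      # old, but major
        print(kind, released, would_automerge(rule, kind, released, now))
```

Run it directly to see the verdicts printed. Note that the second fileMatch pattern, "(.*)ya?ml$", matches every YAML file in the repository, not just compose files, so the matching_compose_files check is a quick way to confirm exactly which files Renovate will be rewriting before you enable automerge.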
Conclusion
I’ve now had this configuration up and running for a few months, and I’m very happy with it so far. All minor updates are automatically merged by Renovate once a day, and Portainer then pulls these onto my Docker Swarm shortly afterwards. Any major updates still follow the Pull Request process, but as I’m not running any particularly bleeding-edge software, these are few and far between.
I’ve only had issues with a couple of packages that don’t seem to follow the correct versioning scheme - Plex being one of them. Unfortunately for these, I still have to manually update every so often.
I hope this helps you keep the maintenance burden of your Homelab to an enjoyable level!