Renovate on Ryubing Forgejo

Over the last couple days, I've been configuring and setting up Renovate CLI for our Forgejo instance at git.ryujinx.app.

Warning: This blog post is full of some nerd shit. If that doesn't interest you, or you don't understand, that is fine.

What is Renovate?

For those who are unaware, Renovate is a tool much in the same vein as Dependabot. Personally, I am not the biggest fan of Dependabot, but I think that's mostly because it's only shown up on projects I didn't care about dependency updates for (such as Ryuko). When you do care, automated dependency management is a very nice tool to have.

I first decided to try Renovate when it was suggested to me by a user of another project I maintain (GRUKE, aka GreemDev NUKE). I was skeptical at first, given my experience with Dependabot; but I was very quickly surprised. It came with a very pleasant onboarding PR which detected too many dependencies (the nature of being a big convoluted repository). Thankfully the creators of Renovate know this can happen, so you are free to edit the configuration PR however much you would like, before merging the configuration. That way, the first time Renovate runs, it runs correctly.

Well that's GitHub. How are we running it on Forgejo?

Now to get to our infrastructure. Obviously, the Mend-hosted Renovate GitHub App that I use for GRUKE is not going to work on our Forgejo. Additionally, Renovate CE (the dedicated Renovate server application) does not support Forgejo, so our only option is running Renovate CLI on a schedule. I used Docker and cron; here's a rundown!

Forgejo-side setup

On our Forgejo instance, a user named renovate was created. This user has no special permissions, no instance administrator or anything.

The renovate user has a single repository, config. A .profile repository, like the one we have, is not strictly necessary; it's just there to give users information on how to use the Renovate instance, and to provide a launchpad to this blog post from an obvious location.

The config repository is publicly accessible for transparency. Its name is a little misleading, since it does more than just hold the config: it is practically the entire Ryubing Forgejo Renovate setup, minus the docker-compose.yml, since that contains secrets.

The responsibilities of renovate/config are as follows:

Next, create a Forgejo access token for the bot's account. Use the following scopes:

  • read:misc
  • read:organization
  • write:issue
  • write:repository
  • read:user

Make sure to select All for "Repository and organization access". This lets Renovate see all repositories that are public and that it has been granted access to. Combined with our autodiscover settings in our config, this lets anyone use our Renovate, so long as they give it permission and set the repository topic first.

[Screenshot: an example of what the token screen should look like before clicking "Generate token"]

Server-side setup

This was done on Ubuntu 24.04.4. Your mileage with the same tools may vary.

In a directory, /home/greem/services/renovate/config, I have a clone of the renovate/config repository, and one level above that is the docker-compose.yml.

The contents of the docker-compose.yml are as follows, minus the sensitive data:

services:
  renovate:
    container_name: renovate
    image: git.ryujinx.app/renovate/renovate:latest
    user: root # this is root inside the container; not on host machine
    environment:
      RENOVATE_CONFIG_FILE: /config.json
      RENOVATE_TOKEN: <forgejo access token for renovate account with necessary permissions>
      # this is here because renovate docs say it should only be configured via env var
      # https://docs.renovatebot.com/self-hosted-configuration/#usecloudmetadataservices
      RENOVATE_USE_CLOUD_METADATA_SERVICES: "false"
    volumes:
      - /home/greem/services/renovate/config/admin-config/config.json:/config.json:ro
      - /home/greem/services/renovate/cache:/tmp/renovate/cache:rw

Then, in a crontab:

*/30 * * * * cronitor exec SSlGv3 '/usr/bin/docker compose --file /home/greem/services/renovate/docker-compose.yml up'

This runs every 30 minutes.

The reason Docker is not run directly is Cronitor. If you wish to run docker directly, and not use Cronitor, you can simply remove the stuff outside of the single-quotes that the docker compose command is in. Remove the single-quotes as well in that case.

Cronitor is used so I can be alerted if the Renovate task errors, as well as for public embeddable status widgets. It's completely free, so you can give it a try if you wish.
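
A pre-flight check for the docker-compose.yml above, as an added example that is not part of the original setup: it flags a token-bearing file that group or others can read, a floating image tag, and a writable admin-config mount. It assumes GNU stat as shipped on Ubuntu; the finding names and the sample token are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Finding names are made up here.
# Assumes GNU stat, as shipped on Ubuntu. Prints one finding per line.
audit_compose() {
  local file=$1 mode
  mode=$(stat -c '%a' "$file") || return 2
  # An inline RENOVATE_TOKEN means only the file's owner should be able to read it.
  if grep -Eq '^[[:space:]]*RENOVATE_TOKEN:[[:space:]]*[^[:space:]$]' "$file" &&
     [ $(( 0$mode & 077 )) -ne 0 ]; then
    echo "TOKEN_FILE_READABLE mode=$mode"
  fi
  # A floating tag lets each scheduled run pull and execute a different image.
  if grep -Eq '^[[:space:]]*image:[[:space:]]*[^[:space:]#]+:latest([[:space:]]|$)' "$file"; then
    echo "FLOATING_IMAGE_TAG"
  fi
  # Renovate only reads the admin config, so its bind mount should end in :ro.
  if grep -E '^[[:space:]]*-[[:space:]].*:/config\.json' "$file" |
     grep -Evq ':ro[[:space:]]*$'; then
    echo "CONFIG_MOUNT_WRITABLE"
  fi
  return 0
}

# Constructed sample: same shape as the compose file above, placeholder token.
demo() {
  local dir
  dir=$(mktemp -d) || return 1
  cat > "$dir/docker-compose.yml" <<'EOF'
services:
  renovate:
    image: git.ryujinx.app/renovate/renovate:latest
    environment:
      RENOVATE_TOKEN: constructed-placeholder-token
    volumes:
      - /home/greem/services/renovate/config/admin-config/config.json:/config.json:ro
EOF
  chmod 644 "$dir/docker-compose.yml"; audit_compose "$dir/docker-compose.yml"
  chmod 600 "$dir/docker-compose.yml"; audit_compose "$dir/docker-compose.yml"
  rm -rf "$dir"
}

demo
```

Running `audit_compose` against the real file before the cron entry fires makes a good first step after editing it; a value written as `${RENOVATE_TOKEN}` is treated as not inline.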

And that's it! You should have a functional, consistent Renovate setup. You will need to modify the config files just as I did, for example to change the Renovate Docker images to your own, or to point at your own actions mirrors. The best part is that's pretty easy compared to getting it set up in the first place.

If you are a registered user of the Ryubing Forgejo and would like to use our Renovate, you are more than welcome to do so. In fact, I deliberately modified the configuration files from what they were to facilitate this. The original version of the config repository, used by the Forgejo project's own Renovate bot, used a Kubernetes configuration with hardcoded discovery repositories to scan. As you can see from above, there is no Kubernetes to be found. The repository also has files from code.forgejo.org/forgejo/renovate-config included.

Setup instructions for Ryubing Renovate can be found on the renovate bot's account README.

Credits to tech-tales.blog for a few parts of this setup; namely the scopes to use for the token and the docker-compose.yml base.