Add Renovate pipeline #1946
Pull request overview
This PR adds Renovate pipeline infrastructure to the dotnet/docker-tools repository for automated dependency updates. The implementation includes a reusable job template, configuration files, and a scheduled pipeline that will run nightly at 3 AM UTC.
Changes:
- Adds Renovate tracking comment to `src/Dockerfile.linux` for ORAS version monitoring
- Creates Renovate configuration with custom regex manager for Dockerfile ARG/ENV variables
- Implements reusable Azure Pipeline job template for running Renovate
- Sets up nightly scheduled pipeline with dry-run and force-recreate options
Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.

| File | Description |
|---|---|
| src/Dockerfile.linux | Adds Renovate tracking comment for ORAS_VERSION ARG to enable automated version updates |
| eng/renovate.json | Configures Renovate with custom regex manager and dockerfileVersions preset |
| eng/renovate.env | Defines environment variables for Renovate bot configuration including PR templates and author settings |
| eng/pipelines/templates/jobs/renovate.yml | Implements reusable job template that validates config, runs Renovate in Docker, and publishes logs |
| eng/pipelines/renovate.yml | Defines scheduled pipeline that runs nightly against dotnet/dotnet-docker repository |
| - checkout: self | ||
| fetchDepth: 1 | ||
|
|
||
| - script: mkdir -p $(logDirectory) && chmod 777 $(logDirectory) |
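Review bot: the `mkdir -p $(logDirectory) && chmod 777 $(logDirectory)` step leaves `$(logDirectory)` unquoted and has no `displayName`, unlike the `List created PRs` step later in the template; quote the path (`mkdir -p "$(logDirectory)"`) so a value containing spaces cannot split the arguments, and add a `displayName` so the step is identifiable in the run log. If the world-writable mode is kept, a comment on the step should say which user inside the container needs to write `renovate-log.json` there, so a later reader knows whether `770` with a matching group would do.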
Copilot (AI) commented on Jan 22, 2026
The log directory is created with chmod 777 (world-writable permissions), which may be overly permissive. While this might be necessary for Docker to write to the directory, it's generally considered a security best practice to use more restrictive permissions.
Consider using chmod 775 or 770 instead, which would still allow Docker to write to the directory but with more restrictive permissions. If 777 is truly required due to Docker user mapping, consider adding a comment explaining why these broad permissions are necessary.
| - script: mkdir -p $(logDirectory) && chmod 777 $(logDirectory) | |
| - script: mkdir -p $(logDirectory) && chmod 770 $(logDirectory) |
| # https://docs.renovatebot.com/configuration-options/#prbodynotes | ||
| # https://docs.renovatebot.com/configuration-options/#prbodytemplate | ||
| RENOVATE_PR_HEADER=## Automated Dependency Update | ||
| RENOVATE_PR_BODY_NOTES=["This PR has been created automatically by the [.NET Renovate Bot](https://github.com/dotnet/arcade/blob/main/Documentation/Renovate.md) to update one or more dependencies in your repo. Please review the changes and merge the PR if everything looks good."] |
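Review bot: `RENOVATE_PR_BODY_NOTES` is a JSON array in a file consumed by `docker run --env-file`, which passes everything after the first `=` to the container verbatim with no shell quoting or escaping, so the brackets and double quotes reach Renovate exactly as written; add a short comment above the line stating that this is intentional and that the value must stay valid JSON, since an unescaped `"` inside the note text would make Renovate reject the option. The two doc links above the block cover `prbodynotes` and `prbodytemplate`, but the first variable set is `RENOVATE_PR_HEADER`; link the header option's own documentation entry rather than `prbodytemplate`, which is not used here.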
Copilot (AI) commented on Jan 22, 2026
The renovate.env file references documentation at "https://github.com/dotnet/arcade/blob/main/Documentation/Renovate.md", but according to the PR description, this documentation does not exist yet. The PR states "The intent is for eng/pipelines/templates/jobs/renovate.yml and eng/renovate.env to be moved to Arcade once things have been evaluated in this repo first", and references a related PR (dotnet/arcade#15594).
Consider either:
- Using a placeholder URL that will be updated when the documentation is created, or
- Removing the documentation link temporarily until it exists, or
- Creating the documentation first before this PR is merged
This could result in a broken link for users clicking on the PR body link.
| RENOVATE_PR_BODY_NOTES=["This PR has been created automatically by the [.NET Renovate Bot](https://github.com/dotnet/arcade/blob/main/Documentation/Renovate.md) to update one or more dependencies in your repo. Please review the changes and merge the PR if everything looks good."] | |
| RENOVATE_PR_BODY_NOTES=["This PR has been created automatically by the .NET Renovate Bot to update one or more dependencies in your repo. Please review the changes and merge the PR if everything looks good."] |
|
|
||
| - script: > | ||
| docker run | ||
| --env-file $(Build.SourcesDirectory)/eng/renovate.env |
Copilot (AI) commented on Jan 22, 2026
The path to eng/renovate.env is hard-coded in this script, but the template accepts a renovateConfigPath parameter. This creates an inconsistency where the renovate.json path can be customized, but the renovate.env path cannot.
Consider either:
- Adding a renovateEnvPath parameter with a default value of 'eng/renovate.env', similar to the renovateConfigPath parameter, or
- If renovate.env is always expected to be at eng/renovate.env, document this requirement in a comment near the renovateConfigPath parameter
This would make the template more flexible and reusable in different contexts.
| jq -r 'select(.msg == "PR created" and .pr != null) | "https://github.com/\(.repository)/pull/\(.pr)"' $(logDirectory)/renovate-log.json | sort -u | ||
| displayName: List created PRs |
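Review bot: in `jq -r '...' $(logDirectory)/renovate-log.json | sort -u` the step's exit status is that of `sort`, so a jq failure (file missing, empty or malformed) is masked and the step reports success with no output; add `set -o pipefail` at the top of the script, or run jq into a variable first and sort afterwards. Quote `"$(logDirectory)/renovate-log.json"` as well, for the same reason as the other path arguments.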
Copilot (AI) commented on Jan 22, 2026
The "List created PRs" step uses jq to parse the renovate-log.json file but lacks error handling. If the "Run Renovate" step fails before creating the log file, or if the log file is empty or malformed, this step will fail with an error from jq.
Consider adding error handling such as:
- Add a condition like `condition: succeededOrFailed()` so it runs even if previous steps failed
- Check for file existence before running jq: `test -f $(logDirectory)/renovate-log.json && jq ... || echo "No log file found"`
- Or use jq with the `-e` flag and handle its exit code appropriately
Additionally, this step will still run in dry-run mode and might report PRs even though they weren't actually created. Consider adding a condition to skip this step when dryRun is true.
| jq -r 'select(.msg == "PR created" and .pr != null) | "https://github.com/\(.repository)/pull/\(.pr)"' $(logDirectory)/renovate-log.json | sort -u | |
| displayName: List created PRs | |
| if [ -s "$(logDirectory)/renovate-log.json" ]; then | |
| if ! jq -r 'select(.msg == "PR created" and .pr != null) | "https://github.com/\(.repository)/pull/\(.pr)"' "$(logDirectory)/renovate-log.json" | sort -u; then | |
| echo "Failed to parse Renovate log file with jq." | |
| fi | |
| else | |
| echo "No Renovate log file found or file is empty." | |
| fi | |
| displayName: List created PRs | |
| condition: and(succeededOrFailed(), eq('${{ parameters.dryRun }}', false)) |
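Review bot: the `if ! jq -r '...' "$(logDirectory)/renovate-log.json" | sort -u; then` guard in this suggestion still tests the exit status of `sort`, not `jq`, so the `Failed to parse Renovate log file with jq.` branch is never taken when jq fails; either put `set -o pipefail` before the `if`, or run jq alone (`pr_urls=$(jq -r '...' "$(logDirectory)/renovate-log.json")`) and pipe the captured output to `sort -u` afterwards. The `condition` compares the quoted string `'${{ parameters.dryRun }}'` with the boolean `false`; confirm in a dry-run and a non-dry-run execution that the step is skipped and run as intended, since the boolean parameter is rendered into a string before `eq` sees it.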
| jobs: | ||
| - template: /eng/pipelines/templates/jobs/renovate.yml | ||
| parameters: | ||
| gitHubRepo: dotnet/dotnet-docker |
Copilot (AI) commented on Jan 22, 2026
The gitHubRepo parameter is set to 'dotnet/dotnet-docker', but this repository is dotnet/docker-tools (based on README.md and eng/pipelines/templates/variables/image-builder.yml which references "https://github.com/dotnet/docker-tools").
This means the Renovate pipeline will run against dotnet/dotnet-docker rather than the repository where the pipeline is defined. This may be intentional for testing purposes, but it should be clarified:
- If this is intentional (e.g., testing Renovate infrastructure on a different repo), consider adding a comment in the pipeline explaining this
- If Renovate should run against the docker-tools repository itself, change the gitHubRepo value to 'dotnet/docker-tools'
Additionally, the Renovate comment added to src/Dockerfile.linux in this PR will only be effective if Renovate runs against the docker-tools repository, not dotnet/dotnet-docker.
- `src/Dockerfile.linux` with Renovate tracking comment for ORAS version

The intent is for `eng/pipelines/templates/jobs/renovate.yml` and `eng/renovate.env` to be moved to Arcade once things have been evaluated in this repo first.

Related: dotnet/arcade#15594