Skip to main content

Running Renovate Bot on Nomad

This blog post might be outdated!
This blog post was published more than one year ago and might be outdated!
· 2 min read
Stephan Hochdörfer
Stephan Hochdörfer
Head of IT Business Operations

Earlier this year we decided to test Renovate to manage automated dependency updates in our self-hosted GitLab environment. Being able to run Renovate in our own environment and configure it to our needs made a lot of sense. Since we run our internal tooling on a Nomad cluster, we had to configure a Nomad job for Renovate.

Since Renovate needs to run periodically, deploying it as a cron job in Nomad made sense. Thankfully, it does not take much to configure a Nomad job to behave like a cron job and run periodically by adding the following lines to the job configuration:

periodic {
  cron = "@hourly"
  prohibit_overlap = true
}

This will instruct Nomad to run the job hourly and also make sure that the job execution will wait until previous instances of this job have been completed.

Other than that, it is needed to configure a Nomad job, group, and task to run the official Renovate Docker image and configure it via some environment variables. Secrets are not hardcoded but read from our central Vault instance:

job "renovatebot.batch" {
  datacenters = ["dc1"]
  type = "batch"

  meta {
    Container_OS = "Renovate"
  }

  vault {
    policies = ["default"]
    change_mode   = "signal"
    change_signal = "SIGUSR1"
  }

  periodic {
    cron = "@hourly"
    prohibit_overlap = true
  }

  group "renovatebot" {
    count = 1

    task "renovate" {
      driver = "docker"

      template {
        data = <<EOH
RENOVATE_AUTODISCOVER=true
RENOVATE_ENDPOINT=https://gitlab.loc/api/v4/
RENOVATE_GIT_AUTHOR=Renovate Bot <renovate@gitlab.loc>
RENOVATE_PLATFORM=gitlab
RENOVATE_TOKEN={{ with secret "renovatebot" }}{{ .Data.data.gitlab_token }}{{ end }}
RENOVATE_AUTOMERGE=false
RENOVATE_HOST_RULES={{ with secret "renovatebot" }}{{ .Data.data.host_rules }}{{ end }}
GITHUB_COM_TOKEN={{ with secret "renovatebot" }}{{ .Data.data.github_token }}{{ end }}
EOH
        destination = "secrets/.env"
        env = true
      }

      config {
        image = "renovate/renovate:latest"
      }

      resources {
        memory = 2048
        memory_max = 4096
      }
    }
  }
}

The deployment happens via a GitLab CI job which will run terraform to interact with the Nomad cluster:

deploy:prod:
  stage: deploy
  image: hashicorp/terraform:light
  only:
    - tags
  environment:
    name: production
  script:
    - terraform --version
    - terraform init
    - terraform validate
    - terraform plan -out "planfile"
    - terraform apply -input=false "planfile"
  allow_failure: false

Each time we create a new tag in GitLab, the deployment pipeline will run and deploy the job on our Nomad cluster. Every hour Renovate bot will run on any of our Nomad clients and check all assigned GitLab repositories for dependency upgrades.