
Running Renovate Bot on Nomad

· 2 min read
Stephan Hochdörfer

Earlier this year we decided to test Renovate to manage automated dependency updates in our self-hosted GitLab environment. Being able to run Renovate in our own environment and configure it to our needs made a lot of sense. Since we run our internal tooling on a Nomad cluster, we had to configure a Nomad job for Renovate.

Since Renovate needs to run periodically, deploying it as a cron job in Nomad made sense. Thankfully, it does not take much to configure a Nomad job to behave like a cron job and run periodically by adding the following lines to the job configuration:

periodic {
  cron             = "@hourly"
  prohibit_overlap = true
}

This instructs Nomad to run the job hourly and ensures that a new run does not start until previous instances of the job have completed.

Beyond that, a Nomad job, group, and task need to be configured to run the official Renovate Docker image and to configure it via a few environment variables. Secrets are not hardcoded but read from our central Vault instance:

job "renovatebot.batch" {
  datacenters = ["dc1"]
  type        = "batch"

  meta {
    Container_OS = "Renovate"
  }

  vault {
    policies      = ["default"]
    change_mode   = "signal"
    change_signal = "SIGUSR1"
  }

  periodic {
    cron             = "@hourly"
    prohibit_overlap = true
  }

  group "renovatebot" {
    count = 1

    task "renovate" {
      driver = "docker"

      # The field names inside the template actions did not survive extraction;
      # the names used here are placeholders for the keys stored in the
      # "renovatebot" secret, and ".Data.data.<key>" assumes a KV v2 engine
      # (a KV v1 engine would use ".Data.<key>").
      template {
        data = <<EOH
RENOVATE_GIT_AUTHOR=Renovate Bot <renovate@gitlab.loc>
RENOVATE_TOKEN={{ with secret "renovatebot" }}{{ .Data.data.renovate_token }}{{ end }}
RENOVATE_HOST_RULES={{ with secret "renovatebot" }}{{ .Data.data.host_rules }}{{ end }}
GITHUB_COM_TOKEN={{ with secret "renovatebot" }}{{ .Data.data.github_token }}{{ end }}
EOH
        destination = "secrets/.env"
        env         = true
      }

      config {
        image = "renovate/renovate:latest"
      }

      resources {
        memory     = 2048
        memory_max = 4096
      }
    }
  }
}

The deployment happens via a GitLab CI job which runs Terraform to interact with the Nomad cluster:

# the job name is assumed; it did not survive extraction
deploy:
  stage: deploy
  image: hashicorp/terraform:light
  only:
    - tags
  environment:
    name: production
  script:
    - terraform --version
    - terraform init
    - terraform validate
    - terraform plan -out "planfile"
    - terraform apply -input=false "planfile"
  allow_failure: false
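The post shows the CI job but not the Terraform configuration it applies. The following is an added example, not code from the original post: it registers the jobspec with the Nomad cluster via the hashicorp/nomad provider and, instead of relying on Vault's default policy, creates a read-only policy scoped to the single secret the job template reads. The cluster addresses, variable names, the jobspec file name, and the KV v2 mount at secret/ are assumptions.

```hcl
terraform {
  required_providers {
    nomad = { source = "hashicorp/nomad" }
    vault = { source = "hashicorp/vault" }
  }
}

# Tokens are passed in by the CI job as protected, masked CI/CD variables
# (assumed names); they are never committed to the repository.
variable "nomad_token" {
  type      = string
  sensitive = true
}

variable "vault_token" {
  type      = string
  sensitive = true
}

provider "nomad" {
  address   = "https://nomad.example.internal:4646" # assumed address
  secret_id = var.nomad_token
}

provider "vault" {
  address = "https://vault.example.internal:8200" # assumed address
  token   = var.vault_token
}

# Least-privilege policy: read access to exactly one secret and nothing else.
# Assumes a KV v2 engine mounted at "secret/" holding the "renovatebot" secret.
resource "vault_policy" "renovatebot" {
  name   = "renovatebot"
  policy = <<EOT
path "secret/data/renovatebot" {
  capabilities = ["read"]
}
EOT
}

# Submit the jobspec from the repository. Terraform re-registers the job
# whenever the file changes and waits for the registration to finish.
resource "nomad_job" "renovatebot" {
  jobspec = file("${path.module}/renovatebot.nomad.hcl") # assumed file name
  detach  = false

  depends_on = [vault_policy.renovatebot]
}
```

With this in place, the jobspec's `vault` stanza would list `policies = ["renovatebot"]` rather than `default`, and the Vault token Nomad derives for the task can then read only that one secret; Nomad's own Vault token role must be allowed to issue the `renovatebot` policy for this to work.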

Each time we create a new tag in GitLab, the deployment pipeline runs and deploys the job on our Nomad cluster. Every hour Renovate bot runs on one of our Nomad clients and checks all assigned GitLab repositories for dependency upgrades.