Self-Hosted configuration options¶
The configuration options listed in this document are applicable to self-hosted instances of Renovate ("the bot").
Please also see Self-Hosted Experimental Options.
Note
Config options with type=string
are always non-mergeable, so mergeable=false
.
allowCustomCrateRegistries¶
Set this to true
if custom crate registries are allowed.
Name | Value |
---|---|
type | boolean |
default | false |
cli | --allow-custom-crate-registries |
env | RENOVATE_ALLOW_CUSTOM_CRATE_REGISTRIES |
allowPlugins¶
Set this to true
if repositories are allowed to run install plugins.
Name | Value |
---|---|
type | boolean |
default | false |
cli | --allow-plugins |
env | RENOVATE_ALLOW_PLUGINS |
allowPostUpgradeCommandTemplating¶
Set this to true
to allow templating for post-upgrade commands.
Name | Value |
---|---|
type | boolean |
default | false |
cli | --allow-post-upgrade-command-templating |
env | RENOVATE_ALLOW_POST_UPGRADE_COMMAND_TEMPLATING |
Set to true
to allow templating of dependency level post-upgrade commands.
Let's look at an example of configuring packages with existing Angular migrations.
Add two properties to config.js
: allowPostUpgradeCommandTemplating
and allowedPostUpgradeCommands
:
module.exports = {
allowPostUpgradeCommandTemplating: true,
allowedPostUpgradeCommands: ['^npm ci --ignore-scripts$', '^npx ng update'],
};
In the renovate.json
file, define the commands and files to be included in the final commit.
The command to install dependencies (npm ci --ignore-scripts
) is necessary because, by default, the installation of dependencies is skipped (see the skipInstalls
global option).
{
"packageRules": [
{
"matchPackageNames": ["@angular/core"],
"postUpgradeTasks": {
"commands": [
"npm ci --ignore-scripts",
"npx ng update {{{depName}}} --from={{{currentVersion}}} --to={{{newVersion}}} --migrate-only --allow-dirty --force"
],
"fileFilters": ["**/**"]
}
}
]
}
With this configuration, the executable command for @angular/core
looks like this:
npm ci --ignore-scripts
npx ng update @angular/core --from=10.0.0 --to=11.0.0 --migrate-only --allow-dirty --force
allowScripts¶
Set this to true
if repositories are allowed to run install scripts.
Name | Value |
---|---|
type | boolean |
default | false |
cli | --allow-scripts |
env | RENOVATE_ALLOW_SCRIPTS |
allowedPostUpgradeCommands¶
A list of regular expressions that decide which post-upgrade tasks are allowed.
Name | Value |
---|---|
type | array |
subType | string |
cli | --allowed-post-upgrade-commands |
env | RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS |
A list of regular expressions that determine which commands in postUpgradeTasks
are allowed to be executed.
If this list is empty then no tasks will be executed.
e.g.
{
"allowedPostUpgradeCommands": ["^tslint --fix$", "^tslint --[a-z]+$"]
}
autodiscover¶
Autodiscover all repositories.
Name | Value |
---|---|
type | boolean |
default | false |
cli | --autodiscover |
env | RENOVATE_AUTODISCOVER |
When you enable autodiscover
, by default, Renovate will run on every repository that the bot account can access.
If you want Renovate to run on only a subset of those, use the autodiscoverFilter
option to limit the bot to only the wanted repositories.
autodiscoverFilter¶
Filter the list of autodiscovered repositories.
Name | Value |
---|---|
type | string |
cli | --autodiscover-filter |
env | RENOVATE_AUTODISCOVER_FILTER |
You can use this option to filter the list of repositories that the Renovate bot account can access through autodiscover
.
It takes a minimatch glob-style or regex pattern.
Minimatch:
{
"autodiscoverFilter": "project/*"
}
Regex:
All text inside the start and end /
will be treated as a regular expression.
{
"autodiscoverFilter": "/project/.*/"
}
You can negate the regex by putting a !
in front:
{
"autodiscoverFilter": "!/project/.*/"
}
baseDir¶
The base directory for Renovate to store local files, including repository files and cache. If left empty, Renovate will create its own temporary directory to use.
Name | Value |
---|---|
type | string |
cli | --base-dir |
env | RENOVATE_BASE_DIR |
default | null |
By default Renovate uses a temporary directory like /tmp/renovate
to store its data.
You can override this default with the baseDir
option.
e.g.
{
"baseDir": "/my-own-different-temporary-folder"
}
binarySource¶
Controls how third-party tools like npm or Gradle are called: directly, via Docker sidecar containers, or via dynamic install.
Name | Value |
---|---|
type | string |
allowedValues | global,docker,install |
default | "global" |
cli | --binary-source |
env | RENOVATE_BINARY_SOURCE |
Renovate often needs to use third-party binaries in its PRs, e.g. npm
to update package-lock.json
or go
to update go.sum
.
By default, Renovate will use a child process to run such tools, so they need to be pre-installed before running Renovate and available in the path.
Renovate can instead use "sidecar" containers for third-party tools when binarySource=docker
.
If configured, Renovate will use docker run
to create containers such as Node.js or Python to run tools within as-needed.
For this to work, docker
needs to be installed and the Docker socket available to Renovate.
Additionally, when Renovate is run inside a container built using containerbase/buildpack
, such as the official Renovate images on Docker Hub, then binarySource=install
can be used.
This mode means that Renovate will dynamically install the version of tools available, if supported.
Supported tools for dynamic install are:
composer
flux
jb
npm
Unsupported tools will fall back to binarySource=global
.
cacheDir¶
The directory where Renovate stores its cache. If left empty, Renovate creates a subdirectory within the baseDir
.
Name | Value |
---|---|
type | string |
cli | --cache-dir |
env | RENOVATE_CACHE_DIR |
default | null |
By default Renovate stores cache data in a temporary directory like /tmp/renovate/cache
.
Use the cacheDir
option to override this default.
The baseDir
and cacheDir
option may point to different directories.
You can use one directory for the repo data, and another for the cache data.
For example:
{
"baseDir": "/my-own-different-temporary-folder",
"cacheDir": "/my-own-different-cache-folder"
}
customEnvVariables¶
Custom environment variables for child processes and sidecar Docker containers.
Name | Value |
---|---|
type | object |
cli | --custom-env-variables |
env | RENOVATE_CUSTOM_ENV_VARIABLES |
This configuration will be applied after all other environment variables so that it can be used to override defaults.
detectGlobalManagerConfig¶
If true
, Renovate will try to detect global manager configuration from the file system.
Name | Value |
---|---|
type | boolean |
default | false |
cli | --detect-global-manager-config |
env | RENOVATE_DETECT_GLOBAL_MANAGER_CONFIG |
The purpose of this capability is to allow a bot admin to configure manager-specific files such as a global .npmrc
file, instead of configuring it in Renovate config.
This feature is disabled by default because it may prove surprising or undesirable for some users who don't expect Renovate to go into their home directory and import registry or credential information.
Currently this capability is supported for the npm
manager only - specifically the ~/.npmrc
file.
If found, it will be imported into config.npmrc
with config.npmrcMerge
will be set to true
.
detectHostRulesFromEnv¶
If true
, Renovate will try to detect host rules from environment variables.
Name | Value |
---|---|
type | boolean |
default | false |
cli | --detect-host-rules-from-env |
env | RENOVATE_DETECT_HOST_RULES_FROM_ENV |
The format of the environment variables must follow:
- Datasource name (e.g.
NPM
,PYPI
) - Underscore (
_
) matchHost
- Underscore (
_
) - Field name (
TOKEN
,USERNAME
, orPASSWORD
)
Hyphens (-
) in datasource or host name must be replaced with double underscores (__
).
Periods (.
) in host names must be replaced with a single underscore (_
).
Note
The following prefixes cannot be supported for this functionality: npm_config_
, npm_lifecycle_
, npm_package_
.
npmjs registry token example¶
NPM_REGISTRY_NPMJS_ORG_TOKEN=abc123
:
{
"hostRules": [
{
"hostType": "npm",
"matchHost": "registry.npmjs.org",
"token": "abc123"
}
]
}
GitLab Tags username/password example¶
GITLAB__TAGS_CODE__HOST_COMPANY_COM_USERNAME=bot GITLAB__TAGS_CODE__HOST_COMPANY_COM_PASSWORD=botpass123
:
{
"hostRules": [
{
"hostType": "gitlab-tags",
"matchHost": "code-host.company.com",
"username": "bot",
"password": "botpass123"
}
]
}
Datasource and credentials only¶
You can skip the host part, and use just the datasource and credentials.
DOCKER_USERNAME=bot DOCKER_PASSWORD=botpass123
:
{
"hostRules": [
{
"hostType": "docker",
"username": "bot",
"password": "botpass123"
}
]
}
dockerChildPrefix¶
Change this value to add a prefix to the Renovate Docker sidecar container names and labels.
Name | Value |
---|---|
type | string |
default | "renovate_" |
cli | --docker-child-prefix |
env | RENOVATE_DOCKER_CHILD_PREFIX |
Adds a custom prefix to the default Renovate sidecar Docker containers name and label.
If this is set to myprefix_
the final container created from renovate/node
image would be named myprefix_node
instead of currently used renovate_node
and be labeled myprefix_child
instead of renovate_child
.
Note
Dangling containers will only be removed when Renovate runs again with the same prefix.
dockerImagePrefix¶
Change this value to override the default Renovate Docker sidecar image name prefix.
Name | Value |
---|---|
type | string |
default | "docker.io/renovate" |
cli | --docker-image-prefix |
env | RENOVATE_DOCKER_IMAGE_PREFIX |
By default Renovate pulls the sidecar Docker containers from docker.io/renovate
.
You can use the dockerImagePrefix
option to override this default.
Say you want to pull your images from ghcr.io/renovatebot
instead of docker.io/renovate
.
You would use put this in your configuration file:
{
"dockerImagePrefix": "ghcr.io/renovatebot"
}
If you pulled a new node
image, the final image would be ghcr.io/renovatebot/node
instead of docker.io/renovate/node
.
dockerUser¶
Set the UID
and GID
for Docker-based binaries if you use binarySource=docker
.
Name | Value |
---|---|
type | string |
cli | --docker-user |
env | RENOVATE_DOCKER_USER |
default | null |
Override default user and group used by Docker-based binaries. The user-id (UID) and group-id (GID) should match the user that executes Renovate.
Read the Docker run reference for more information on user and group syntax.
Set this to 1001:1002
to use UID 1001 and GID 1002.
e.g.
{
"dockerUser": "1001:1002"
}
If you use binarySource=docker|install
read the section below.
If you need to change the Docker user please make sure to use the root (0
) group, otherwise you'll get in trouble with missing file and directory permissions.
Like this:
> export RENOVATE_DOCKER_USER="$(id -u):0" # 500:0 (username:root)
dryRun¶
If enabled, perform a dry run by logging messages instead of creating/updating/deleting branches and PRs.
Name | Value |
---|---|
type | string |
allowedValues | extract,lookup,full |
cli | --dry-run |
env | RENOVATE_DRY_RUN |
Use dryRun
to preview the behavior of Renovate in logs, without making any changes to the repository files.
You can choose from the following behaviors for the dryRun
config option:
null
: Default behavior - Performs a regular Renovate run including creating/updating/deleting branches and PRs"extract"
: Performs a very quick package file scan to identify the extracted dependencies"lookup"
: Performs a package file scan to identify the extracted dependencies and updates available"full"
: Performs a dry run by logging messages instead of creating/updating/deleting branches and PRs
Information provided mainly in debug log level.
endpoint¶
Custom endpoint to use.
Name | Value |
---|---|
type | string |
cli | --endpoint |
env | RENOVATE_ENDPOINT |
executionTimeout¶
Default execution timeout in minutes for child processes Renovate creates.
Name | Value |
---|---|
type | integer |
default | 15 |
cli | --execution-timeout |
env | RENOVATE_EXECUTION_TIMEOUT |
Default execution timeout in minutes for child processes Renovate creates. If this option is not set, Renovate will fallback to 15 minutes.
exposeAllEnv¶
Set this to true
to allow passing of all environment variables to package managers.
Name | Value |
---|---|
type | boolean |
default | false |
cli | --expose-all-env |
env | RENOVATE_EXPOSE_ALL_ENV |
By default, Renovate only passes a limited set of environment variables to package managers.
Confidential data can be leaked if a malicious script enumerates all environment variables.
Set exposeAllEnv
to true
only if you have reviewed (and trust) the repositories which Renovate bot runs against.
Setting this to true
will also allow for variable substitution in .npmrc
files.
force¶
Any configuration set in this object will force override existing settings.
Name | Value |
---|---|
type | object |
This object is used as a "force override" when you need to make sure certain configuration overrides whatever is configured in the repository. For example, forcing a null (no) schedule to make sure Renovate raises PRs on a run even if the repository itself or its preset defines a schedule that's currently inactive.
In practice, it is implemented by converting the force
configuration into a packageRule
that matches all packages.
forceCli¶
Decides if CLI configuration options are moved to the force
config section.
Name | Value |
---|---|
type | boolean |
default | true |
cli | --force-cli |
env | RENOVATE_FORCE_CLI |
This is set to true by default, meaning that any settings (such as schedule
) take maximum priority even against custom settings existing inside individual repositories.
It will also override any settings in packageRules
.
forkMode¶
Set to true
to fork the source repository and create branches there instead.
Name | Value |
---|---|
type | boolean |
default | false |
cli | --fork-mode |
env | RENOVATE_FORK_MODE |
You probably have no need for this option - it is an experimental setting for the Renovate hosted GitHub App.
If this is set to true
then Renovate will fork the repository into the personal space of the person owning the Personal Access Token.
forkToken¶
Will be used on GitHub when forkMode
is set to true
to clone the repositories.
Name | Value |
---|---|
type | string |
default | "" |
cli | --fork-token |
env | RENOVATE_FORK_TOKEN |
You probably have no need for this option - it is an experimental setting for the Renovate hosted GitHub App.
This should be set to a Personal Access Token (GitHub only) when forkMode
is set to true
.
Renovate will use this token to fork the repository into the personal space of the person owning the Personal Access Token.
Renovate will then create branches on the fork and opens Pull Requests on the parent repository.
gitNoVerify¶
Which Git commands will be run with the --no-verify
option.
Name | Value |
---|---|
type | array |
subType | string |
allowedValues | commit,push |
default | ["commit","push"] |
cli | --git-no-verify |
env | RENOVATE_GIT_NO_VERIFY |
Controls when Renovate passes the --no-verify
flag to git
.
The flag can be passed to git commit
and/or git push
.
Read the documentation for git commit --no-verify and git push --no-verify to learn exactly what each flag does.
To learn more about Git hooks, read the Pro Git 2 book, section on Git Hooks.
gitPrivateKey¶
PGP key to use for signing Git commits.
Name | Value |
---|---|
type | string |
env | RENOVATE_GIT_PRIVATE_KEY |
default | null |
This should be an armored private key, e.g. the type you get from running gpg --export-secret-keys --armor 92066A17F0D1707B4E96863955FEF5171C45FAE5 > private.key
.
Replace the newlines with \n
before adding the resulting single-line value to your bot's config.
It will be loaded lazily. Before the first commit in a repository, Renovate will:
- Run
gpg import
(if it hasn't been run before) - Run
git config user.signingkey
andgit config commit.gpgsign true
The git
commands are run locally in the cloned repo instead of globally.
This reduces the chance of unintended consequences with global Git configs on shared systems.
gitTimeout¶
Configure the timeout with a number of milliseconds to wait for a Git task.
Name | Value |
---|---|
type | integer |
default | 0 |
cli | --git-timeout |
env | RENOVATE_GIT_TIMEOUT |
To handle the case where the underlying Git processes appear to hang, configure the timeout with the number of milliseconds to wait after last received content on either stdOut
or stdErr
streams before sending a SIGINT
kill message.
gitUrl¶
Overrides the default resolution for Git remote, e.g. to switch GitLab from HTTPS to SSH-based.
Name | Value |
---|---|
type | string |
allowedValues | default,ssh,endpoint |
default | "default" |
cli | --git-url |
env | RENOVATE_GIT_URL |
Override the default resolution for Git remote, e.g. to switch GitLab from HTTPS to SSH-based. Currently works for GitLab only.
Possible values:
default
: use HTTPS URLs provided by the platform for Gitssh
: use SSH URLs provided by the platform for Gitendpoint
: ignore URLs provided by the platform and use the configured endpoint directly
githubTokenWarn¶
Display warnings about GitHub token not being set.
Name | Value |
---|---|
type | boolean |
default | true |
cli | --github-token-warn |
env | RENOVATE_GITHUB_TOKEN_WARN |
By default, Renovate logs and displays a warning when the GITHUB_COM_TOKEN
is not set.
By setting githubTokenWarn
to false
, Renovate suppresses these warnings on Pull Requests, etc.
Disabling the warning is helpful for self-hosted environments that can't access the github.com
domain, because the warning is useless in these environments.
globalExtends¶
Configuration presets to use or extend for a self-hosted config.
Name | Value |
---|---|
type | array |
subType | string |
cli | --global-extends |
env | RENOVATE_GLOBAL_EXTENDS |
Unlike the extends
field, which is passed through unresolved to be part of repository config, any presets in globalExtends
are resolved immediately as part of global config.
Therefore you need to use this field if your preset has any global-only configuration options, such as the list of repositories to run against.
Use the extends
field instead of this if, for example, you need the ability for a repository config (e.g. renovate.json
) to be able to use ignorePresets
for any preset defined in global config.
logContext¶
Add a global or per-repo log context to each log entry.
Name | Value |
---|---|
type | string |
cli | --log-context |
env | RENOVATE_LOG_CONTEXT |
logContext
is included with each log entry only if logFormat="json"
- it is not included in the pretty log output.
If left as default (null), a random short ID will be selected.
logFile¶
Log file path.
Name | Value |
---|---|
type | string |
cli | --log-file |
env | RENOVATE_LOG_FILE |
default | null |
logFileLevel¶
Set the log file log level.
Name | Value |
---|---|
type | string |
default | "debug" |
cli | --log-file-level |
env | RENOVATE_LOG_FILE_LEVEL |
migratePresets¶
Define presets here which have been removed or renamed and should be migrated automatically.
Name | Value |
---|---|
type | object |
additionalProperties | [object Object] |
cli | --migrate-presets |
env | RENOVATE_MIGRATE_PRESETS |
Use this if you have repositories that extend from a particular preset, which has now been renamed or removed. This is handy if you have a large number of repositories that all extend from a particular preset which you want to rename, without the hassle of manually updating every repository individually. Use an empty string to indicate that the preset should be ignored rather than replaced.
Example:
modules.exports = {
migratePresets: {
'@company': 'local>org/renovate-config',
},
};
In the above example any reference to the @company
preset will be replaced with local>org/renovate-config
.
onboarding¶
Require a Configuration PR first.
Name | Value |
---|---|
type | boolean |
cli | --onboarding |
env | RENOVATE_ONBOARDING |
default | true |
Set this to false
only if all three statements are true:
- You've configured Renovate entirely on the bot side (e.g. empty
renovate.json
in repositories) - You want to run Renovate on every repository the bot has access to
- You want to skip all onboarding PRs
onboardingBranch¶
Change this value to override the default onboarding branch name.
Name | Value |
---|---|
type | string |
default | "renovate/configure" |
env | RENOVATE_ONBOARDING_BRANCH |
Note
This setting is independent of branchPrefix
.
For example, if you configure branchPrefix
to be renovate-
then you'd still have the onboarding PR created with branch renovate/configure
until you configure onboardingBranch=renovate-configure
or similar.
If you have an existing Renovate installation and you change onboardingBranch
then it's possible that you'll get onboarding PRs for repositories that had previously closed the onboarding PR unmerged.
onboardingCommitMessage¶
Change this value to override the default onboarding commit message.
Name | Value |
---|---|
type | string |
env | RENOVATE_ONBOARDING_COMMIT_MESSAGE |
If commitMessagePrefix
or semanticCommits
values are defined then they will be prepended to the commit message using the same logic that is used for adding them to non-onboarding commit messages.
onboardingConfig¶
Configuration to use for onboarding PRs.
Name | Value |
---|---|
type | object |
default | {"$schema":"https://docs.renovatebot.com/renovate-schema.json"} |
mergeable | true |
cli | --onboarding-config |
env | RENOVATE_ONBOARDING_CONFIG |
onboardingConfigFileName¶
Change this value to override the default onboarding config file name.
Name | Value |
---|---|
type | string |
default | "renovate.json" |
env | RENOVATE_ONBOARDING_CONFIG_FILE_NAME |
If set to one of the valid config file names, the onboarding PR will create a configuration file with the provided name instead of renovate.json
.
Falls back to renovate.json
if the name provided is not valid.
onboardingNoDeps¶
Onboard the repository even if no dependencies are found.
Name | Value |
---|---|
type | boolean |
default | false |
cli | --onboarding-no-deps |
env | RENOVATE_ONBOARDING_NO_DEPS |
Set this to true if you want Renovate to create an onboarding PR even if no dependencies are found. Otherwise, Renovate skips onboarding a repository if it finds no dependencies in it.
onboardingPrTitle¶
Change this value to override the default onboarding PR title.
Name | Value |
---|---|
type | string |
default | "Configure Renovate" |
env | RENOVATE_ONBOARDING_PR_TITLE |
Similarly to onboardingBranch
, if you have an existing Renovate installation and you change onboardingPrTitle
then it's possible that you'll get onboarding PRs for repositories that had previously closed the onboarding PR unmerged.
optimizeForDisabled¶
Set to true
to first check for disabling in config before cloning.
Name | Value |
---|---|
type | boolean |
default | false |
cli | --optimize-for-disabled |
env | RENOVATE_OPTIMIZE_FOR_DISABLED |
password¶
Password for authentication.
Name | Value |
---|---|
type | string |
supportedPlatforms | azure,bitbucket,bitbucket-server |
cli | --password |
env | RENOVATE_PASSWORD |
default | null |
persistRepoData¶
If set to true
, repository data is kept between runs instead of deleted.
Name | Value |
---|---|
type | boolean |
default | false |
cli | --persist-repo-data |
env | RENOVATE_PERSIST_REPO_DATA |
Set this to true if you want Renovate to persist repo data between runs.
The intention is that this allows Renovate to do a faster git fetch
between runs rather than git clone
.
It also may mean that ignored directories like node_modules
can be preserved and save time on operations like npm install
.
platform¶
Platform type of repository.
Name | Value |
---|---|
type | string |
allowedValues | azure,bitbucket,bitbucket-server,gitea,github,gitlab |
default | "github" |
cli | --platform |
env | RENOVATE_PLATFORM |
prCommitsPerRunLimit¶
Set the maximum number of commits per Renovate run. By default there is no limit.
Name | Value |
---|---|
type | integer |
default | 0 |
cli | --pr-commits-per-run-limit |
env | RENOVATE_PR_COMMITS_PER_RUN_LIMIT |
Parameter to reduce CI load. CI jobs are usually triggered by these events: pull-request creation, pull-request update, automerge events. Set as an integer. Default is no limit.
printConfig¶
If enabled, Renovate logs the fullly resolved config for each repo, plus the fully resolved presets.
Name | Value |
---|---|
type | boolean |
default | false |
cli | --print-config |
env | RENOVATE_PRINT_CONFIG |
This option is useful for troubleshooting, particularly if using presets.
e.g. run renovate foo/bar --print-config > config.log
and the fully-resolved config will be included in the log file.
privateKey¶
Server-side private key.
Name | Value |
---|---|
type | string |
replaceLineReturns | true |
cli | --private-key |
env | RENOVATE_PRIVATE_KEY |
default | null |
This private key is used to decrypt config files.
The corresponding public key can be used to create encrypted values for config files. If you want a simple UI to encrypt values you can put the public key in a HTML page similar to https://app.renovatebot.com/encrypt.
To create the key pair with GPG use the following commands:
gpg --full-generate-key
and follow the prompts to generate a key. Name and email are not important to Renovate, and do not configure a passphrase. Use a 4096bit key.
key generation log
❯ gpg --full-generate-key
gpg (GnuPG) 2.2.24; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Renovate Bot
Email address: renovate@whitesourcesoftware.com
Comment:
You selected this USER-ID:
"Renovate Bot <renovate@whitesourcesoftware.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: key 0649CC3899F22A66 marked as ultimately trusted
gpg: revocation certificate stored as '/Users/rhys/.gnupg/openpgp-revocs.d/794B820F34B34A8DF32AADB20649CC3899F22A66.rev'
public and secret key created and signed.
pub rsa4096 2021-09-10 [SC]
794B820F34B34A8DF32AADB20649CEXAMPLEONLY
uid Renovate Bot <renovate@whitesourcesoftware.com>
sub rsa4096 2021-09-10 [E]
- Copy the key ID from the output (
794B820F34B34A8DF32AADB20649CEXAMPLEONLY
in the above example) or rungpg --list-secret-keys
if you forgot to take a copy - Run
gpg --armor --export-secret-keys YOUR_NEW_KEY_ID > renovate-private-key.asc
to generate an armored (text-based) private key file - Run
gpg --armor --export YOUR_NEW_KEY_ID > renovate-public-key.asc
to generate an armored (text-based) public key file
The private key should then be added to your Renovate Bot global config (either using privateKeyPath
or exporting it to the RENOVATE_PRIVATE_KEY
environment variable).
The public key can be used to replace the existing key in https://app.renovatebot.com/encrypt for your own use.
Any encrypted secrets using GPG must have a mandatory organization/group scope, and optionally can be scoped for a single repository only. The reason for this is to avoid "replay" attacks where someone could learn your encrypted secret and then reuse it in their own Renovate repositories. Instead, with scoped secrets it means that Renovate ensures that the organization and optionally repository values encrypted with the secret match against the running repository.
Note
Simple public key encryption was previously used to encrypt secrets, but this approach has been deprecated and is no longer documented.
privateKeyOld¶
Secondary or old private key to try.
Name | Value |
---|---|
type | string |
replaceLineReturns | true |
cli | --private-key-old |
env | RENOVATE_PRIVATE_KEY_OLD |
default | null |
Use this field if you need to perform a "key rotation" and support more than one keypair at a time.
Decryption with this key will be tried after privateKey
.
If you are migrating from the legacy public key encryption approach to use GPG, then move your legacy private key from privateKey
to privateKeyOld
and then put your new GPG private key in privateKey
.
Doing so will mean that Renovate will first try to decrypt using the GPG key but fall back to the legacy key and try that next.
You can remove the privateKeyOld
config option once all the old encrypted values have been migrated, or if you no longer want to support the old key and let the processing of repositories fail.
privateKeyPath¶
Path to the Server-side private key.
Name | Value |
---|---|
type | string |
cli | --private-key-path |
env | RENOVATE_PRIVATE_KEY_PATH |
default | null |
Used as an alternative to privateKey
, if you want the key to be read from disk instead.
privateKeyPathOld¶
Path to the Server-side old private key.
Name | Value |
---|---|
type | string |
cli | --private-key-path-old |
env | RENOVATE_PRIVATE_KEY_PATH_OLD |
default | null |
Used as an alternative to privateKeyOld
, if you want the key to be read from disk instead.
productLinks¶
Links which are used in PRs, issues and comments.
Name | Value |
---|---|
type | object |
mergeable | true |
default | {"documentation":"https://docs.renovatebot.com/","help":"https://github.com/renovatebot/renovate/discussions","homepage":"https://github.com/renovatebot/renovate"} |
additionalProperties | [object Object] |
cli | --product-links |
env | RENOVATE_PRODUCT_LINKS |
Override this object if you want to change the URLs that Renovate links to, e.g. if you have an internal forum for asking for help.
redisUrl¶
If set, this Redis URL will be used for caching instead of the file system.
Name | Value |
---|---|
type | string |
cli | --redis-url |
env | RENOVATE_REDIS_URL |
default | null |
If this value is set then Renovate will use Redis for its global cache instead of the local file system.
The global cache is used to store lookup results (e.g. dependency versions and release notes) between repositories and runs.
Example url: redis://localhost
.
repositories¶
List of Repositories.
Name | Value |
---|---|
type | array |
env | RENOVATE_REPOSITORIES |
Elements in the repositories
array can be an object if you wish to define additional settings:
{
repositories: [
{ repository: 'g/r1', bumpVersion: true },
'g/r2'
],
}
repositoryCache¶
This option decides if Renovate uses a JSON cache to speed up extractions.
Name | Value |
---|---|
type | string |
allowedValues | disabled,enabled,reset |
default | "disabled" |
cli | --repository-cache |
env | RENOVATE_REPOSITORY_CACHE |
Set this to "enabled"
to have Renovate maintain a JSON file cache per-repository to speed up extractions.
Set to "reset"
if you ever need to bypass the cache and have it overwritten.
JSON files will be stored inside the cacheDir
beside the existing file-based package cache.
Warning
This is an experimental feature and may be modified or removed in a future non-major release.
requireConfig¶
Controls Renovate's behavior regarding repository config files such as renovate.json
.
Name | Value |
---|---|
type | string |
default | "required" |
allowedValues | required,optional,ignored |
cli | --require-config |
env | RENOVATE_REQUIRE_CONFIG |
By default, Renovate needs a Renovate config file in each repository where it runs before it will propose any dependency updates.
You can choose any of these settings:
"required"
(default): a repository config file must be present"optional"
: if a config file exists, Renovate will use it when it runs"ignored"
: config files in the repo will be ignored, and have no effect
This feature is closely related to the onboarding
config option.
The combinations of requireConfig
and onboarding
are:
onboarding=true |
onboarding=false |
|
---|---|---|
requireConfig=required |
An onboarding PR will be created if no config file exists. If the onboarding PR is closed and there's no config file, then the repository is skipped. | Repository is skipped unless a config file is added manually. |
requireConfig=optional |
An onboarding PR will be created if no config file exists. If the onboarding PR is closed and there's no config file, the repository will be processed. | Repository is processed regardless of config file presence. |
requireConfig=ignored |
No onboarding PR will be created and repo will be processed while ignoring any config file present. | Repository is processed, any config file is ignored. |
secrets¶
Object which holds secret name/value pairs.
Name | Value |
---|---|
type | object |
mergeable | true |
additionalProperties | [object Object] |
cli | --secrets |
env | RENOVATE_SECRETS |
Secrets may be configured by a bot admin in config.js
, which will then make them available for templating within repository configs.
For example, to configure a GOOGLE_TOKEN
to be accessible by all repositories:
module.exports = {
secrets: {
GOOGLE_TOKEN: 'abc123',
},
};
They can also be configured per repository, e.g.
module.exports = {
repositories: [
{
repository: 'abc/def',
secrets: {
GOOGLE_TOKEN: 'abc123',
},
},
],
};
It could then be used in a repository config or preset like so:
{
"hostRules": [
{
"matchHost": "google.com",
"token": "{{ secrets.GOOGLE_TOKEN }}"
}
]
}
Secret names must start with an upper or lower case character and can have only characters, digits, or underscores.
skipInstalls¶
Skip installing modules/dependencies if lock file updating is possible without a full install.
Name | Value |
---|---|
type | boolean |
cli | --skip-installs |
env | RENOVATE_SKIP_INSTALLS |
default | null |
By default, Renovate will use the most efficient approach to updating package files and lock files, which in most cases skips the need to perform a full module install by the bot.
If this is set to false, then a full install of modules will be done.
This is currently applicable to npm
and lerna
/npm
only, and only used in cases where bugs in npm
result in incorrect lock files being updated.
token¶
Repository Auth Token.
Name | Value |
---|---|
type | string |
cli | --token |
env | RENOVATE_TOKEN |
default | null |
unicodeEmoji¶
Enable or disable Unicode emoji.
Name | Value |
---|---|
type | boolean |
default | true |
cli | --unicode-emoji |
env | RENOVATE_UNICODE_EMOJI |
If enabled emoji shortcodes (:warning:
) are replaced with their Unicode equivalents (⚠️
).
username¶
Username for authentication.
Name | Value |
---|---|
type | string |
supportedPlatforms | azure,bitbucket,bitbucket-server |
cli | --username |
env | RENOVATE_USERNAME |
default | null |
You might need to set a username
if you use:
- The Bitbucket platform, or
- use the GitHub App with CLI (required)
If you're using a Personal Access Token (PAT) to authenticate then you should not specify username
.
writeDiscoveredRepos¶
Writes discovered repositories to a JSON file and then exit.
Name | Value |
---|---|
type | string |
cli | --write-discovered-repos |
default | null |
Optional parameter which allows to write the discovered repositories into a JSON file instead of renovating them.
Usage: renovate --write-discovered-repos=/tmp/renovate-repos.json
["myOrg/myRepo", "myOrg/anotherRepo"]