Add dependabot and renovate

[yarhamjohn]

I noticed that we seem to be using a mix of Dependabot and Renovate for automating dependency upgrade PRs in our repos. Should we consolidate on one, and if so which?

Currently I am leaning towards Dependabot because its fully integrated with Github where as Renovate is a third-party tool. There may however be good reason why Renovate is better than Dependabot so please do discuss :)

• Are you happy for the content of this change to be publicly visible?
• Are all new or updated entries marked as isNew = true?
• Does radar.csv render correctly when viewed on Github?
• Does the updated tech radar display as you expect?

[adrianbanks]

When we introduced automated dependency updates, we went with renovate as it worked better with the two different project styles - so much so that some teams actively switched away from dependabot.

I think it is worth bringing this up again though to at least check that decision is still the correct one.

[mark-raymond]

3 years ago there were good reasons to go with Renovate over dependabot, but a lot could have changed in that time: https://github.com/red-gate/ArchitectureDecisions/blob/main/SQL%20Data%20Catalog/2019-04-29-use-renovate-to-auto-update-dependencies.md

[Greg-Smulko]

Thanks for linking to that ADR Mark!

The most relevant bit is this IMO:

dependabot - this does a great job for npm dependencies, but was unable to handle nuget dependencies hosted in our private Redgate Azure Devops package feed.
Renovate was the only one of the three options that was able to handle both npm and nuget dependencies from the Redgate feed.

So I assume we'd need to check whether the above is still true?

If dependabot handles private NuGet feed, I'd lean towards it, for the reasons you specified. And also Renovate is from Whitesource, and we moved from Whitesource to Snyk, so no argument for "a single provider that integrates it all". But, actually, Snyk also provides the option to automatically update dependencies - we'd only need to configure it in terms of granting access to GitHub repos. Something worth investigating I'd say?

(linking to this Slack message):

Hi, I wanted to resurrect this thread - having GitHub integration would mean that we can replace Whitesource's Renovate bot with Snyk and have everything in a single place.
Any hope to have it added to your long list @rmc47 by any chance? 😉

[mark-raymond]

Which repos use dependabot? https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/ says its configuration is in .github/dependabot.yml but no Redgate repos have that file.

[rmc47]

we'd only need to configure it in terms of granting access to GitHub repos. Something worth investigating I'd say?

Thanks for the nudge on this. It's definitely worth investigating, but last time I played, Snyk's GH auth was a bit more painful than I had hoped - by default, it OAuth's as the user making the connection and performs actions as that user, which isn't ideal.

They offer a broker service that acts as a connector between Snyk and GitHub, and I have a task on my backlog (https://jira.red-gate.com/browse/SEC-75) to implement that - but I've struggled to find time to do so to date.

[yarhamjohn]

Which repos use dependabot? https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/ says its configuration is in .github/dependabot.yml but no Redgate repos have that file.

Not sure how its done tbh but we have dependabot in CORE-WebsiteAndIntranet

[mark-raymond]

Which repos use dependabot? https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/ says its configuration is in .github/dependabot.yml but no Redgate repos have that file.

Not sure how its done tbh but we have dependabot in CORE-WebsiteAndIntranet

How do you configure it?

[yarhamjohn]

Which repos use dependabot? https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/ says its configuration is in .github/dependabot.yml but no Redgate repos have that file.

Not sure how its done tbh but we have dependabot in CORE-WebsiteAndIntranet

How do you configure it?

Not sure, but maybe its turned on by the vulnerability_alerts = true line in https://github.com/red-gate/terraform-github/blob/main/terraform/github.red-gate.repos.tf? Not sure how it would be configured without a yml though

[yarhamjohn]

There are 685 issues mentioning dependabot in red-gate including issues on repos like spawn, CORE-RedGate.Client, SqlDataCatalog, website-static etc

[TheEadie]

I believe we've settled on Renovate across the board now? So this PR is inverted from our actual decision?
We should get this updated with Renovate as Adopt and Dependabot as Hold.

[Greg-Smulko]

I believe we've settled on Renovate across the board now? So this PR is inverted from our actual decision? We should get this updated with Renovate as Adopt and Dependabot as Hold.

I agree that Renovate is the default and the main one.

But, I think the situation is that we still have Dependabot enabled on repos by default for security updates. I'm not 100% sure about that, but we get some PRs from Dependabot in Monitor sporadically.

The UI (from my private repo) looks like this, and I suspect that's the set of options we have enabled - but we can confirm with ITOps: