
Renovate Smart Merge Control Implementation Examples

Overview

The following article provides a deep dive into how to use Mend Renovate's Smart Merge Control feature and what each of its packageRules does.

Group High-Confidence Updates

When using Renovate, you can choose to have updates delivered individually, or grouped, using various static configuration options.

  • When updates are not grouped (i.e. delivered individually), a user has to process each update manually and separately, which takes additional time and effort.

  • When updates are grouped, a single update with a low confidence of merging can cause the whole group to fail.

Configuration Example

The below example groups all minor and patch updates with very high or high confidence into a single pull request named "Mend: high confidence minor and patch dependency updates".

JSON
{
  "packageRules": [
    {
      "groupName": "Mend: high confidence minor and patch dependency updates",
      "matchUpdateTypes": ["minor", "patch"],
      "matchConfidence": ["very high", "high"]
    }
  ]
}

Suppress Low-Confidence Updates

When suppressing updates based on confidence level, the only updates that will appear in Renovate pull requests are those with a higher chance of merging successfully. Not only will this reduce the number of pull requests that your developers see, but the pull requests that are created are effective and easier to act on.

Configuration Example

The below example suppresses any update with low or neutral confidence, so that it is held in the Dependency Dashboard instead of being opened as a pull request. The issues tab must be enabled for the Dependency Dashboard to populate.

This should be used with caution for Azure DevOps and Bitbucket, as the Dependency Dashboard feature is unavailable there and there is currently no way to open the suppressed pull requests.

JSON
{
  "packageRules": [
    {
      "matchConfidence": ["low"],
      "dependencyDashboardApproval": true,
      "commitMessagePrefix": "[LOW] "
    },
    {
      "matchConfidence": ["neutral"],
      "dependencyDashboardApproval": true,
      "commitMessagePrefix": "[NEUTRAL] "
    }
  ]
}

If you are using Remediate and Renovate together, we do not recommend suppressing low and neutral findings as the security updates will be “trapped” in the Dependency Dashboard.

Auto-Merge

Even with the best recommendations, accepting and merging pull requests can be a time-consuming activity and one that competes with other developer priorities. This can lead to the task of updating dependencies becoming a chore, leading the developer to delay or postpone the task of merging critical updates.

With Smart Merge Control, developers can configure Renovate to automatically merge pull requests that have high merge confidence. This way, updates that are known to be trusted can be seamlessly merged into the codebase without any developer intervention. This will free up the developers for other tasks, while also ensuring a continuous improvement in the security of the application.

Configuration Example

The below example groups all minor and patch updates with very high or high confidence into a single pull request named "Mend: high confidence minor and patch dependency updates" and automatically merges that pull request.

JSON
{
  "packageRules": [
    {
      "groupName": "Mend: high confidence minor and patch dependency updates",
      "matchUpdateTypes": ["minor", "patch"],
      "matchConfidence": ["very high", "high"],
      "automerge": true
    }
  ]
}
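To make the three packageRule examples above concrete (the high-confidence group, the low/neutral suppression, and the auto-merge rule), here is an added Python model; it is not Renovate's or Mend's code. It applies the combined rules to a few constructed sample updates, showing where each one ends up, and adds the audit a reviewer would want before enabling automerge: a check that no update type can be auto-merged at low or neutral confidence. The matching logic is a simplification that covers only matchUpdateTypes and matchConfidence plus Renovate's rule order (every matching rule is applied in sequence, later rules override earlier ones for the same key); the dependency names and the UPDATE_TYPES list are assumptions made for the illustration.

```python
"""Simplified model of how Renovate applies packageRules to an update.

Added illustration, not Renovate's or Mend's own code. Only the two matchers
used on this page (matchUpdateTypes, matchConfidence) are modelled, together
with the rule-merging order: every rule whose matchers all match is applied
in sequence, and a later rule overrides an earlier one for the same key.
"""
from __future__ import annotations

from typing import Any

Rule = dict[str, Any]
Update = dict[str, str]

# The four levels matchConfidence accepts, and a subset of Renovate's update
# types (assumption: only these three are enumerated by the audit below).
CONFIDENCE_LEVELS = ["low", "neutral", "high", "very high"]
UPDATE_TYPES = ["major", "minor", "patch"]
TRUSTED_CONFIDENCE = {"high", "very high"}

# The page's packageRules combined: high-confidence grouping with automerge,
# plus low/neutral suppression into the Dependency Dashboard.
SMART_MERGE_CONFIG: dict[str, Any] = {
    "packageRules": [
        {
            "groupName": "Mend: high confidence minor and patch dependency updates",
            "matchUpdateTypes": ["minor", "patch"],
            "matchConfidence": ["very high", "high"],
            "automerge": True,
        },
        {
            "matchConfidence": ["low"],
            "dependencyDashboardApproval": True,
            "commitMessagePrefix": "[LOW] ",
        },
        {
            "matchConfidence": ["neutral"],
            "dependencyDashboardApproval": True,
            "commitMessagePrefix": "[NEUTRAL] ",
        },
    ]
}

# matcher key in a rule -> field of the candidate update it is compared with
MATCHERS = {"matchUpdateTypes": "updateType", "matchConfidence": "confidence"}


def rule_matches(rule: Rule, update: Update) -> bool:
    """A rule applies only if every matcher it declares accepts the update."""
    return all(
        update[field] in rule[key] for key, field in MATCHERS.items() if key in rule
    )


def resolve(config: dict[str, Any], update: Update) -> Rule:
    """Merge the non-matcher settings of every applicable rule, in order."""
    resolved: Rule = {}
    for rule in config["packageRules"]:
        if rule_matches(rule, update):
            resolved.update({k: v for k, v in rule.items() if k not in MATCHERS})
    return resolved


def outcome(config: dict[str, Any], update: Update) -> str:
    """Where the update ends up, following the behaviour the page describes."""
    settings = resolve(config, update)
    if settings.get("dependencyDashboardApproval"):
        return "held in Dependency Dashboard for approval"
    where = "grouped PR" if settings.get("groupName") else "individual PR"
    return f"{where}, automerge" if settings.get("automerge") else f"{where}, manual merge"


def audit_automerge(config: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (updateType, confidence) pairs that would be auto-merged without
    high or very high confidence: the combination a reviewer of a Smart Merge
    Control config should never see. An empty list means the config is clean."""
    risky: list[tuple[str, str]] = []
    for update_type in UPDATE_TYPES:
        for confidence in CONFIDENCE_LEVELS:
            settings = resolve(config, {"updateType": update_type, "confidence": confidence})
            if settings.get("automerge") and confidence not in TRUSTED_CONFIDENCE:
                risky.append((update_type, confidence))
    return risky


# Constructed sample updates (dependency names are made up).
SAMPLE_UPDATES: list[Update] = [
    {"depName": "example-lib-a", "updateType": "minor", "confidence": "high"},
    {"depName": "example-lib-b", "updateType": "patch", "confidence": "very high"},
    {"depName": "example-lib-c", "updateType": "major", "confidence": "high"},
    {"depName": "example-lib-d", "updateType": "minor", "confidence": "low"},
    {"depName": "example-lib-e", "updateType": "patch", "confidence": "neutral"},
]

if __name__ == "__main__":
    for u in SAMPLE_UPDATES:
        print(f"{u['depName']:14} {u['updateType']:5} {u['confidence']:9} -> "
              f"{outcome(SMART_MERGE_CONFIG, u)}")
    print("risky automerge combinations:", audit_automerge(SMART_MERGE_CONFIG))
```

The audit is the part worth keeping around: a rule such as `{"matchUpdateTypes": ["patch"], "automerge": true}` without a confidence matcher passes Renovate's config validation but would auto-merge low and neutral patch updates, and `audit_automerge` reports exactly those combinations.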

Getting it done

Prerequisites

Configure

The below steps walk through setting up an implementation of Smart Merge Control with high-confidence grouping, low-confidence suppression, and auto-merge.

Our Mend Field Engineering team offers different JSON file examples in the Mend Toolkit.

Please note that the examples within the mend-toolkit repo may change in the future. It is only recommended to point directly to them for a limited time while testing the solution. For production usage, it is recommended to maintain the JSON file in your own repository, as shown below.

Point your Mend Repository Integration to a renovate.json file

  • Create a smart-merge.json file in your whitesource-config global configuration repository.

    • This file can be named anything; smart-merge is used here as an example.

  • Add the following to your smart-merge.json file.

    JSON
    {
      "packageRules": [
        {
          "groupName": "Mend: high confidence minor and patch dependency updates",
          "matchUpdateTypes": ["minor", "patch"],
          "matchConfidence": ["very high", "high"]
        },
        {
          "matchConfidence": ["low"],
          "dependencyDashboardApproval": true,
          "commitMessagePrefix": "[LOW] "
        },
        {
          "matchConfidence": ["neutral"],
          "dependencyDashboardApproval": true,
          "commitMessagePrefix": "[NEUTRAL] "
        }
      ]
    }
    
  • The above configuration combines high-confidence minor and patch grouping with low-confidence suppression and is common practice for GitHub and GitLab, where the Dependency Dashboard is available. For repository integrations without a Dependency Dashboard, it is recommended to remove the two rules that match low and neutral confidence (lines 8-17 of the file above).

  • Point your repo-config.json to the smart-merge.json file via the remediateSettings.extends block.

    JSON
    {
      "remediateSettings": {
        "workflowRules": {
          "enabled": false
        },
        "enableRenovate": true,
        "extends": [
          "config:recommended",
          "mergeConfidence:all-badges",
          "github>your-organization-name/whitesource-config:smart-merge"
        ]
      }
    }

  • The above example is for GitHub.com; your-organization-name should be replaced with the name of your organization. For all other repo integrations, it is recommended to use "local>whitesource-config/whitesource-config:smart-merge".

For more information on the syntax for pointing to a JSON file as a preset, read Renovate's config preset documentation.

Run the scan

As Renovate applies to open source components (SCA), you can initiate Smart Merge Control via one of the following valid push commands of the Mend Repository Integrations’ SCA scan:

  • One of the commits in the push command includes an addition/modification of the package manager dependency file(s). Refer to the list of supported dependency files to find out whether your dependency files are supported.

View your results

Renovate Dependency Dashboard issue

An issue will be created by Renovate called “Dependency Dashboard” that gives a high-level view of Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Pull requests for very high-confidence updates

A single pull request called “Mend: high confidence minor and patch dependency updates” will be created by whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates. This pull request contains merge confidence data on all minor and patch update types with a high or very high Merge Confidence level. This pull request will need to be manually merged.

Pull requests for all other updates

A separate pull request will be created by whitesource-remediate for each remaining update that does not have a low or neutral Merge Confidence level. These pull requests will need to be manually merged.

Existing pull requests

Existing pull requests that contain updates with a low or neutral Merge Confidence level will be auto-closed.

New pull requests

Any new pull requests that contain updates with a low or neutral Merge Confidence level will be listed in the Dependency Dashboard issue, where they must be manually approved before they are created.

Reference
