Renovate
TLDR: Renovate is a great tool for automating package and container updates.
I finally set up Renovate in my lab and let me tell you, it's wonderful. If you're not familiar with Renovate, it's a GitHub (or other source control platform) bot that can automate dependency updates in your project. Think Dependabot, except Renovate can also update Docker container image tags. And coincidentally, that's my particular use case. Lucky me.
I used this great guide by Nick Cunningham to make things easier, with a few minor tweaks since I am using Forgejo instead of Gitea. I was drawn to Renovate because I already use Komodo and Forgejo, and the three seem to be a popular combination in the community. Overall the setup was pretty simple, though since I already had two thirds of it in place your mileage may vary. I did have a bit of trouble getting Renovate to run successfully with a GitHub token, so I had to recreate it a couple of times to get the right permissions. I also accidentally used the wrong value for the workspace path, but that was an easy fix aided by reading the documentation (helpful sometimes).
I also had to go through all of my Komodo stacks, which I have defined using resource syncs in a git repo, and make sure the image version pins were set appropriately for Renovate to do its job: an image with no tag or with a floating tag like latest gives Renovate nothing to bump. I ended up having to update all but the two most recently added stacks, which makes me wonder where the 'good practice' I thought I had went... Also, GitHub's container registry is terrible if you're trying to actually search for tags. Like, get it together. Anyway, once everything was set up and working Renovate immediately found a few available updates, and I was able to get them deployed simply by merging the created PRs. Woo, automation! Now I just have to actually stick to a patching schedule for OS updates, especially since I've already gone through the effort of creating the automation...