Renovate - Automated updates
Vortex uses Renovate for automated dependency updates.
The configuration is stored in renovate.json. It is
based on Renovate configuration for automated Drupal dependency updates
project.
How updates are organized
All Renovate PRs use the branch prefix deps/ and are labeled Dependencies.
Assignees can be configured in the assignees field.
Update rules
| Group | Packages | Update types | Schedule |
|---|---|---|---|
| Drupal core | drupal/core-recommended, drupal/core-composer-scaffold and other drupal/core-* packages | Minor, patch | Daily before 2 AM UTC |
| Drupal contrib and PHP packages (non-core) | All Drupal contrib modules and non-Drupal Packagist packages | Minor, patch | Weekly, Sunday before 2 AM UTC |
| JS packages | All npm packages (root package.json only) | Minor, patch | Weekly, Sunday before 2 AM UTC |
| Container images | All images in .docker/ and docker-compose.yml | Major, minor, patch | Daily before 3 AM UTC |
| GitHub Actions | All actions (pinned to digests) | Major, minor, patch | Daily before 3 AM UTC |
Disabled updates
These are intentionally skipped by Renovate — update them manually:
| Group | What is skipped | Why |
|---|---|---|
| Drupal core major | drupal/core-recommended, drupal/core-composer-scaffold and other drupal/core-* packages | Major version upgrades may introduce breaking changes |
| PHP and Drupal contrib major | All Drupal contrib modules and non-Drupal Packagist packages | Major version upgrades may introduce breaking changes |
| JS major | All npm packages | Major version upgrades may introduce breaking changes |
| PHP language version | php constraint in composer.json | Major version upgrades may introduce breaking changes |
| JS language versions | node, yarn in package.json | Major version upgrades may introduce breaking changes |
| JS non-root packages | Any package.json not at the root | Theme dependencies are managed separately |
Self-hosted vs GitHub app
Renovate can run as a hosted GitHub app or as a standalone self-hosted service in CircleCI or GitHub Actions.
A self-hosted service can be beneficial when your project is restricted in terms of third-party access.
Note: If the RENOVATE_TOKEN is not provided and the job is configured, the job will still run but the Renovate
update steps will be skipped gracefully without causing a build failure.
Setting up Renovate self-hosted in CircleCI
Required environment variables
The following environment variables must be manually created in the CircleCI project settings:
RENOVATE_TOKEN(required): GitHub access token with repository write permissionsRENOVATE_REPOSITORIES(required): Repository to run Renovate on in formatyourorg/repoRENOVATE_GIT_AUTHOR(required): Author for Renovate commits in formatName <email@example.com>(e.g.,Renovate Bot <renovate@example.com>)
Optional environment variables
These can be created to customize behavior (will use defaults if not set):
RENOVATE_DRY_RUN: Set totrueto test runs without making changes (default:false)RENOVATE_DEPENDENCY_DASHBOARD: Set totrueto enable the dependency dashboard (default:false)
Note that triggering actions from the self-hosted service is not supported.
Manual trigger
The Renovate job in CircleCI can be triggered manually from the CircleCI pipeline UI.
Debug logging
Debug logging is enabled by default with LOG_LEVEL: 'debug' to provide detailed
information about the Renovate execution process. This helps with troubleshooting
dependency update issues and understanding why certain updates might be skipped.
Setting up Renovate self-hosted in GitHub Actions
Required environment variables
The following must be manually created in the GitHub repository settings:
RENOVATE_TOKEN(required): GitHub access token with repository write permissions Location: Settings > Secrets and variables > Actions > Repository secretsRENOVATE_GIT_AUTHOR(required): Author for Renovate commits in formatName <email@example.com>(e.g.,Renovate Bot <renovate@example.com>) Location: Settings > Secrets and variables > Actions > Repository variables
Optional environment variables
These can be created to customize behavior (will use defaults if not set):
RENOVATE_REPOSITORIES: Repository to run Renovate on in formatyourorg/repo(default: uses current repository)RENOVATE_DRY_RUN: Set totrueto test runs without making changes (default:false)RENOVATE_DEPENDENCY_DASHBOARD: Set totrueto enable the dependency dashboard (default:false)
Note that triggering actions from the self-hosted service is not supported.
Manual trigger
The Renovate job in GitHub Actions can be triggered manually from the Actions tab in the GitHub repository UI using the workflow dispatch feature.
Debug logging
Debug logging is available and can be enabled by setting the LOG_LEVEL environment
variable to debug in the workflow configuration for detailed troubleshooting.
Dependency dashboard
The Renovate Dependency Dashboard is a GitHub issue that provides visibility into:
- Available dependency updates that are scheduled for later execution
- Updates that have been filtered out due to configuration rules
- Failed update attempts and their reasons
The dashboard is created with the title "RenovateBot Dependency Dashboard (self-hosted)" when running in self-hosted mode. This dashboard is particularly useful for understanding why certain updates might not be applied immediately due to scheduling constraints or configuration rules.