How to setup renovate in Azure DevOps to keep your project dependencies up to date


TLDNR: What is renovate and how to setup Azure DevOps


Renovate is an open source tool that helps you to keep your dependencies up to date. When renovate bot runs, it …

  1. detects the dependencies in a repository,
  2. checks whether there are newer versions which can be updated to,
  3. anf if there are new versions, creates commits and pull requests to apply the updates.

Automatically running renovate on regular schedule, helps you to keep your project dependencies up to date.

Renovate supports a lot of package managers, like nuget for dotnet, npm for javascript, gradle or maven for java, or even terraform providers and a lot more.

Azure DevOps SetUp

Create a new YAML Pipeline

create a new YAML pipeline azure-pipelines.yml in Azure DevOps

  - cron: "0 3 * * *"
    displayName: "Every day at 3am"
      include: [main]

trigger: none

  vmImage: ubuntu-latest

  - group: "renovatebot"

  - bash: |
      git config --global ''
      git config --global 'Renovate Bot'
      npx renovate      
      TOKEN: $(System.AccessToken)
      GITHUB_COM_TOKEN: $(githubtoken) # get a token from and save it in the 'renovatebot' variables group
      #RENOVATE_CONFIG_FILE: "./pipelines/renovate/config.js" # use this environment variable if you prefer to have the renovate pipeline definition and the config file in it's own dictionary instead of the repository root.

Create the renovate bot config.js file

create a config.js file in the same repository as the yaml pipeline

module.exports = {
  platform: 'azure',
  endpoint: '',
  token: process.env.TOKEN,
  hostRules: [
      "azureAutoApprove": true,
      "automerge": true
  repositories: ['YOUR-PROJECT/YOUR-REPO'], // list of repos that should be watched by renovate bot

Create a variable group to store the GitHub Token

create the renovatebot variable group and add a GitHub Token as secret. The token is used in order to increase the GitHub API limit and there does not need any special permissions, read only is sufficient.

Variable Group

run the pipeline for the first time and authorize the pipeline to use the renovate variable group.

authorize pipeline to use variable group

Authorize the Build Service Account

The first run of your pipeline will probably fail with the message You need the Git 'GenericContribute' permission to perform this action because the service account that runs the pipeline is not authorized to contribute to the repositories in your projects.

Failed pipeline run

Thats because renovate contributes to your project by creating commits, branches and pull requests, therefore it’s necessary to authorize the service account which runs your YAML pipeline with the required permissions.

As seen in the screenshot you need to authorize the Build Service Account account with the Contribute, Contribute to pull requests and Create branch permissions to all repositories.

Authorize the Build Service Account with Contribute, Contribute to pull requests and Create branch permissions

Which is the correct Build Service identity? By default, the collection-scoped identity Project Collection Build Service ({OrgName}) is used to run your YAML pipeline. If your project is configured to Limit job authorization scope to current project for non-release pipelines as described in the Azure DevOps Pipelines Docs, the project-scoped identity {Project Name} Build Service ({Org Name}) is used to run your YAML pipeline.

Hint: By authorizing the Build Service Account to all git repos, as described above, you can use a single pipeline to update all of your repositories configured in config.js.

Onboarding Pull Request

After the first successful run of renovate bot, you will get a pull request for each repository configured in config.js. This pull request (PR) is used to list what dependencies was detected and give a preview what PRs you have to expect after accepting and merging this pull request to your repository.

Initial Pull Request by Renovate

In the onboarding PR, renovate will create a renovate.json file for your repository. This is used to further configure renovate.

File changes in the Onboarding Pull Request

Renovate in Action

From now on you get pull requests from your new co-worker renovate bot.

Pull Request by Renovate

Lernen Sie uns kennen

Das sind wir

Wir sind ein Software-Unternehmen mit Hauptsitz in Karlsruhe und auf die Umsetzung von Digitalstrategien durch vernetzte Cloud-Anwendungen spezialisiert. Wir sind Microsoft-Partner und erweitern Standard-Anwendungen bei Bedarf – egal ob Modernisierung, Integration, Implementierung von CRM- oder ERP-Systemen, Cloud Security oder Identity- und Access-Management: Wir unterstützen Sie!

Mehr über uns

Der Objektkultur-Newsletter

Mit unserem Newsletter informieren wir Sie stets über die neuesten Blogbeiträge,
Webcasts und weiteren spannenden Themen rund um die Digitalisierung.

Newsletter abonnieren