Updating pre-commit additional dependencies using Renovate
I am a huge fan of Renovate Bot to automatically update dependencies in projects. I use it in all my projects. At the time when I discovered it, we were using GitLab so we could not use dependabot.
In general, I quickly realized that Renovate Bot has significant advantages over dependabot (which, if I am not mistaken, is restricted to running on GitHub). Renovate is fully open source (and can be self-hosted), highly configurable, supports many dependency managers, supports custom managers with regex, and much more.
Renovate has had beta pre-commit support for quite some time, which needs to be enabled explicitly.
I have been using it for a while and it works great in keeping up-to-date with updates to pre-commit hooks (it is generally recommended to pin dependencies).
pre-commit hooks can have additional dependencies.
These additional dependencies are specific to the language the hook uses.
For example, let's assume you are using mdformat to format your Markdown files which supports additional plugins.
mdformat is a Python tool so the additional dependencies are Python packages.
Here is an example pre-commit config that this website uses as of this writing:
```yaml
- repo: https://github.com/executablebooks/mdformat
  rev: 1.0.0
  hooks:
    - id: mdformat
      language: python
      args: [--number, --sort-front-matter, --strict-front-matter]
      additional_dependencies:
        - mdformat-mkdocs==5.1.4
        - mdformat-front-matters==2.0.0
        - mdformat-footnote==0.1.3
        - mdformat-gfm-alerts==2.0.0
        - mdformat-ruff==0.1.3
        - ruff==0.15.4
        - mdformat-config==0.2.1
```

Specifying the language is optional but important here as you will see when you keep reading.
How can we ensure that the additional dependencies get updated automatically as well?
There has been a long-standing issue to add support for additional_dependencies.
The main challenge is basically to know which dependency manager
At some point, someone contributed support for updating additional dependencies for Python.
The trick is to add the language property to the hook.
This is already defined in the definition of the hook itself.
However, specifying it here helps Renovate in determining what dependency manager to use for package lookups.
At some point, support was also added for node additional dependencies.
Which now brings me to my latest contribution to Renovate.
I use actionlint to statically check GitHub Action workflows in many projects.
The amazing thing is that actionlint has an integration for shellcheck for run: scripts.
Via the pre-commit config of the ruff project I initially came across actionlint and also saw how shellcheck can be used.
Basically, there is a Go package for shellcheck.
```yaml
- repo: https://github.com/rhysd/actionlint
  rev: v1.7.11
  hooks:
    - id: actionlint
      language: golang
      additional_dependencies:
        # see also: https://github.com/rhysd/actionlint/pull/482
        - github.com/wasilibs/go-shellcheck/cmd/shellcheck@v0.11.1
```
The problem I had is that when go-shellcheck got updated I missed it.
And Renovate had no support for Go additional dependencies at the time.
I only noticed that there was a new version when pipelines started failing sporadically due to a memory violation coming from the shellcheck invocation.
To get updates in the future, I looked at how support for node was added and replicated the same concept for Go.
I opened a PR that got accepted and support has been available since version 42.76.0.
It then took a few days for this version to be used by the GitHub app.
Thanks to some backlinks in the PR I saw that ruff and ty updated the go-shellcheck version manually in their pre-commit config.
I noticed that the language property was missing in their pre-commit config so I raised PRs (ruff PR, ty PR) so they get automatic updates for this additional dependency by Renovate in the future :).
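A small audit for the situation described above, as an added example that is not code from this post or from Renovate: it flags hooks that pin `additional_dependencies` without a `language` value the post names as covered (Python, node, Go). It assumes block-style YAML with `id` as the first key of each hook, and the sample config is constructed from the post's two hooks.

```python
import re

# Hook languages the post names as covered for additional_dependencies updates.
RENOVATE_LANGUAGES = {"python", "node", "golang"}
HOOK_START = re.compile(r"^-\s+id:\s*(\S+)")
HOOK_KEY = re.compile(r"^(language|additional_dependencies):\s*(.*)$")

def audit(config_text):
    """Return (hook_id, language) for hooks Renovate skips; None means unset."""
    hooks, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = HOOK_START.match(line)
        if start:  # a new hook entry begins; assumes `id` is its first key
            current = {"id": start.group(1), "language": None, "deps": False}
            hooks.append(current)
            continue
        key = HOOK_KEY.match(line)
        if key and current is not None:
            value = key.group(2).split(" #")[0].strip().strip("'\"")
            if key.group(1) == "language":
                current["language"] = value
            else:  # an empty inline list means nothing is pinned
                current["deps"] = value != "[]"
    return [(h["id"], h["language"]) for h in hooks
            if h["deps"] and h["language"] not in RENOVATE_LANGUAGES]

# Constructed sample: the post's two hooks, with `language` dropped from
# actionlint to mimic a config whose Go dependency would go stale.
SAMPLE = """\
repos:
  - repo: https://github.com/executablebooks/mdformat
    rev: 1.0.0
    hooks:
      - id: mdformat
        language: python
        additional_dependencies:
          - mdformat-mkdocs==5.1.4
  - repo: https://github.com/rhysd/actionlint
    rev: v1.7.11
    hooks:
      - id: actionlint
        additional_dependencies:
          - github.com/wasilibs/go-shellcheck/cmd/shellcheck@v0.11.1
"""

print(audit(SAMPLE))
```

Run in CI against `.pre-commit-config.yaml`, a non-empty result means a pinned dependency is outside Renovate's view and will only be updated by hand.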