Dependency updates
Hosted Renovate keeps your dependencies current automatically. Enable it for an org and fremforge opens grouped, reviewable PRs every month: npm, gomod, Terraform providers, Dockerfile base images, Helm charts, and any custom regex pin you add to renovate.json. Vulnerability-triggered PRs route out-of-cycle on a weekly cadence, so a fresh CVE in a transitive dep gets a fix PR within hours of disclosure.
Built into the €30/seat plan. No add-on tier, no third-party action minutes, no GitHub-the-company in the data path.
What you get
- Automatic PRs for outdated dependencies, grouped sensibly, one PR per related package set rather than dozens of one-line bumps.
- Vulnerability-triggered PRs for HIGH / CRITICAL CVE advisories, routed out-of-cycle on a weekly cadence rather than waiting for the monthly cycle.
- Renovate Dependency Dashboard issue in each repo, so you can see status at a glance.
- Full Renovate config schema, every option at docs.renovatebot.com works on fremforge unchanged.
- Per-tenant bot user, scoped to your org only, token never crosses tenant boundaries.
- EU-sovereign, runs on T Cloud CCE; no third-party SaaS in the data path.
Enabling
- Org admin UI → Dependency updates tab.
- Click Enable hosted Renovate.
- fremforge provisions a per-tenant bot user (e.g. your-org-renovate-bot) and grants it write access to your org’s repos.
- The first run fires within 30 days; subsequent runs follow the schedule in your renovate.json.
The bot user is fremforge-managed. You don’t need to create it, rotate its credentials, or worry about lost passwords. The token lives in our DEW CSMS and rotates on the same 90-day cadence as our other platform secrets.
Disabling
- Org admin UI → Dependency updates → Disable hosted Renovate.
- fremforge revokes the bot’s token immediately and removes the bot from your org.
- PRs already opened by Renovate stay open. Merge or close them as you would any other PR.
- The org’s renovate.json stays in your repos; fremforge doesn’t touch it.
Re-enabling provisions a fresh bot. The previous bot username is tombstoned (not reused) so audit history stays clean.
Configuring
Per-repo configuration is via renovate.json in the repo root. Without it, Renovate uses sensible defaults, which is usually fine for the first month while you’re seeing what kinds of PRs roll in.
A minimal starter:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended", ":dependencyDashboard"],
"schedule": ["before 4am on the first day of the month"]
}
A more opinionated config that groups OpenTelemetry packages, auto-merges patch and lockfile bumps, and requires human review for major bumps:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended", ":dependencyDashboard", ":semanticCommits"],
"timezone": "Europe/Copenhagen",
"schedule": ["before 4am on the first day of the month"],
"vulnerabilityAlerts": {
"labels": ["security"],
"schedule": ["at any time"]
},
"packageRules": [
{
"matchPackagePatterns": ["^@opentelemetry/"],
"groupName": "opentelemetry"
},
{
"matchUpdateTypes": ["patch", "pin", "digest", "lockFileMaintenance"],
"automerge": true,
"platformAutomerge": true
},
{
"matchUpdateTypes": ["major"],
"automerge": false,
"labels": ["major-bump"]
}
]
}
The full Renovate configuration reference is at docs.renovatebot.com/configuration-options/.
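The opinionated config above encodes two policies worth checking mechanically before a renovate.json lands in a repo: major bumps must never auto-merge, and vulnerability PRs must be allowed outside the monthly window. The following Python policy check is an added example, not fremforge’s or Renovate’s own code. It models Renovate’s rule order (later packageRules override earlier ones and the top-level automerge) for matchUpdateTypes only, which is a simplification; the two sample configs it runs against are constructed for the example.

```python
"""Policy check for a renovate.json: no auto-merged majors, security PRs unscheduled.

Added example (not fremforge's or Renovate's code). Simplifications, stated as
assumptions: only matchUpdateTypes is modelled; a packageRule scoped by other
match* keys (package names, managers, ...) is treated as not changing the
repo-wide default; the check requires vulnerabilityAlerts.schedule to be set
explicitly to ["at any time"], the value the hosted-Renovate docs recommend.
"""
import json

# Constructed sample: auto-merges everything, including major bumps, and
# leaves security PRs waiting for the monthly schedule.
RISKY_CONFIG = json.dumps({
    "extends": ["config:recommended"],
    "automerge": True,
    "schedule": ["before 4am on the first day of the month"],
    "packageRules": [
        {"matchUpdateTypes": ["major"], "labels": ["major-bump"]},
    ],
})

# Constructed sample: the same intent expressed safely.
SAFE_CONFIG = json.dumps({
    "extends": ["config:recommended", ":dependencyDashboard"],
    "schedule": ["before 4am on the first day of the month"],
    "vulnerabilityAlerts": {"labels": ["security"], "schedule": ["at any time"]},
    "packageRules": [
        {"matchUpdateTypes": ["patch", "pin", "digest", "lockFileMaintenance"],
         "automerge": True, "platformAutomerge": True},
        {"matchUpdateTypes": ["major"], "automerge": False, "labels": ["major-bump"]},
    ],
})

UPDATE_TYPES = ("major", "minor", "patch", "pin", "digest", "lockFileMaintenance")


def _effective_automerge(config: dict, update_type: str) -> bool:
    """Resolve the automerge flag that wins for one update type.

    Starts from the top-level automerge (Renovate's default is false) and lets
    each matching packageRule override it, in order of appearance.
    """
    result = bool(config.get("automerge", False))
    for rule in config.get("packageRules", []):
        types = rule.get("matchUpdateTypes")
        other_matchers = any(k.startswith("match") and k != "matchUpdateTypes" for k in rule)
        if types is not None and update_type not in types:
            continue  # rule is scoped to other update types
        if types is None and other_matchers:
            continue  # rule applies to a subset of packages, not the repo default
        if "automerge" in rule:
            result = bool(rule["automerge"])
    return result


def automerge_policy(text: str) -> dict:
    """Map each update type to the automerge value Renovate would end up using."""
    config = json.loads(text)
    return {t: _effective_automerge(config, t) for t in UPDATE_TYPES}


def lint_renovate_config(text: str) -> list:
    """Return policy findings as strings; an empty list means the config passes."""
    config = json.loads(text)
    findings = []
    if _effective_automerge(config, "major"):
        findings.append('major updates would auto-merge; add a packageRule with '
                        'matchUpdateTypes ["major"] and automerge false')
    alerts = config.get("vulnerabilityAlerts", {})
    if alerts.get("enabled") is False:
        findings.append("vulnerabilityAlerts is disabled; CVE-triggered PRs will not open")
    elif alerts.get("schedule") != ["at any time"]:
        findings.append('vulnerabilityAlerts.schedule is not ["at any time"]; '
                        "security PRs would wait for the main schedule")
    return findings


if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("safe", SAFE_CONFIG)):
        print(name, lint_renovate_config(cfg) or "OK")
```

Run it as a pre-commit hook or in CI over the repo’s renovate.json; a non-empty finding list is the signal to block the change. The rule-order model is deliberately narrow: a rule that matches by package name can still flip automerge for that package, so treat a clean result as “the repo default is sane”, not as a proof about every package.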
What gets bumped
Renovate auto-detects most ecosystems without configuration. Auto-detected ecosystems on fremforge:
- npm / pnpm / yarn, package.json + lockfile maintenance
- Go modules, go.mod
- OpenTofu / Terraform, provider versions in versions.tf
- Dockerfile, FROM lines, with digest pinning option
- Helm, chart versions in values.yaml and Chart.yaml
- Custom regex pins, for any version string in any file (great for pinning shell-script-installed binaries)
For the full ecosystem matrix see docs.renovatebot.com/modules/manager/.
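The custom regex pins entry above is the one ecosystem that needs configuration, because Renovate has to be told where the version string lives. The following is an added example, not fremforge’s or Renovate’s own code: it shows a customManagers entry for a binary installed from a shell script, using the annotation-comment convention from upstream’s regex manager docs (field names customType, fileMatch, matchStrings as documented upstream), and then checks with Python’s re module that the matchStrings pattern captures the three fields Renovate needs (datasource, depName, currentValue) from a constructed install script. The script path and tool names are assumptions for the example.

```python
"""Custom regex pin for a shell-script-installed binary, with a local check.

Added example (not fremforge's or Renovate's code). The manager dict is what
goes under "customManagers" in renovate.json; extract_pins() mirrors, with
Python's re, what Renovate's regex manager captures, so the pattern can be
tested before a run. Renovate compiles matchStrings with JavaScript-style named
groups (?<name>...), so they are rewritten to Python's (?P<name>...) first.
"""
import json
import re

# Assumed script path and annotation convention: a comment naming the
# datasource and depName, followed by the line holding the version.
REGEX_PIN_MANAGER = {
    "customType": "regex",
    "fileMatch": ["^scripts/install-tools\\.sh$"],
    "matchStrings": [
        "# renovate: datasource=(?<datasource>[a-z-]+) depName=(?<depName>\\S+)\\n"
        "[A-Z_]+_VERSION=\"?(?<currentValue>[^\"\\s]+)\"?"
    ],
}

# Constructed install script: two annotated pins plus one unannotated line
# that must be ignored, since nothing tells Renovate what package it is.
SAMPLE_SCRIPT = """\
#!/bin/sh
set -eu
# renovate: datasource=github-releases depName=mikefarah/yq
YQ_VERSION="v4.44.3"
# renovate: datasource=github-releases depName=hashicorp/terraform
TERRAFORM_VERSION=1.9.5
LEGACY_TOOL_VERSION=0.1.0
"""


def js_named_groups_to_python(pattern: str) -> str:
    """Rewrite (?<name>...) to (?P<name>...) without touching (?<=...) lookbehinds."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def extract_pins(content: str, manager: dict = REGEX_PIN_MANAGER) -> list:
    """Apply every matchStrings pattern and return the captured pins in file order."""
    pins = []
    for pattern in manager["matchStrings"]:
        compiled = re.compile(js_named_groups_to_python(pattern), re.MULTILINE)
        for match in compiled.finditer(content):
            pins.append({k: v for k, v in match.groupdict().items() if v is not None})
    return pins


def renovate_json_snippet() -> str:
    """The fragment to merge into renovate.json; json.dumps handles the escaping."""
    return json.dumps({"customManagers": [REGEX_PIN_MANAGER]}, indent=2)


if __name__ == "__main__":
    for pin in extract_pins(SAMPLE_SCRIPT):
        print(pin)
    print(renovate_json_snippet())
```

The unannotated LEGACY_TOOL_VERSION line is the failure mode to watch for: a regex pin only covers what the comment annotates, so an un-annotated binary never appears in the Dependency Dashboard and never gets a vulnerability-triggered PR. Grepping the script for `_VERSION=` lines that extract_pins() does not return is a cheap way to find those gaps.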
Out-of-cycle runs
Need a Renovate run before the next scheduled cycle (e.g. you just published a new renovate.json and want to see what it produces)?
- Org admin UI → Dependency updates → Run now.
- Rate-limited to one out-of-cycle run per hour per org.
- Results appear in the Recent runs table within a few minutes.
Vulnerability-triggered PRs already route out-of-cycle automatically. You don’t need to click “Run now” when a new CVE drops; Renovate’s own vulnerability scheduler handles it.
Cadence customisation
Renovate’s schedule field accepts cron-shaped expressions. A few common patterns:
- ["before 4am on the first day of the month"], once a month, fremforge default.
- ["before 4am every weekday"], daily on weekdays.
- ["after 9pm and before 5am"], only outside business hours.
- [], never; rely on vulnerability-triggered runs only.
The vulnerabilityAlerts.schedule field overrides for security PRs:
{
"vulnerabilityAlerts": {
"schedule": ["at any time"]
}
}
Cost
Included in the €30/seat plan. No metering, no per-PR charge, no separate runner-minute line.
For comparison: GitHub’s Dependabot is free, but Dependabot Updates that run on Actions consume your Actions minutes. fremforge’s hosted Renovate runs on fremforge-managed CCE Jobs that don’t count against your runner-minute pool. That’s the practical difference.
Why Renovate, not Dependabot
Renovate is the OSS tool we run against our own repositories (same config, same cadence, same PR shape), and it is the one we chose to expose as the hosted dependency-updates feature. Renovate has had native Forgejo support since v37; its config schema is broader than Dependabot’s; and it supports custom regex pins, which Dependabot doesn’t. Most teams who use both prefer Renovate.
You can also self-host Renovate against your own fremforge repos without enrolling in the hosted version. Just drop a renovate.json and run Renovate yourself in CI. The hosted version is the convenience layer; the OSS Renovate config you write is identical either way.
Troubleshooting
My PRs aren’t getting opened
- First check: the Recent runs table on the dashboard. If runs are at status ok but prs_opened: 0, your repos really don’t have anything to bump (or your renovate.json filters out everything).
- Bot lost write access: re-enabling fixes this. Disable then re-enable; the bot is re-created with a fresh token.
- Rate-limited PRs: Renovate’s prHourlyLimit defaults to 2 PRs/hour. Bump it in your config if needed.
A PR is wrong / shouldn’t have been opened
Add the package to your renovate.json ignore list:
{
"packageRules": [
{
"matchPackageNames": ["the-thing-i-dont-want-bumped"],
"enabled": false
}
]
}
Renovate picks up the change on the next run.
A run failed
- Click the run’s Error detail dropdown on the dashboard. Most failures are transient (e.g. a network blip on the npm registry) and recover automatically on the next cycle.
- If a specific repo fails repeatedly, check whether the bot user has access. Re-enabling re-grants write.
Cross-references
- Renovate documentation (upstream), full config reference.
- Security and supply chain, how Renovate fits into the broader supply-chain story.
- Webhooks, Renovate’s PRs fire the same pull_request webhook events as any other PR.