Pin packages in ansible roles

[micheelengronne]

This is different than pining ansible role (that should wait for https://github.com/ansible/mazer).

Renovate should be able to update packages dependencies used in an ansible role.

These packages often are listed as yaml variables (for instance https://github.com/geerlingguy/ansible-role-postgresql/blob/master/vars/Debian-7.yml the __postgresql_packages variable).

The ansible task for package install supports pining:

https://docs.ansible.com/ansible/latest/modules/apt_module.html
https://docs.ansible.com/ansible/latest/modules/yum_module.html

Using the renovate.json, we should be able to declare the yaml variables listing the packages and alter them to add the version.

[dlouzan]

I had been wondering about how to integrate renovate into our ansible playbooks, in which we have several vars files with a bunch of package version variables. The different packages come from different data sources, most of them are referenced by docker compose files, but not exclusively. From the linked #3722 issue seems the following approach could be a candidate:

• Setup a regex rule similar to the repology example with a custom comment format.
• Then for each of our variables in the ansible file, set the comment content pointing to the appropriate data source and versioning policy.

Does that sound like a feasible approach, or do you know if anybody is / has tried to use it? Feedback would be welcome before testing this :-)

[HonkingGoose]

To the Renovate developers: what's the status of this issue?

[dlouzan]

FYI we have been using internally the approach I outlined above for a couple of months now. It's not perfect and the setup requires some fiddling, but it has worked quite nicely.

[secustor]

We are using a similar approach for our roles which contain mostly docker containers. As we use a separate variable for the image and the tag, I have implement the matchStringsStrategy for the Regex manager to allow an easier configuration in this scenario.

• Roles are getting upgraded using the Regex manager
• semantic-release creates a new release, if the dependency is upgraded
• and finally renovate picks up the new Ansible role defined in the playbooks and suggest an upgrade.

[mueller-ma]

You can use the Debian datasource, which works with all apt repositories: https://docs.renovatebot.com/modules/datasource/deb/