Schedule a Demo

Automating CIRCLECI ORB Updates

Rhys Arkins December 17, 2018 3 min read
Developer
Table of Contents

Using Orbs

Add an Orb’s definition to your .circleci/config.yml file.

Like any good package registry, each Orb is versioned, e.g. like:

cypress-io/cypress@volatile
cypress-io/cypress@1
cypress-io/cypress@1.1
cypress-io/cypress@1.1.0

Orb versioning

If you like a little danger in your software delivery, you can use the volatile tag to mean “give me the latest version”, and every time the Orb runs it will use the latest version even if it’s a non-backwards compatible major update compared to the last time you ran it. Doesn’t seem like a good idea in most cases.

Alternatively you could use a range as version, like cypress-io/cypress@1 which means: “it’s OK to use whatever is the latest 1.x version” and rely on the author retaining semver compatibility and also doesn’t introduce any new features you find unexpected.

Finally, you can “pin” to an exact version for maximum predictability, e.g. cypress-io/cypress@1.1.0.

Getting updates to Orb versions

Until now, you had three choices for getting Orb updates:

  • Use the high-risk volatile tag and take any update that comes
  • Use a medium-risk “range” and assume the Orb author honors semver compatibility
  • Pin to an exact version for low risk, and make updates manually

Now with Renovate you have another option: use a low-risk exact version, and receive automated updates whenever a new version is released.

Using Renovate to update CircleCI Orbs

Renovate automatically detects CircleCI configuration files and parses them to detect dependencies, including Orbs and Docker images.

When an Orb definition is found, Renovate can do different things depending on your current version:

  • if you have defined your Orb as volatile, then Renovate skips over it
  • if you have defined your Orb with a “range”, then Renovate creates a PR to “pin” it (e.g. from cypress-io/cypress@1 to cypress-io/cypress@1.2.0)
  • If you have defined an exact version, then Renovate checks if there are any updates for it on the Orb registry and proposes a PR if so (e.g. from cypress-io/cypress@1.1.0 to cypress-io/cypress@1.2.0)

Viewing changelogs

If the Orb has been published with a home URL pointing to a GitHub repository, or the source has been added to Renovate manually, then Renovate will locate and extract the relevant release notes to embed them in the PR, so that you can see what’s changed.

About the author

Rhys Arkins

Rhys Arkins is Vice President of Product Management, responsible for developer solutions at Mend.io. He was the founder of Renovate Bot – an automated tool for software dependency updating, which was acquired by Mend.io in 2019. Rhys is particularly fond of automation and a firm believer in never sending humans to do a machine’s job.

Recent resources

What is LDAP Injection? Types, Examples and How to Prevent It

Tom Abai 21 Mar 2024
Developer

Learn what LDAP Injection is, its types, examples, and how to prevent it. Secure your applications against LDAP attacks.

Read more

How to Use Dependency Injection in Java: Tutorial with Examples

Itay Badichi 13 Feb 2024
Developer

Learn how to use Dependency Injection in Java with this comprehensive tutorial. Discover its benefits, types, and practical examples.

Read more

Idempotency: The Microservices Architect’s Shield Against Chaos

Avner Lewenstein 22 Jan 2024
Developer

Discover the power of idempotency in microservices architecture. Learn how to maintain data consistency and predictability.

Read more

© 2024 Mend.io (White Source Ltd.) All rights reserved.