Three years of automated Drupal core updates

By Kevin, March 1st, 2025

We're coming up on almost three years of automated Drupal core updates for my personal site. 

In June of 2022, I hooked up Renovate (you can read a deep dive here), and ever since then I have had scheduled updates enabled with GitLab CI, and for Drupal core updates I have set Renovate to automerge them. That means any time a new version of Drupal core is available, Renovate will fetch the update, open a pull request, run build check(s) and merge it back to the main branch automatically, at which point it is deployed to my platform.sh instance (great service, too!).

That means that for 3 years, the core updates to this site have been hands off and worry free. Regular updates or security updates are deployed automatically through GitLab and platform.sh. I intervened once to upgrade from 10 to 11, since my Composer file was locked to 10.x only. It has been very smooth sailing. Granted, my personal site is not large and I have around 20 contributed modules installed - but it is possible to do this. I would feel just as confident on a site with triple the modules - although at Velir I am very dogmatic on 'small core' projects, using fewer, not more, contributed modules.

This year we will likely start rolling it out to candidate projects. We have enough rigor in place to catch any potential issues, starting with CI/CD, and the worst that can happen is something gets caught and stuck on a lower environment. That would already happen anyway even if it were not automatic, only you see issues sooner rather than later. Staying on top of updates makes the process easier instead of harder. For years we have been running enough automation to open pull requests when a new release of Drupal core or a contributed module is available - I am now confident we can start allowing automerges to happen for Drupal core (an automerge is when Renovate pulls an available update, opens a pull request, then automatically merges it back to the main branch).
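As an added illustration (not the configuration used on this site or at Velir), here is a `renovate.json5` that limits automerge to Drupal core minor and patch releases and leaves everything else for human review. The package list, the group name and the dashboard-approval rule for major versions are assumptions based on a standard `drupal/recommended-project` Composer setup.

```json5
// renovate.json5 (added example; package list and rule layout are assumptions)
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended"],

  // Default for every dependency: open a merge request and wait for a reviewer.
  automerge: false,

  packageRules: [
    {
      description: "Automerge Drupal core minor/patch releases once the pipeline passes",
      matchManagers: ["composer"],
      // Core ships as several Composer packages that must move together,
      // so they are grouped into a single branch and merge request.
      matchPackageNames: [
        "drupal/core",
        "drupal/core-recommended",
        "drupal/core-composer-scaffold",
        "drupal/core-project-message",
        "drupal/core-dev",
      ],
      groupName: "Drupal core",
      matchUpdateTypes: ["minor", "patch"],
      automerge: true,
      // Merge through a request (not a direct branch push) so the change
      // and its pipeline result stay in the project history.
      automergeType: "pr",
      // ignoreTests is deliberately left at its default (false): Renovate
      // then merges only after it sees passing status checks, so a failed
      // build blocks the update instead of shipping it.
    },
    {
      description: "Major core upgrades (for example 10 to 11) stay manual",
      matchManagers: ["composer"],
      matchPackageNames: [
        "drupal/core",
        "drupal/core-recommended",
        "drupal/core-composer-scaffold",
        "drupal/core-project-message",
        "drupal/core-dev",
      ],
      matchUpdateTypes: ["major"],
      automerge: false,
      // No merge request is opened until someone ticks the box on the
      // Dependency Dashboard issue that config:recommended enables.
      dependencyDashboardApproval: true,
    },
  ],
}
```

The automerge rule is only as safe as the pipeline behind it: protect the main branch and require a passing pipeline before merge, so the build checks are the gate rather than a formality.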

I often hear of teams who do updates a few times a year, instead of several times per month (or as soon as they are available). This can make the process harder as updates pile up, as well as leave you (or clients) open to potential security vulnerabilities. Automate it!

Renovate is free and there is plenty of literature out there on configuring and using it. I implore you to try it out for yourself today - it works well beyond just Drupal. In the article I linked above, I had automated updates rolling for NPM packages and Docker images. It supports just about every major package manager and platform. While Drupal now has the Automated Updates module in core, that is scoped to just Drupal (obviously), and tools like Renovate can cover your entire software stack.

 
