
Enable automerging of external dependencies #4064

Conversation

@unoduetre unoduetre commented May 16, 2024

This will only merge minor and patch releases, as explained in one of the examples at the end of the following document: https://github.com/alphagov/govuk-rfcs/blob/main/rfc-167-auto-patch-dependencies.md#examples-govuk-dependabot-merger-configs

⚠️ This repo is Continuously Deployed: make sure you follow the guidance ⚠️

What

Enable automatic merging of external dependencies by dependabot (only minor and patch versions).

Why

Trello card

The criteria mentioned in the following document have been evaluated. They are repeated below. The linked document provides further explanations of them.

  1. MUST ensure it has sufficient security scanning
  2. MUST only be applied where there is no manual deployment step
  3. MUST ensure that branch protection rules are in place that prevent pushes to main if required status checks fail
  4. SHOULD ensure it has sufficient test coverage
  5. SHOULD only automatically patch where the dependency version bump is patch or minor

MUST ensure it has sufficient security scanning

SNYK has been removed. Dependency Review Scan and Dependabot will be the only SCA tools for the main branch. The security impact of that is being discussed (see the link above).

Nevertheless, the following comment has been made in the document linked above: "However as outlined in 2023-06-18 SCA tool evaluation for GOV.UK our current tool Dependabot outperformed other scans. Hence it's unlikely that other options (Semgrep, Bundler Audit) will add value."

In my opinion this shows sufficient security scanning is being done, and the teams responsible for the infrastructure can easily add additional SCA tools in the future, if the decision is made that a single tool is not enough.

MUST only be applied where there is no manual deployment step

There is no manual step for this repository.

MUST ensure that branch protection rules are in place that prevent pushes to main if required status checks fail

There is a branch protection rule for the main branch which checks if "Dependency Review scan / dependency-review-pr" was successful for the branch being merged.

SHOULD ensure it has sufficient test coverage

The test coverage as measured by simplecov is 96.28%. This is above the 95% mentioned in the linked document.

SHOULD only automatically patch where the dependency version bump is patch or minor

This change only merges patch and minor releases, as explained in the comment to one of the examples in the linked document.
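Criterion 5 above hinges on classifying a Dependabot bump as patch, minor or major before deciding whether it may be merged without review. The following is an added example, not code from this PR or from govuk-dependabot-merger (whose config is not shown here), of one way to make that decision with Ruby's built-in `Gem::Version`; the function names and the extra 0.x caveat are assumptions of this example, not something the PR states.

```ruby
# Added example (not part of this PR or govuk-dependabot-merger): classify a
# Dependabot version bump and apply the "patch or minor only" criterion.
require "rubygems"

# Returns :major, :minor, :patch, or :other when the bump cannot be classified
# safely (malformed version, pre-release, downgrade or no change).
def bump_type(from, to)
  old_v = Gem::Version.new(from)
  new_v = Gem::Version.new(to)
  return :other if old_v.prerelease? || new_v.prerelease? || new_v <= old_v

  # Pad short versions such as "1.2" so that "1.2" -> "1.2.1" is a patch bump.
  old_s = (old_v.segments + [0, 0, 0]).first(3)
  new_s = (new_v.segments + [0, 0, 0]).first(3)
  return :major if new_s[0] != old_s[0]
  return :minor if new_s[1] != old_s[1]
  :patch
rescue ArgumentError
  # Gem::Version raises on strings like "latest"; never auto-merge those.
  :other
end

# Policy check for RFC-167 criterion 5. Caveat added by this example: a minor
# bump on a 0.x dependency is treated like a major bump, because semver makes
# no compatibility promise for 0.x releases, so such bumps keep human review.
def auto_mergeable?(from, to)
  type = bump_type(from, to)
  return false if type == :other || type == :major

  major_zero = Gem::Version.new(from).segments.first.to_i.zero?
  return false if type == :minor && major_zero

  true
end
```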

This will only merge minor and patch releases, as explained in one
of the examples at the end of the following document:
https://github.com/alphagov/govuk-rfcs/blob/main/rfc-167-auto-patch-dependencies.md#examples-govuk-dependabot-merger-configs
@govuk-ci govuk-ci temporarily deployed to govuk-frontend-app-pr-4064 May 16, 2024 14:19 Inactive
@unoduetre unoduetre marked this pull request as ready for review May 16, 2024 15:14

@beccapearce beccapearce left a comment


🚀

@unoduetre unoduetre merged commit ad3d4bb into main May 17, 2024
13 checks passed
@unoduetre unoduetre deleted the 2585-upgrade-govuk-dependabot-merger-configuration-in-our-apps-to-version-2-s-m branch May 17, 2024 09:42