Enable automerging of external dependencies #4064
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This will only merge minor and patch releases, as explained in one of the examples at the end of the following document: https://github.com/alphagov/govuk-rfcs/blob/main/rfc-167-auto-patch-dependencies.md#examples-govuk-dependabot-merger-configs
unoduetre
deleted the
2585-upgrade-govuk-dependabot-merger-configuration-in-our-apps-to-version-2-s-m
branch
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This will only merge minor and patch releases, as explained in one of the examples at the end of the following document: https://github.com/alphagov/govuk-rfcs/blob/main/rfc-167-auto-patch-dependencies.md#examples-govuk-dependabot-merger-configs
What
Enable automatic merging of external dependencies by dependabot (only minor and patch versions).
Why
Trello card
The criteria mentioned in the following document have been evaluated. They are repeated below. The linked document provides further explanations of them.
MUST ensure it has sufficient security scanning
SNYK has been removed. Dependency Review Scan and Dependabot will be the the only SCA tools for the main branch. The security impact of that is being discussed (see the link above).
Nevertheless, the following comment has been made in the document linked above: "However as outlined in 2023-06-18 SCA tool evaluation for GOV.UK our current tool Dependabot outperformed other scans. Hence it’s unlikely that other options (Semgrep, Bundler Audit) will add value.".
In my opinion this shows sufficient security scanning is being done, and the teams responsible for the infrastructure can easily add additional SCA tools in the future, if the decision is made that a single tool is not enough.
MUST only be applied where there is no manual deployment step
There is no manual step for this repository.
MUST ensure that branch protection rules are in place that prevent pushes to main if required status checks fail
There is a branch protection rule for the main branch which checks if "Dependency Review scan / dependency-review-pr" was successful for the branch being merged.
SHOULD ensure it has sufficient test coverage
The test coverage as measured by
simplecovis 96.28%. This is above 95% mentioned in the linked document.SHOULD only automatically patch where the dependency version bump is patch or minor
This change only merges patch and minor releases, as explained in the comment to one of the examples in the linked document.