Merge pull request #2897 from transcom/cg_configure_dependabot

Configure dependabot
transcom · Nov 1, 2019 · e5631ef · e5631ef
2 parents 0ae146c + 6570685
commit e5631ef
Show file tree

Hide file tree

Showing 5 changed files with 74 additions and 16 deletions.
diff --git a/.dependabot/config.yml b/.dependabot/config.yml
@@ -0,0 +1,46 @@
+# Settings found in https://dependabot.com/docs/config-file/
+version: 1
+update_configs:
+
+  # Keep package.json (& lockfiles) up to date as soon as
+  # new versions are published to the npm registry
+  - package_manager: "javascript"
+    directory: "/"
+    update_schedule: "live"
+    default_labels:
+      - dependencies
+      - automerge
+    default_reviewers:
+      - tinyels
+      - chrisgilmerproj
+      - jacquelineIO
+      - sarboc
+      - chrisrcoles
+
+  # Keep go.mod (& go.sum) up to date daily
+  - package_manager: "go:modules"
+    directory: "/"
+    update_schedule: "daily"
+    default_labels:
+      - dependencies
+      - automerge
+    default_reviewers:
+      - tinyels
+      - chrisgilmerproj
+      - jacquelineIO
+      - sarboc
+      - chrisrcoles
+
+  # Keep Dockerfile up to date, batching pull requests daily
+  - package_manager: "docker"
+    directory: "/"
+    update_schedule: "daily"
+    default_labels:
+      - dependencies
+      - automerge
+    default_reviewers:
+      - tinyels
+      - chrisgilmerproj
+      - jacquelineIO
+      - sarboc
+      - chrisrcoles
diff --git a/.spelling b/.spelling
@@ -520,19 +520,5 @@ Fargate
 ecs-tasks-app-staging
 Devlocal
 MacBookPro
-# Put all custom terms BEFORE this comment, lest 'pre-commit' and 'make spellcheck' yield different errors.
- - /usr/local
- - docs/data/tspp-data-creation.md
- - docs/backend.md
- - docs/adr/0007-swagger-client.md
- - docs/adr/0027-pdf-generation.md
- - README.md
- - docs/frontend.md
- - ./README.md
- - ./docs/data/tspp-data-creation.md
- - ./docs/data/tariff400ng-yearly-import.md
- - ./scripts/README.md
- - ./docs/how-to/run-storybook.md
- - ./docs/database.md
- - ./docs/._database.md
- - ./docs/how-to/test-virus-scanning.md
+Dependabot
+dependabot
diff --git a/docs/README.md b/docs/README.md
@@ -36,6 +36,7 @@ If you are looking to understand choices made in this project, see the list of [
 * [Deploy to Experimental](how-to/deploy-to-experimental.md#how-to-deploy-to-experimental)
 * [display dates and times](how-to/display-dates-and-times.md#how-to-display-dates-and-times)
 * [Generate Mocks with Mockery](how-to/generate-mocks-with-mockery.md#how-to-generate-mocks-with-mockery)
+* [Manage Dependabot](how-to/manage-dependabot.md#how-to-manage-dependabot)
 * [Manage Dependencies With go mod](how-to/manage-dependencies-with-go-mod.md#how-to-manage-dependencies-with-go-mod)
 * [Manage Docker Locally](how-to/manage-docker-locally.md#how-to-manage-docker-locally)
 * [Migrate the Database](how-to/migrate-the-database.md#how-to-migrate-the-database)

diff --git a/docs/adr/0002-go-package-management.md b/docs/adr/0002-go-package-management.md
@@ -1,5 +1,7 @@
 # Use dep to manage go dependencies
 
+**NOTE:** Golang has explicitly moved to `go mod` and this project has as well, making this ADR obsolete.
+
 ## Considered Alternatives
 
 * glide

diff --git a/docs/how-to/manage-dependabot.md b/docs/how-to/manage-dependabot.md
@@ -0,0 +1,23 @@
+# How to Manage Dependabot
+
+[Dependabot](https://dependabot.com) is used to monitor the repository dependencies and update them with automatic
+pull requests against the `master` branch in the repo. The configuration is done via a file named
+`.dependabot/config.yml`. Read more about [dependabot configuration](https://dependabot.com/docs/config-file/) in the
+docs.
+
+## Security
+
+We use dependabot as part of our security measures. It ensures that the repository dependencies are up to date and
+that any security vulnerabilities are caught as soon as new versions are published. Dependabot will even
+add security release information in the text of the PR.
+
+## Organization Level Settings
+
+The settings for the Transcom organization can be found in the [Account Settings](https://app.dependabot.com/accounts/transcom/settings)
+page. These manage settings for all repos under Transcom.
+
+## Repo Management
+
+Repo management should be done in the `.dependabot/config.yml` file. However, you can view and interact with
+settings temporarily via the [repo management page](https://app.dependabot.com/accounts/transcom/repos/114694829).
+This is a good place to try out new features without having to push a PR to the repository.