In T244001 we (Wikidata/Wikibase) evaluated the state of automatic and manual checking of npm audit for Wikibase projects.
A working patch was trialled with WikibaseManifest, showing that this works in practice: https://gerrit.wikimedia.org/r/691265
You can see the patches that have been created at https://gerrit.wikimedia.org/r/q/owner:addshorewiki%252Baddbot-dependabot%2540gmail.com
We should enable such patch mirroring by introducing an action like this to all of our Gerrit repos.
We should look at how to share the workflow between multiple repositories to avoid copy-pasting, errors, and update pain. (This could mean turning it into a reusable action, or sharing the workflow itself.)
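As an added illustration of the "share the workflow" option (this is not the WikibaseManifest patch or any WMDE code), here is what a GitHub reusable workflow plus a per-repository caller could look like. The shared repository name `wmde/github-workflows`, the workflow file names, the Gerrit bot user, the input and secret names, and the push mechanics are all assumptions for the example.

```yaml
# File 1 (hypothetical): .github/workflows/gerrit-mirror.yml in a shared repo, e.g. wmde/github-workflows
# Added example, not the project's own action.
name: Mirror dependabot PR to Gerrit

on:
  workflow_call:
    inputs:
      gerrit_project:
        description: Gerrit project name, e.g. mediawiki/extensions/WikibaseManifest (assumed input)
        required: true
        type: string
      gerrit_branch:
        required: false
        type: string
        default: master
      gerrit_host_key:
        description: Pinned known_hosts line for gerrit.wikimedia.org:29418 (avoids trust-on-first-use)
        required: true
        type: string
    secrets:
      GERRIT_SSH_KEY:
        description: Private key of the bot account that uploads changes (assumed secret name)
        required: true

jobs:
  mirror:
    # Only mirror PRs opened by dependabot; anyone else's PR still goes through normal review.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0   # full history so the commit sits on top of the Gerrit branch
      - name: Add Change-Id and push to Gerrit for review
        # Values are passed via env, not interpolated into the script, so a crafted
        # input or branch name cannot inject shell commands.
        env:
          GERRIT_SSH_KEY: ${{ secrets.GERRIT_SSH_KEY }}
          GERRIT_HOST_KEY: ${{ inputs.gerrit_host_key }}
          GERRIT_PROJECT: ${{ inputs.gerrit_project }}
          GERRIT_BRANCH: ${{ inputs.gerrit_branch }}
        run: |
          set -eu
          mkdir -p ~/.ssh
          printf '%s\n' "$GERRIT_SSH_KEY" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          printf '%s\n' "$GERRIT_HOST_KEY" >> ~/.ssh/known_hosts
          git config user.name  "dependabot-mirror (assumed bot name)"
          git config user.email "bot@example.invalid"
          # Gerrit requires a Change-Id footer; the standard commit-msg hook adds it on amend.
          curl -fsSLo .git/hooks/commit-msg https://gerrit.wikimedia.org/r/tools/hooks/commit-msg
          chmod +x .git/hooks/commit-msg
          git commit --amend --no-edit
          git push "ssh://bot@gerrit.wikimedia.org:29418/$GERRIT_PROJECT" "HEAD:refs/for/$GERRIT_BRANCH"
---
# File 2 (hypothetical): .github/workflows/dependabot-to-gerrit.yml in each mirrored repository.
# This is the only file that has to be copied around; the logic lives in File 1.
name: dependabot to gerrit

on:
  pull_request:
    branches: [master]

jobs:
  mirror:
    # Pin to a tag or commit SHA rather than @main so a change to the shared repo
    # cannot silently alter what every caller pushes to Gerrit.
    uses: wmde/github-workflows/.github/workflows/gerrit-mirror.yml@v1
    with:
      gerrit_project: mediawiki/extensions/WikibaseManifest
      gerrit_host_key: ${{ vars.GERRIT_HOST_KEY }}
    secrets:
      GERRIT_SSH_KEY: ${{ secrets.GERRIT_SSH_KEY }}
```

Two caveats worth checking before rolling this out: workflow runs triggered by dependabot's own `pull_request` events receive Dependabot secrets rather than the repository's Actions secrets, so the bot key has to be stored where that event can actually read it (or the trigger changed accordingly); and whatever key is used should belong to a dedicated Gerrit bot account with upload-only rights, since it will live in every mirrored repository's secret store.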
Acceptance Criteria 🏕️🌟 (September 2021)
- Reduce the copy-paste requirement of this task (see above)
- Enable dependabot patch mirroring for all of our Gerrit repos that have dependencies dependabot can update: https://wmde.github.io/wikidata-wikibase-team/repositories/