
[Proposal] Experiment with Dependabot self-merging updates
Open, Needs Triage, Public

Description

The problem

Our applications are built on numerous tools and libraries. All of them need to be kept up to date, because security issues in dependencies are real.

Current situation

Updating dependencies manually is not feasible.
We also use Dependabot, which checks our repos for possible updates on a configured interval and opens PRs for updates whenever they are available and applicable.

Problems with the current situation

While Dependabot is convenient, we still need to check manually whether an update breaks any of our functionality; our integration test coverage is not sufficient to auto-merge PRs on a green CI status alone.
As the sheer number of open Dependabot PRs on our repos demonstrates, it is not realistic to incorporate this additional workload into our day-to-day work.

How it could work

We harden our CI setup so that we can be as sure as possible that a green build means the application still works as intended.
Once this is done, we allow Dependabot to self-merge its PRs, possibly even creating releases after doing so.

Testing this approach

Getting to good enough test coverage for everything in one step is not realistic, which is why we have to pick a "test bed" for this approach.

Option 1: picking an ecosystem

A good option would be to pick an "ecosystem" as defined by Dependabot and get all repos into a state where Dependabot PRs for that ecosystem can be merged, either by Dependabot itself or by team members, without requiring any additional checking.

If we picked, for example, the docker ecosystem, which updates Docker base images, we could:

  • Harden the Hadolint setup to be as strict as possible
  • Add a basic integration test setup that checks whether the application starts and stays up and responds to HTTP requests
  • Allow Dependabot to self-merge PRs for that ecosystem
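As an added illustration (not part of this proposal or any of our repos), a GitHub Actions workflow that would implement the docker-only self-merge gate. It assumes the repos live on GitHub, that the `dependabot/fetch-metadata` action is available, and that branch protection on the target branch requires the Hadolint and integration-test checks: `gh pr merge --auto` then merges only once those required checks are green, so the gate is only as strong as the branch protection behind it.

```yaml
# Constructed example: auto-merge Dependabot PRs for the docker ecosystem only.
name: Dependabot self-merge (docker ecosystem)

on: pull_request

# Dependabot-triggered workflows get a read-only token unless permissions are
# granted explicitly; these are the minimum needed to enable auto-merge.
permissions:
  contents: write
  pull-requests: write

jobs:
  dependabot-automerge:
    runs-on: ubuntu-latest
    # Only run for PRs actually authored by Dependabot, not for anyone
    # who happens to open a PR from a branch named like one.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Read Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

      # Gate 1: the ecosystem picked as the test bed.
      # Gate 2: only patch or minor bumps; major bumps still get a human review.
      - name: Enable auto-merge for docker base-image updates
        if: >-
          steps.metadata.outputs.package-ecosystem == 'docker' &&
          (steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
           steps.metadata.outputs.update-type == 'version-update:semver-minor')
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          # --auto defers the merge until every required status check passes;
          # without branch protection it would merge immediately.
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

A PR for any other ecosystem, or a major base-image bump, simply skips the merge step and waits for a team member, which matches the "self-merged or by team members" split above.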

Option 2: picking a repo

If we wanted to exemplify this on a single repository but across all Dependabot ecosystems, we could pick the ui repository and do the following:

  • Set up integration tests for the application, working against the mocked API
  • Run these in CI
  • Allow Dependabot to self-merge PRs for that repository