From b10388e968fabe93d760c6917cdf686064755d0b Mon Sep 17 00:00:00 2001 From: Ben Thorner Date: Fri, 15 May 2020 14:10:44 +0100 Subject: [PATCH] Add extra notes that detail how we use Dependabot Previously we had regular discussion on GOV.UK about how we can make Dependabot less burdensome. This adds and consolidates the notes on Dependabot to record the outcome of those discussions, so we don't keep having them again, and again, and... --- source/standards/tracking-dependencies.html.md.erb | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/source/standards/tracking-dependencies.html.md.erb b/source/standards/tracking-dependencies.html.md.erb index b4373a1a..d5111563 100644 --- a/source/standards/tracking-dependencies.html.md.erb +++ b/source/standards/tracking-dependencies.html.md.erb 
@@ -20,13 +20,18 @@ Update your dependencies frequently rather than in ‘big bang’ batches. This There are tools which scan GitHub repositories and raise PRs when they find dependency updates. Teams at GDS are using: -* [Dependabot][] - used by GOV.UK, GOV.UK Pay and GovWifi. The GOV.UK team manual contains [guidance on using Dependabot][] and [how the PRs raised should be reviewed][] +* [Dependabot][] - used by GOV.UK, GOV.UK Pay, GovWifi and Digital Marketplace. The GOV.UK docs contain [guidance on using Dependabot][] and [how the PRs raised should be reviewed][] + > Note: this is separate from the [security-only updates provided automatically by GitHub Dependabot]. + + > Note: repos requiring at least one approving review for PRs cannot, and should not, use [Dependabot's auto-approve-and-merge facility]. + + > Note: we have not enabled "Treat PR approval as a request to merge", as this would lead to a surprising behaviour at the point of approval. + * [PyUp][] - a Python dependency checker. Used by Digital Marketplace and GOV.UK Notify, PyUp will monitor for updates and vulnerabilities * [Greenkeeper][] - an npm dependency checker used by the GOV.UK Verify team on the [Node.js client for the Verify Service Provider][] All the above tools are free to use on public repositories. -GitHub has turned on Dependabot for all repositories which are active, public and have not been forked. The Cyber Security team will review the repositories that do not have dependency management in use and will turn on Dependabot where required. Service teams are free to use a different tool such as [Snyk](https://snyk.io/), but will need to add a `no-dependabot` tag to their repository for monitoring purposes. You can [contact Cyber Security](https://gds.slack.com/archives/CCMPJKFDK) if you have any questions or need help. 
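Review bot: the hunk drops the paragraph beginning `GitHub has turned on Dependabot for all repositories which are active, public and have not been forked.` without the commit message mentioning a removal, and the three new notes do not replace what it carried: that the Cyber Security team will enable Dependabot on repos with no dependency management, that teams using a different tool such as Snyk must add a `no-dependabot` tag to their repository for monitoring, and the Slack channel for questions. Either restore that paragraph (the `no-dependabot` tag instruction at least, since it is what lets the monitoring distinguish an opted-out repo from an unmanaged one) or state in the commit message where that guidance now lives. Two smaller points on the added notes: they record the decisions but not the reasons, yet the commit message says the aim is to stop the same discussion recurring, so say why a repo requiring an approving review "should not" use the auto-approve-and-merge facility and what the "surprising behaviour" of "Treat PR approval as a request to merge" actually is; and check how the `> Note:` lines render with a single leading space inside the `*` list item, as they may fall out of the list and leave `* [PyUp][]` starting a separate list.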
@@ -70,6 +75,8 @@ Also consider managed solutions where possible. For example: This guidance is in line with the GDS Reliability Engineering strategic principle of [use fully managed cloud services by default][]. +[Dependabot's auto-approve-and-merge facility]: https://dependabot.com/blog/automatic-pull-request-merging/ +[security-only updates provided automatically by GitHub Dependabot]: https://help.github.com/en/github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies#alerts-and-automated-security-updates-for-vulnerable-dependencies [GDS supported programming languages]: /standards/programming-languages.html#content [managing software dependencies in the Service Manual]: https://www.gov.uk/service-manual/technology/managing-software-dependencies [programming language style guides]: /manuals/programming-languages.html
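Review bot: the two new link definitions are referenced in the previous hunk with the bare `[text]` shortcut form, whereas every other link in this file uses the `[Dependabot][]` form; pick one so the references are easy to grep and so the renderer treats them all the same way. Also keep the definition block in the alphabetical order the surrounding entries follow (`[GDS supported programming languages]`, `[managing software dependencies in the Service Manual]`, `[programming language style guides]`): `[Dependabot's auto-approve-and-merge facility]` is correctly placed before the G entry, but `[security-only updates provided automatically by GitHub Dependabot]` should sit after `[programming language style guides]` rather than ahead of it. Finally, the help.github.com target relies on a long `#alerts-and-automated-security-updates-for-vulnerable-dependencies` fragment that is likely to change when that page is restructured, so consider linking to the page without the fragment.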