
Enable automerging of external dependencies #3217

Conversation

unoduetre
Contributor

@unoduetre unoduetre commented Jun 6, 2024

⚠️ This repo is Continuously Deployed: make sure you follow the guidance ⚠️

Follow these steps if you are doing a Rails upgrade.

What

Enable automerging of external dependencies

Why

To enable automerging of external dependencies in order to lessen the maintenance burden of developers.

Trello ticket

The criteria mentioned in the following document have been evaluated. They are repeated below. The linked document provides further explanations of them.

  1. MUST ensure it has sufficient security scanning
  2. MUST only be applied where there is no manual deployment step
  3. MUST ensure that branch protection rules are in place that prevent pushes to main if required status checks fail
  4. SHOULD ensure it has sufficient test coverage
  5. SHOULD only automatically patch where the dependency version bump is patch or minor

MUST ensure it has sufficient security scanning

Snyk has been removed. Dependency Review Scan and Dependabot will be the only SCA tools for the main branch. The security impact of that is being discussed (see the link above).

Nevertheless, the following comment has been made in the document linked above: "However as outlined in 2023-06-18 SCA tool evaluation for GOV.UK our current tool Dependabot outperformed other scans. Hence it's unlikely that other options (Semgrep, Bundler Audit) will add value."

In my opinion this shows sufficient security scanning is being done, and the teams responsible for the infrastructure can easily add additional SCA tools in the future, if the decision is made that a single tool is not enough.

MUST only be applied where there is no manual deployment step

There is no manual step for this repository.

MUST ensure that branch protection rules are in place that prevent pushes to main if required status checks fail

There is a branch protection rule for the main branch which checks if "Dependency Review scan / dependency-review-pr" was successful for the branch being merged.

SHOULD ensure it has sufficient test coverage

The test coverage as measured by simplecov is 98.98%. This is above the 95% mentioned in the linked document.

SHOULD only automatically patch where the dependency version bump is patch or minor

This change only merges patch and minor releases, as explained in the comment on one of the examples in the linked document.
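The two technical controls the checklist above relies on, a required status check on the protected branch (criterion 3) and a semver gate that excludes major bumps (criterion 5), can be wired together in a single GitHub Actions workflow. The workflow below is an added illustration and is not the project's own configuration or the diff of this PR. It assumes the default branch is `main`, that a branch protection rule on `main` lists "Dependency Review scan / dependency-review-pr" as a required check, and that "Allow auto-merge" is enabled in the repository settings. The workflow name, job name and the comment text are made up for the example; the `dependabot/fetch-metadata` outputs and `gh pr merge --auto` are real, documented behaviour.

```yaml
# Added example: Dependabot auto-merge limited to patch and minor bumps.
# Not the project's own workflow. Assumes a branch protection rule on main
# that requires the "Dependency Review scan / dependency-review-pr" check.
# Action versions are shown as tags; pin them to commit SHAs in a real repo.
name: Automerge Dependabot PRs

on:
  pull_request:

# Workflows triggered by Dependabot PRs get a read-only token unless the
# permissions block raises it. Merging and commenting need these two scopes.
permissions:
  contents: write
  pull-requests: write

jobs:
  automerge:
    runs-on: ubuntu-latest
    # Only act on PRs that Dependabot itself opened, never on human PRs.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Read Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Criterion 5: only patch and minor bumps are queued for auto-merge.
      # update-type is one of version-update:semver-patch, -minor or -major.
      # "--auto" does not merge immediately; it merges only once every check
      # required by branch protection has passed (criterion 3). Without a
      # required check the PR would merge as soon as it is mergeable.
      - name: Enable auto-merge for patch and minor updates
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Major bumps fall through to manual review; leave a visible reason.
      - name: Flag major updates for manual review
        if: steps.metadata.outputs.update-type == 'version-update:semver-major'
        run: gh pr comment "$PR_URL" --body "Major version bump: not auto-merged, needs manual review."
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The important check when reviewing a setup like this is the branch protection rule, not the workflow: `gh pr merge --auto` defers to whatever checks the rule marks as required, so if the dependency review job is present but not required, the SCA scan runs and is ignored at merge time. Verifying that the rule names the exact check string, as this PR's description does, is what turns criterion 1 into an actual gate.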

@govuk-ci govuk-ci temporarily deployed to government-frontend-pr-3217 June 6, 2024 14:08 Inactive
@unoduetre unoduetre marked this pull request as ready for review June 6, 2024 14:15
@unoduetre unoduetre merged commit cdead00 into main Jun 7, 2024
12 checks passed
@unoduetre unoduetre deleted the 2612-increase-test-coverage-of-government-frontend-and-enable-automerging-of-external-dependencies-l branch June 7, 2024 08:22