Manage Ruby dependencies with Dependabot
To help with this we’re currently trialling a service called Dependabot to perform automated dependency upgrades.
- PRs from Dependabot are considered to be from a external contributor and need 2 reviews
- You can ignore pull requests from the bot by replying
@dependabot ignore this major version, but you have to add the PR to the tech debt Trello board
Add Dependabot to a repo
- Give Dependabot access to the repo (only GitHub org owners can do this)
- Go to Dependabot admin and click “Add project”
Ask Dependabot to bump Dependencies
By default Dependabot will bump dependencies once a day, but you can ask it to bump manually:
Go to Dependabot admin and click “Bump now” for your project
There are 2 safeguards to prevent unauthorised code changes. Firstly, Dependabot can only update the repositories that we explicitly allow on GitHub. This prevents code changes to other repos. Secondly, we’ve set up branch protection for all repos with the
govuk label. This prevents Dependabot from writing directly to master.