Manage Ruby dependencies with Dependabot
RFC 126 describes the custom configuration we have for Dependabot to reduce the number of PRs it opens, and therefore the number of deployments and effort required to keep our apps up to date.
Reviewing Dependabot PRs
Dependabot updates occur relatively soon after a new version is published, which means there’s a risk of updating to a rogue version. Some updates also contain breaking changes, irrespective of when they are published.
When reviewing a Dependabot PR you should do the following:
- Check the CHANGELOG for any breaking changes or upgrade instructions.
- Use “See full diff in compare view” to verify that the version bump in the repo matches the version published on RubyGems for the PR.
- Verify that the author of the version bump commit is a regular contributor to the repo; otherwise, review the commits in more detail.
For these reasons we’re not planning to enable auto-merge for Dependabot PRs.
Add Dependabot to a repo
Any GOV.UK developer with production access can enable Dependabot for a repo.
- Navigate to the repo on GitHub, click “Insights”.
- Choose the “Dependency graph” menu item.
- Select the “Dependabot” tab.
- Click “Enable Dependabot”.
- To configure Dependabot, create a PR that adds a configuration file. In RFC 126 it was decided that a custom configuration would be used for GOV.UK applications. Once you have written a .github/dependabot.yml configuration file, create a pull request and merge it into the repo. Dependabot will automatically run following the merge.
Ask Dependabot to bump dependencies
By default Dependabot will bump dependencies at the frequency specified in the configuration file, but you can ask it to bump manually:
Go to your project in GitHub and click on “Insights”, then “Dependency graph”, then “Dependabot”, then “Last checked X minutes ago” next to the package manager of choice (e.g. Gemfile). Then you can click “Check for updates”.
Audit Dependabot PRs
We have the govuk-dependencies app to monitor outstanding Dependabot PRs on govuk repos.
There are 2 safeguards to prevent unauthorised code changes. Firstly, Dependabot can only update the repositories that we explicitly allow on GitHub. This prevents code changes to other repos. Secondly, we’ve set up branch protection for all repos with the govuk label. This prevents Dependabot from writing directly to main.