Manage Ruby dependencies with Dependabot
RFC 126 describes the custom configuration we have for Dependabot to reduce the number of PRs it opens, and therefore the number of deployments and effort required to keep our apps up to date.
Reviewing Dependabot PRs
Dependabot updates occur relatively soon after a new version is published, which means there’s a risk of updating to a rogue version. Some updates also contain breaking changes, irrespective of when they are published.
When reviewing a Dependabot PR you should do the following:
- Check the CHANGELOG for any breaking changes or upgrade instructions.
- Use “See full diff in compare view” to verify that the version bump in the source repo matches the version in the PR, i.e. the one published on RubyGems.
- Verify that the author of the version bump commit is a regular contributor to the repo; otherwise review the commits in more detail.
For these reasons we’re not planning to enable auto-merge for Dependabot PRs.
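The review checks above can be partly scripted. The following is an added example, not code from the GOV.UK docs or from Dependabot: it parses the Gemfile.lock hunk of a PR, classifies each bump (patch, minor, major, downgrade) so you know how carefully to read the CHANGELOG, and checks that the new version actually appears among the versions RubyGems has published, which is the same comparison the compare view is used for. The diff and the published-version list are constructed for the example; in practice the list would be fetched from https://rubygems.org/api/v1/versions/<gem>.json, and the nokogiri entry deliberately lacks the new version so the "not on RubyGems" case is exercised.

```ruby
require "rubygems" # Gem::Version; loaded by default in Ruby, required here for clarity

# Constructed sample: the Gemfile.lock hunk of a Dependabot-style PR (not a real PR).
SAMPLE_DIFF = <<~DIFF
  --- a/Gemfile.lock
  +++ b/Gemfile.lock
  @@ -10,8 +10,8 @@ GEM
       minitest (5.20.0)
  -    nokogiri (1.15.4)
  +    nokogiri (1.16.0)
  -    rack (3.0.8)
  +    rack (3.0.9)
  -    rails (7.0.8)
  +    rails (7.1.2)
       zeitwerk (2.6.12)
DIFF

# Constructed stand-in for the versions RubyGems reports for each gem. In practice
# this would come from https://rubygems.org/api/v1/versions/<gem>.json; here the
# nokogiri entry deliberately lacks 1.16.0 to show the "not on RubyGems" case.
PUBLISHED_VERSIONS = {
  "nokogiri" => ["1.15.3", "1.15.4", "1.15.5"],
  "rack"     => ["3.0.7", "3.0.8", "3.0.9"],
  "rails"    => ["7.0.8", "7.1.0", "7.1.1", "7.1.2"],
}.freeze

# Matches removed/added lockfile spec lines such as "-    rails (7.0.8)".
# The version capture stops at "-" so a platform suffix like "-x86_64-linux" is dropped.
SPEC_LINE = /\A([-+])\s+(\S+) \(([^)\s-]+)/

# Returns { "gem" => [old_version, new_version] } for every gem whose version changed.
def parse_bumps(diff)
  removed = {}
  added = {}
  diff.each_line do |line|
    next unless (m = SPEC_LINE.match(line.chomp))
    sign, name, version = m.captures
    (sign == "-" ? removed : added)[name] = version
  end
  removed.each_with_object({}) do |(name, old_v), bumps|
    new_v = added[name]
    bumps[name] = [old_v, new_v] if new_v && new_v != old_v
  end
end

# Classifies a bump by the first differing version segment (SemVer-style).
def bump_type(old_v, new_v)
  old_ver = Gem::Version.new(old_v)
  new_ver = Gem::Version.new(new_v)
  return :downgrade if new_ver < old_ver
  o = old_ver.segments
  n = new_ver.segments
  return :major if o[0] != n[0]
  return :minor if o[1] != n[1]
  :patch
end

# Builds one review record per bumped gem, checking the new version against the
# published list so a version that only exists in the PR stands out.
def review_bumps(diff, published)
  parse_bumps(diff).map do |name, (old_v, new_v)|
    {
      gem: name,
      from: old_v,
      to: new_v,
      bump: bump_type(old_v, new_v),
      on_rubygems: published.fetch(name, []).include?(new_v),
    }
  end
end

# A bump needs closer review when it is a major (or a downgrade) or when the new
# version is not among the published ones: read the CHANGELOG and the compare view commits.
def needs_attention?(record)
  %i[major downgrade].include?(record[:bump]) || !record[:on_rubygems]
end

if __FILE__ == $PROGRAM_NAME
  review_bumps(SAMPLE_DIFF, PUBLISHED_VERSIONS).each do |r|
    flag = needs_attention?(r) ? "REVIEW" : "ok"
    puts format("%-8s %-10s %-8s -> %-8s on RubyGems: %-5s %s",
                flag, r[:gem], r[:from], r[:to], r[:on_rubygems], r[:bump])
  end
end
```

Running the file prints one line per bumped gem; nokogiri is flagged because 1.16.0 is not in the published list, which is exactly the situation where a reviewer should go to the compare view and look at who made the version bump commit.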
Add Dependabot to a repo
- Give Dependabot access to the repo (only GitHub org owners can do this)
- Go to Dependabot admin and click “Add project”
Ask Dependabot to bump dependencies
By default Dependabot will bump dependencies once a day, but you can ask it to bump manually:
Go to your project in GitHub and click on “Insights”, then “Dependency graph”, then “Dependabot”, then “Last checked X minutes ago” next to the package manager of choice (e.g. Gemfile). Then you can click “Check for updates”.
Audit Dependabot PRs
We have the govuk-dependencies app to monitor outstanding Dependabot PRs on govuk repos.
There are two safeguards to prevent unauthorised code changes. Firstly, Dependabot can only update the repositories that we explicitly allow on GitHub, which prevents code changes to other repos. Secondly, we’ve set up branch protection for all repos with the govuk label, which prevents Dependabot from writing directly to main.