Manage Ruby dependencies with Dependabot

We’re obliged to keep our software current.

To help with this, we use a service called Dependabot to perform automated dependency upgrades.

Who can merge Dependabot PRs

  • GOV.UK-owned gems (govuk_app_config, govspeak for example) need 1 reviewer
  • Gems found in the test block in the Gemfile (Capybara for example) need 1 reviewer
  • All other gems (Rails for example) are considered to be from an external contributor and need 2 reviewers

You can ignore pull requests from the bot by replying “@dependabot ignore this major version”, but you have to add the PR to the tech debt Trello board.
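The three reviewer rules above can be applied mechanically if you know which block of the Gemfile a gem lives in. The script below is an added example, not code from the GOV.UK developer docs or from Dependabot: it parses a Gemfile, collects the gems declared in a test group (either inside a `group :test do … end` block, a mixed `group :development, :test do` block, or with an inline `group: :test` option) and returns the number of reviewers a Dependabot PR for a given gem needs. The list of GOV.UK-owned gems is an assumption built from the two examples on this page; the sample Gemfile is constructed.

```ruby
# Added example: decide how many reviewers a Dependabot PR needs,
# following the three rules on this page. Not GOV.UK or Dependabot code.

# Assumption: only the gems named on the page; a real check would use a
# complete list of GOV.UK-owned gems.
GOVUK_GEMS = %w[govuk_app_config govspeak].freeze

# Return the names of gems that belong to the :test group.
# Handles `group :test do ... end`, `group :development, :test do ... end`
# and the inline `group: :test` / `:group => :test` forms.
def test_gems(gemfile_source)
  found = []
  block_stack = [] # one entry per open `do ... end`; the entry lists the groups it declares
  gemfile_source.each_line do |line|
    stripped = line.strip
    if (m = stripped.match(/\Agroup\s+(.+?)\s+do\b/))
      block_stack.push(m[1].scan(/:(\w+)/).flatten)
    elsif stripped =~ /\bdo(\s*\|[^|]*\|)?\s*\z/
      block_stack.push([]) # some other block, e.g. `source "..." do`
    elsif stripped =~ /\Aend\b/
      block_stack.pop
    elsif (m = stripped.match(/\Agem\s+['"]([^'"]+)['"](.*)\z/))
      name, rest = m[1], m[2]
      in_test_block = block_stack.any? { |groups| groups.include?("test") }
      inline_test = rest.match?(/group:\s*(:test|\[[^\]]*:test[^\]]*\])/) ||
                    rest.match?(/:group\s*=>\s*:test/)
      found << name if in_test_block || inline_test
    end
  end
  found.uniq
end

# 1 reviewer for GOV.UK-owned gems and test-only gems, 2 for everything else.
def reviewers_needed(gem_name, gemfile_source)
  return 1 if GOVUK_GEMS.include?(gem_name)
  return 1 if test_gems(gemfile_source).include?(gem_name)

  2
end

# Constructed sample Gemfile for demonstration purposes.
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"

  gem "rails", "~> 5.2"
  gem "govuk_app_config"
  gem "govspeak"
  gem "pry", group: :development

  group :development, :test do
    gem "rubocop-govuk"
  end

  group :test do
    gem "capybara"
    gem "webmock"
  end
GEMFILE

if __FILE__ == $PROGRAM_NAME
  %w[capybara govspeak rails pry].each do |gem_name|
    puts "#{gem_name}: #{reviewers_needed(gem_name, SAMPLE_GEMFILE)} reviewer(s)"
  end
end
```

A gem that is only in the `:development` group (pry in the sample) is deliberately treated as an external gem needing 2 reviewers, because the page's one-reviewer rule covers the test block only.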

Add Dependabot to a repo

  1. Give Dependabot access to the repo (only GitHub org owners can do this)
  2. Go to Dependabot admin and click “Add project”

Ask Dependabot to bump dependencies

By default Dependabot will bump dependencies once a day, but you can ask it to bump manually:

Go to Dependabot admin and click “Bump now” for your project

There are 2 safeguards to prevent unauthorised code changes. Firstly, Dependabot can only update the repositories that we explicitly allow on GitHub. This prevents code changes to other repos. Secondly, we’ve set up branch protection for all repos with the govuk label. This prevents Dependabot from writing directly to master.

This page was last reviewed on 3 September 2018. It needs to be reviewed again on 3 March 2019 by the page owner #govuk-developers .