
Conversation

@lenikadali (Collaborator) commented Sep 10, 2025

What is the goal of this PR and why is this important?

Adding dependency auditing using GitHub's dependabot

How did you approach the change?

Looked at the Homeward Tails implementation here and the Dependabot documentation here with the interval initially set to weekly to test the workflow. If we are comfortable with a more frequent upgrade schedule, the configuration can be changed to daily.

Anything else to add?

Maybe we want to use renovate? My impression is that it is meant for non-GitHub repositories (e.g. it would be useful if we were on GitLab or Codeberg) but happy to use that if it fits 😊

P.S.: We can merge and do a test run. If it doesn't work the way we would like, then we can revert the change and/or push up a fix for the workflow.

Adds dependency auditing using GitHub's dependabot
Based on the Homeward Tails implementation here
https://github.com/rubyforgood/homeward-tails/blob/main/.github/dependabot.yml
with the interval initially set to weekly to test the workflow.

If we are comfortable with a more frequent upgrade schedule,
the configuration can be changed to daily.
@elasticspoon (Collaborator) commented Sep 10, 2025

I left this comment on the issue but I'll duplicate it here:

This is great! Dependabot is probably the best approach but I would say this should wait until we get the app to rails 8. So many of the dependencies are out of date that if dependabot starts opening PRs it's gonna create a crazy amount of noise.

Some other notes too:

  • once a week sounds great.
  • I think we should group the patch and minor versions together to open fewer PRs

@maebeale (Collaborator)

> I left this comment on the issue but I'll duplicate it here:
>
> This is great! Dependabot is probably the best approach but I would say this should wait until we get the app to rails 8. So many of the dependencies are out of date that if dependabot starts opening PRs it's gonna create a crazy amount of noise.
>
> Some other notes too:
>
>   • once a week sounds great.
>   • I think we should group the patch and minor versions together to open fewer PRs

fwiw, I agree with @elasticspoon re waiting until we've done some more of the upgrade work. AND, very excited to get this added to this project -- thanks, @lenikadali!

@lenikadali (Collaborator, author) commented Sep 10, 2025

> I think we should group the patch and minor versions together to open fewer PRs

Makes sense. Will add 👌

> this should wait until we get the app to rails 8.

No worries 😎 I think we can discuss this in the Upgrade and Stuff to Do #3 issue

@johnpaulashenfelter (Collaborator)

Partially handled in #110. Can add Rails after upgrades are over to reduce the noise.

Merged main branch as it contains PR rubyforgood#110
rubyforgood#110
that completes the addition of dependency audits
to AWBW with the exception of Rails.
@lenikadali (Collaborator, author)

> Partially handled in #110. Can add Rails after upgrades are over to reduce the noise.

Nice! 😇 In which workflow should I put the TODO for this? I thought maybe the sanity-check workflow but wasn't sure.

> I think we should group the patch and minor versions together to open fewer PRs

@elasticspoon for now, I think I will put a TODO in the dependabot workflow so that it doesn't get forgotten but not sure how grouping will fit with the current structure of the workflows. Probably for a follow-up PR so that this one doesn't get too long to review ☺️
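The two knobs discussed in this thread (a weekly interval, and grouping minor and patch bumps into a single PR so an out-of-date dependency set does not produce a flood of PRs) map directly onto `dependabot.yml` keys. The configuration below is an added illustration, not the project's actual `.github/dependabot.yml` or the one from Homeward Tails; it assumes the app uses Bundler for gems and GitHub Actions for CI, and the group names and the Rails `ignore` entry are assumptions chosen to show how the "add Rails after upgrades are over" idea could be expressed.

```yaml
# .github/dependabot.yml (illustrative; not the project's own file)
# Assumes a Bundler-managed Rails app with GitHub Actions workflows.
version: 2
updates:
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "weekly"          # start weekly as agreed; "daily" is the other option
    open-pull-requests-limit: 5   # hard cap on open version-update PRs while the gem set is stale
    groups:
      # Assumed group name. All gems' minor and patch bumps land in one PR;
      # major bumps are excluded from the group and get their own PR each.
      ruby-minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    ignore:
      # Assumed: hold back Rails major bumps until the manual upgrade is done.
      # Minor/patch Rails releases are still offered (inside the group above).
      - dependency-name: "rails"
        update-types: ["version-update:semver-major"]

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      actions:                    # assumed group name
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
```

Two caveats worth keeping in mind when reviewing the real file: `update-types` in a `groups` entry only works for dependencies that use semantic versioning, so a gem with a non-semver scheme falls outside the group, and this file only configures Dependabot version updates. Dependabot alerts and security updates are switched on separately in the repository's settings, so a weekly schedule here does not delay a security advisory.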

@maebeale (Collaborator) left a review comment

Agree we can start weekly and go from there. Thanks for getting this into the project, @lenikadali !

Added a TODO for adding group updates to dependabot in the dependabot workflow so that it doesn't get forgotten since we are not sure how grouping will fit with the current structure of the workflows.
@lenikadali lenikadali merged commit 4f5cfb6 into rubyforgood:main Sep 17, 2025
2 checks passed
@lenikadali lenikadali deleted the add-dependency-audits-to-awbw branch September 17, 2025 16:43