Right now we get notified of vulnerabilities by gem_security.sh, which fails builds. This makes it difficult to see other test failures.
If we use Dependabot, we will get notified of gem vulnerabilities by pull requests that modify Gemfile/Gemfile.lock. The new workflow would be:
1. The bot opens pull requests for gem updates. The bot can be configured to apply the necessary labels: "Gem Updates" and "Awaiting Reviews".
2. We create JIRA issues and edit the issue IDs into the bot's PR titles. After that, the workflow goes on as normal. As long as the issue is in JIRA and the PR is open, we won't forget about the update.
To switch to the bot, we need to:
1. Modify gem_security.sh so that it no longer runs "exit 1" (report the vulnerability without failing the build).
2. Modify the Gemfile to state the Ruby version explicitly, since the bot cannot resolve a version read with File.read.
3. Sign up for an account on the bot site (any staffer can do it).
4. Set the bot to run daily, and only include security updates.
5. On the first PR by the bot, set the default labels for future PRs.
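For reference, the same settings (daily schedule, security-only updates, default labels) expressed as a .github/dependabot.yml for the GitHub-native version of the bot. This is an added example, not part of the proposal above, which configures the bot through its website; it assumes the Gemfile sits at the repository root.

```yaml
# .github/dependabot.yml (added example; assumes Gemfile at the repo root)
version: 2
updates:
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "daily"
    # 0 disables ordinary version-bump PRs; security update PRs are still opened,
    # which matches the "only include security updates" setting above.
    open-pull-requests-limit: 0
    # Labels applied to every PR the bot opens, so the JIRA/review flow can pick them up.
    labels:
      - "Gem Updates"
      - "Awaiting Reviews"
```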