
Automate gem updates with Dependabot

Description

Right now we are notified of vulnerabilities by gem_security.sh, which fails the build whenever a vulnerable gem is found. A failing security check hides other test failures in the same run.

If we use Dependabot instead, we will be notified of gem vulnerabilities by pull requests that modify Gemfile/Gemfile.lock. The new workflow would be:

  • The bot opens pull requests for gem updates. The bot can be configured to apply the necessary labels: "Gem Updates" and "Awaiting Reviews".

  • We create JIRA issues and edit the issue IDs into the bot's PR titles. After that, the workflow goes on as normal. As long as the issue is in JIRA and the PR is open, we won't forget about the update.

To switch to the bot, we need to:

  • Modify gem_security.sh so that it no longer runs "exit 1" (report vulnerabilities without failing the build).

  • Modify the Gemfile to declare the Ruby version explicitly: the bot cannot evaluate File.read.

  • Sign up for an account on the bot site (any staffer can do it).

  • Set the bot to run daily, and only include security updates.

  • On the first PR by the bot, set the default labels for future PRs.
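As an added example of the first step (not the project's own gem_security.sh, whose contents are not in this ticket), the script below makes the audit advisory instead of blocking: it still prints the report, but always exits 0 so later test failures in the same CI run stay visible. It assumes the check is based on bundler-audit and its "Name: ... Advisory: ..." report format; the sample report and the advisory identifiers in it are constructed placeholders.

```shell
#!/bin/sh
# Advisory (non-blocking) gem audit. Assumption: the check is bundler-audit,
# whose report lists one "Name:" line per vulnerable gem.

# Constructed sample report in bundler-audit's layout; advisory IDs are placeholders.
SAMPLE_REPORT=$(cat <<'EOF'
Name: example-gem-a
Version: 1.0.0
Advisory: CVE-PLACEHOLDER-0001
Criticality: High
Title: constructed example advisory A
Solution: upgrade to >= 1.0.1

Name: example-gem-b
Version: 2.3.0
Advisory: CVE-PLACEHOLDER-0002
Criticality: Medium
Title: constructed example advisory B
Solution: upgrade to >= 2.3.1

Vulnerabilities found!
EOF
)

# summarize_audit REPORT_TEXT
# Prints a one-line summary of how many advisories the report contains.
# Always returns 0: the build is informed, not blocked.
summarize_audit() {
    report="$1"
    # grep -c exits 1 on zero matches; "|| true" keeps this safe under set -e.
    count=$(printf '%s\n' "$report" | grep -c '^Name: ' || true)
    if [ "$count" -gt 0 ]; then
        echo "gem_security: $count advisories found (build not blocked)"
    else
        echo "gem_security: no known vulnerabilities"
    fi
    return 0
}

# run_gem_security
# Runs bundler-audit, prints its full report, then the summary. bundler-audit
# exits non-zero when it finds advisories; that status is captured, not propagated.
run_gem_security() {
    if ! command -v bundle >/dev/null 2>&1; then
        echo "gem_security: bundler not installed, skipping" >&2
        return 0
    fi
    report=$(bundle exec bundle-audit check --update 2>&1) || true
    printf '%s\n' "$report"
    summarize_audit "$report"
}

# Only run the real audit when invoked as "gem_security.sh --run",
# so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    run_gem_security
fi
```

The summary line still lands in the CI log, and the Dependabot pull request remains the place where the update is actually tracked; the script's only job is to stop masking unrelated test failures.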

Environment

None

Status

Assignee

redsummernight

Reporter

redsummernight

Roadmap

Misc

Priority

Medium

Affects versions

0.9.226

Fix versions

Components

AutomatedTests

Difficulty

Medium

Required Access Level

None

Milestone

Internal 0.9