Transition from GitHub Actions Dependency Bump Workflow to Centralized Autofixes #93
Dependabot Autofixes
Hey folks 👋
We've noticed this repo is using GitHub Actions to bump dependencies. While automation certainly helps reduce toil, it also introduces additional risks for Shopify—so this approach should no longer be used.
InfraSec now has a centralized solution for automating dependency bumps: the upgrade-umpire bot. It's already working for all services for security patches, but you can—and should—use it for regular dependency bumps, too. It's safer, designed for Shopify needs, and incorporates additional security layers, like dependency analyzer scans and a soak period.
You can read more about how Autofixes works here, and watch this video on how to opt in.
You now have two options:
You have 7 days to decide. After that, any automerging workflow used to bump dependencies will be removed.
We highly recommend you switch to Autofixes—it's built to keep your repos secure and reduce risk across the company. If you need a hand migrating, check out the doc or reach out to #dependabot-security-autofix-support for help. Make sure to check the FAQ section below before sending us your question.
Thanks for helping keep Shopify safe! 💚
Dependabot Autofixes FAQ
How does Autofixes handle major version updates?
Autofixes now allows users to select Major version bumps for automerging, though we recommend careful consideration before enabling this option. Major version updates:
If you opt into Autofixes with the "all updates" setting, you can select whether you want only Minor and/or Patch version updates to be automatically merged. These selected updates will be automatically merged after they've undergone a 2-week soak period (specifically for non-security bumps) and dependency analyzer scanning.
Can I prevent certain packages from being automatically merged?
Yes! When opting in to Autofixes for all updates, you can specify packages that should not be automatically merged. This gives you fine-grained control over which dependencies you prefer to review manually, even if they're minor or patch updates.
This is particularly useful for dependencies that might require additional testing or consideration, even for seemingly minor changes.
How does Autofixes handle grouped updates in my dependabot.yml?
Autofixes doesn't currently support grouped updates. If your dependabot.yml includes a groups section, PRs containing multiple package bumps within those groups won't be automatically merged.
If you want your dependency updates to be eligible for automerging, you'll need to remove the groups section from your dependabot.yml. This will result in individual PRs for each dependency, which Autofixes can then process one by one.
In some cases, you may want to maintain certain package groups despite the automerge limitation. For example, tightly coupled packages like React and React DOM (which was a popular feature request back in the day, link), should typically be updated together to ensure compatibility and successful CI builds.
Feel free to keep these strategic groupings in your dependabot.yml, with the understanding that these grouped PRs will require manual review and merging.
What about other actions in my existing workflow, like triggering RBI updates?
Keep any essential CI processes from your current workflow! If you have actions like triggering RBI updates for validations that ensure the safety of dependency bumps, you should definitely retain these.
A good approach is to: