CONTRIBUTING.md (+26)
@@ -25,3 +25,29 @@ The [tests](.github/workflows/tests.yml) are [end-to-end black box tests](http:/
25
25
There is no need for a separate language for the tests - as we are running the actual GitHub Action we are able to use the [GitHub Action workflow syntax](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions), which gives us what we need (e.g. [expressions](https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#about-contexts-and-expressions)) to write clean tests.
26
26
27
27
28
+
## Updating dependencies
29
+
30
+
We use [GitHub Dependabot](https://docs.github.com/en/github/administering-a-repository/keeping-your-dependencies-updated-automatically)
31
+
([bought by GitHub in 2019](https://dependabot.com/blog/hello-github/) and now
32
+
[baked into GitHub](https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/))
33
+
to manage our dependencies.
34
+
35
+
Whenever possible, we let Dependabot update our dependencies automatically (by
36
+
[automatically creating a PR](https://docs.github.com/en/github/administering-a-repository/managing-pull-requests-for-dependency-updates#about-github-dependabot-pull-requests)
37
+
for us to merge).
38
+
39
+
Dependabot will
40
+
[automatically update non-Docker dependencies in our GitHub Actions](https://github.blog/2020-06-25-dependabot-now-updates-your-actions-workflows/).
41
+
42
+
For our other dependencies which cannot be updated automatically by Dependabot, we employ a bit of a hack.
43
+
We have a [`dependabot_hack.yml`](.github/workflows/dependabot_hack.yml) GitHub Action which triggers a Dependabot PR when these other dependencies have a new version to update to. This GitHub Action is set to never actually run; it exists just so that Dependabot can do its thing. The `dependabot_hack.yml` documents where in our codebase that we then need to **update to the new version manually** (we then **add this manual update as another commit to the PR that Dependabot creates**). NB we are able to use this hack to **manage _any_ dependency that uses
44
+
[GitHub releases](https://docs.github.com/en/github/administering-a-repository/about-releases)** - we are not limited to just dependencies which are themselves GitHub Actions (this is because Dependabot doesn't care
45
+
whether the dependencies are valid GitHub Actions, it just parses the file and updates any versions that are
46
+
managed through GitHub releases).
47
+
48
+
We could in theory automate this entirely (by e.g. having a GitHub Action that is triggered by Dependabot PRs,
49
+
which updates the version in the requisite files and then adds the change in a new commit to the Dependabot PR),
50
+
but that would be overkill for now.
51
+
52
+
Eventually as Dependabot adds more features we may be able to remove this workaround.
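Review bot: the description of `dependabot_hack.yml` (new lines 43-46) says the workflow "is set to never actually run" but not how that is achieved, so a contributor cleaning up the workflows could re-enable it and start running a job that was only ever meant to be parsed by Dependabot; state the trigger or condition that keeps it inert next to that sentence, and say explicitly that the manual follow-up commit must bump every location listed in that file to the same version Dependabot chose, otherwise the pin in the hack file and the real dependency silently diverge. The same paragraph is one long run-on ("NB we are able to use this hack ... managed through GitHub releases)"); splitting the "NB" sentence into its own short paragraph would make the "any dependency that uses GitHub releases" point easier to find. Minor: new line 40 says Dependabot updates "non-Docker dependencies" in the actions, but nothing here says which dependencies are Docker-based or why they are excluded; one clause naming them would avoid the question.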