Dependabot
Dependabot is now enabled, ensuring that VRO dependencies (Java, Python, Docker, and GitHub Actions) remain up-to-date. Daily scheduled checks automatically generate pull requests to upgrade library versions, like these examples. Additionally, the updates are auto-merged when safe to do so.
This setup helps keep VRO code secure by staying ahead of vulnerabilities and reduces the effort needed to resolve SecRel alerts, which is critical for production deployments.
The on-call developers, as assigned through PagerDuty, are responsible for monitoring and managing Dependabot pull requests and any related issues. If Dependabot encounters a problem or raises an update that requires attention:
- The on-call team members should review the PR, address any conflicts, and ensure that all tests and checks pass.
- If manual intervention is required due to the complexity of the PR or its potential impact on other dependent services:
  - Create a new issue to track the change.
  - Bring the issue to the team's attention during the daily scrum or in the Slack engineering channel for further discussion and prioritization.
- Regularly check for any alerts or notifications from Dependabot during your on-call shift to ensure smooth updates.
This ensures that dependency updates are managed efficiently, minimizing risks and delays in keeping the codebase secure and up-to-date.
UPDATE: Based on "Configuring access to private registries for Dependabot" and "GitHub Actions accessing secrets", PR #454 fixes this issue by:
- Adding an `ACCESS_TOKEN` secret to Dependabot's secrets.
- Updating the Dependabot config to use the secret to retrieve jars from the VA's repo (`starterBootPkgs`, https://maven.pkg.github.com/department-of-veterans-affairs/lighthouse-di-starter-boot) in order to build.
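The shape of that configuration, as an added example that is not VRO's own `.github/dependabot.yml`: it registers the private Maven registry named above and references the `ACCESS_TOKEN` Dependabot secret. The `REGISTRY_USERNAME` secret name, the root `directory` for each ecosystem, and the daily schedule are assumptions chosen for illustration.

```yaml
# .github/dependabot.yml (added example; assumed layout, not VRO's own file)
version: 2

registries:
  # Registry name matches the one referenced on this page; the URL is the
  # GitHub Packages Maven endpoint for the VA lighthouse-di-starter-boot repo.
  starterBootPkgs:
    type: maven-repository
    url: https://maven.pkg.github.com/department-of-veterans-affairs/lighthouse-di-starter-boot
    # GitHub Packages requires a username plus a token with the read:packages
    # scope. REGISTRY_USERNAME is an assumed secret name; ACCESS_TOKEN is the
    # Dependabot secret described on this page. Both must be stored as
    # Dependabot secrets (Settings > Secrets and variables > Dependabot);
    # Dependabot cannot read ordinary Actions secrets.
    username: ${{secrets.REGISTRY_USERNAME}}
    password: ${{secrets.ACCESS_TOKEN}}

updates:
  # Java: the Gradle build needs the private registry to resolve the starter jars.
  - package-ecosystem: "gradle"
    directory: "/"            # assumed: root build.gradle
    registries:
      - starterBootPkgs
    schedule:
      interval: "daily"
    labels:
      - "dependencies"        # the label used to find Dependabot PRs in the repo

  # Python, Docker and GitHub Actions updates need no private registry.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
```

Scope the token used for `ACCESS_TOKEN` to `read:packages` only, so that a leaked value grants nothing beyond reading the starter jars, and rotate it like any other production credential.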
Dependabot-generated PRs can be found under the Pull Requests tab by searching on open PRs with the `dependencies` label.
Also check for and address Code scanning and Secret scanning alerts.
If the proposed update seems minor or straightforward, follow these steps:
- Locate the Dependabot PR in the repo and ensure that all automated unit and integration tests and container health checks run successfully and pass.
- Perform a SecRel run on private repo side. Address any SecRel issues and update the public repo PR if needed.
- Optionally, conduct additional manual API testing based on the complexity of the update.
Sometimes, the auto-generated PR might miss some necessary changes to fully update the dependencies. After successful functional testing, push any additional changes to the branch and re-run SecRel to confirm no new security issues are introduced.
Whenever possible, update the `constraints` section in `shared.java.vro-dep-constraints.gradle` so that other project dependencies can be kept current.
If everything checks out with the generated (or updated) PR:
- Comment on the PR confirming that all tests have passed, and tag the Engineering Lead (or another relevant developer) for final approval.
- Since Dependabot authored the PR, only one additional reviewer is required for approval.
- Once approved, merge the PR into the `develop` branch.
If the proposed update is a significant or potentially breaking change that could require extensive testing and/or refactoring, you may choose to postpone it (similar to these PRs). In such cases:
- Close the PR with a detailed comment explaining the rationale, and tag the Engineering Lead and/or relevant developers.
- Create an issue to track the update for future consideration:
  - Navigate to the Issues tab and click "New Issue."
  - Select "Open a blank issue."
  - Complete the ticket details, using this issue as a reference (include a Description and Acceptance Criteria). Be sure to link relevant PRs so they appear in the issue comments.
  - Apply the `Engineer` and `vro-issue` labels under the Labels section.
  - Add the issue to the ABD VRO Project in the Projects section.