
Retime JS dependency update cron, and make new dependabot alert issue #239

Closed
GuySartorelli opened this issue May 6, 2024 · 4 comments
GuySartorelli commented May 6, 2024

In a recent CMS Squad retrospective we identified that the cron for creating the "JS pull-requests" GitHub issue is out-of-sync with our release schedule.

Currently this issue is created quarterly, with the second one being created shortly after a minor release. We do a minor release every 6 months.

Acceptance criteria

  • Retime cron in js-prs-issue.yml to run every 6 months, roughly 1 month before we'd schedule a beta release
  • Retime cron in update-js workflows for all supported modules to run every 6 months, roughly 1 month before we'd schedule a beta release
  • Double check that the information in the generated issue is still accurate with the new timing.
  • Either make a separate workflow or update the current one so that a separate issue is created explicitly only for checking dependabot alerts. This should be run either:
    • every 3 months, completely separately from the one that's currently created (and remove dependabot from the one that's currently created)
    • every 6 months, with a 3 month offset from the one that's currently created (and leave dependabot in the one that's currently created)
  • The dependabot-only issue should state to do:
    • a quick spot check to see if anything needs to be handled via security process
    • merge whatever can be merged
    • backport anything that seems like it needs to be patched immediately
  • Check if it’s possible to configure dependabot to look at more than the default branch. If it is:
    • make dependabot check the correct branch even for repos we don't own (some of these have the wrong default branch)
    • Document somewhere (maybe in the release process) that when we do a major release we need to have dependabot checking both the default branch and the previous major branch, while both are supported

PRs

Module Standardiser PRs
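For the second option in the acceptance criteria (a dependabot-only issue every 6 months, offset by 3 months from the existing JS pull-requests issue), a GitHub Actions workflow along these lines would do it. This is an added example, not a workflow from this issue or from the project's own repositories: the file name, the months and hour in the cron expression, the issue title and the checklist wording are all assumptions, and the schedule assumes the existing issue is created on 1 January and 1 July.

```yaml
name: Dependabot alerts issue

on:
  schedule:
    # Assumed timing (not taken from the issue): 1 April and 1 October at 09:00 UTC,
    # i.e. every 6 months with a 3-month offset from a JS PRs issue assumed to run
    # on 1 January and 1 July ('0 9 1 1,7 *'). GitHub Actions cron is always UTC.
    - cron: '0 9 1 4,10 *'
  # Manual trigger so the generated issue can be checked without waiting for the cron.
  workflow_dispatch:

permissions:
  issues: write

jobs:
  create-issue:
    runs-on: ubuntu-latest
    steps:
      - name: Create the dependabot alerts check issue
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh issue create --repo "$GITHUB_REPOSITORY" \
            --title "Check dependabot alerts" \
            --body-file - <<'EOF'
          Dependabot alerts check for supported modules.

          - [ ] Spot check open dependabot alerts and decide whether any need to go through the security process
          - [ ] Merge whatever dependabot pull requests can be merged
          - [ ] Backport anything that looks like it needs to be patched immediately
          EOF
```

Running it once via `workflow_dispatch` is the quickest way to confirm the generated issue reads as intended before the cron ever fires. On the branch question in the criteria: the `target-branch` setting in `dependabot.yml` only changes which branch version-update pull requests are checked and opened against; alerts and security updates still follow the repository's default branch.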

@GuySartorelli GuySartorelli changed the title Retime JS dependency update cron Retime JS dependency update cron, and make new dependabot alert issue May 6, 2024
@emteknetnz emteknetnz assigned emteknetnz and unassigned emteknetnz May 20, 2024
@GuySartorelli GuySartorelli self-assigned this May 29, 2024
GuySartorelli (Member, Author) commented:

We can configure the branch dependabot uses - but it's a bit confusing. It looks like it'll still use the default branch for dependabot alerts but then create pull requests against the branches you define? I'd rather not mess with this. It's more consistent to get alerts and PRs for the same branch.

@GuySartorelli GuySartorelli removed their assignment May 29, 2024
emteknetnz (Member) commented:

Reassigning to Guy to:

  • Manually run the new workflow to check the dependabot issue is created as expected
  • Run module standardisers to update the crons on update-js workflows

GuySartorelli (Member, Author) commented:

Both actions work well.

emteknetnz (Member) commented:

PRs merged
