Channels
chaos
loc-france
loc-angola
loc-russia
platformscript
loc-seattle
test2
azure
loc-australia
envoyz
it-meetups-organizers
platform-coffee
team
platform-engineering-in-edge-computing
loc-japan
loc-norway
loc-singapore
idp-resources
idp-architectural-design
aws
loc-bulgaria
gcp
loc-netherlands
loc-boston
events
loc-hong-kong
loc-irvine
loc-ireland
loc-philadelphia-chapter
platform-blueprints
platform-impact
loc-usa-eastcoast-chapter
docker-at-platformcon23
ant-group-at-platformcon23
zeet-at-platformcon23
vmware-tanzu-at-platformcon23
rafay-at-platformcon23
stormforge-at-platformcon23
cortex-at-platformcon23
loc-portland
loc-oslo
azure
loc-uk
security
outages
winners
observability
courier-com-at-plarformcon23
loc-india
loc-austin
loc-southern-caifornia
loc-belgium
building-our-platform-engineering-team
loc-vietnam
documentation
platform-tech
kubernetes
back-end
metrics
platformcon-news
marketing
platform-data
loc-dallas
opslevel-at-platformcon23
olxautos-orion-at-platformcon23
yotascale-at-platformcon23
loc-finland
loc-chicago
loc-portugal
loc-sweden
serverless
gitops
loc-brazil
mychannel-
loc-italy
verisure-commonservice-datastax
loc-turkey
loc-sfbayarea
loc-dcmetro
platformk8sathome
entryleveldevops-jobs
loc-israel
loc-myanmar
loc-ukraine
loc-scotland
loc-atlanta
loc-canada
platform-leadership
loc-bangalore
support
qualityassurance
product_management
devex
testrsetserfsdf
loc-korea
loc-germany
loc-switzerland
loc-poland
envoys
loc-china
platform-design
platform-stories
platform-culture
terraform
product-management
general
intros
jobs
Title
k
Kyle Campbell
05/11/2023, 11:03 AMI'd thought I'd ask how people manage "Dependabot hell" in their organizations. We have a feature team based model, so there's not clear ownership on any particular repo. Keeping up with Dependabot updates for 3rd parties is a struggle. We've debated auto merging minor version updates, but given how bad actors have tried to exploit bad package updates it feels wrong to go this way, but the volume of updates is hard to keep up with
l
Liora Milbaum
05/13/2023, 9:50 AMI’m using Renovate which is doing the same as dependabot but more and better.
From my experience, there is no one way fit all. There are many considerations to take into account. My idea is to start small (MVP) and continuously improve according to the feedback/requirements which pile up.
p
Phillip Verheyden
05/17/2023, 2:56 PMwe did a lot of hand-wringing around turning on automated dependabot approvals but once we did, we never looked back. It has become pretty crucial to our process.
We have the advantage though of having fantastic automated test coverage (> 85%) across every one of our services. I would feel a lot less good about it if we did not have good test coverage.
We’ve been operating with auto-approving both minor and patch updates for > 1yr. In that year, there is only a single breaking change that was merged in (an upgrade to boto) across thousands of merged PRs. We caught it before it made it to customers though via some manual testing.
We have been really happy with it but as @Liora Milbaum said, YMMV
but the volume of updates is hard to keep up withanother strategy could be to tone down the frequency of updates, for instance only have dependabot check for updates once a week
if you’re interested in auto-approve, this is the GitHub action we use:
name: Dependabot auto-approve
on: pull_request_target
permissions:
pull-requests: write
# From the docs at <https://github.com/dependabot/fetch-metadata#enabling-auto-merge>
jobs:
dependabot:
runs-on: ubuntu-latest
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
steps:
- name: Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@v1.3.0
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"
- name: Auto-approve minor or patch updates
if: |
steps.metadata.outputs.update-type == 'version-update:semver-minor'
|| steps.metadata.outputs.update-type == 'version-update:semver-patch'
run: gh pr review --approve "$PR_URL"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}name: Dependabot auto-merge
on: pull_request
permissions:
pull-requests: write
contents: write
# Mostly from <https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request>
jobs:
dependabot:
runs-on: ubuntu-latest
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
steps:
- name: Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@v1.3.0
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"
- name: Enable auto-merge for Dependabot PRs
run: gh pr merge --auto --squash "$PR_URL"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}k
Kyle Campbell
05/17/2023, 4:31 PMThanks! We're still in the hand wringing phase, we did turn down to once a week but it's still a lot of PRs. We were thinking of doing the auto approve like you are doing @Phillip Verheyden, but glad to hear that it's worked well for you.
We had thought about Renovate also a while ago, but it may also be worth a rethink
l
Liora Milbaum
05/17/2023, 7:45 PMWith renovate, you can generate one PR for multiple updates. That saves us a lot of effort.
j
Jim Park
05/19/2023, 8:31 PMThanks for the suggestions in this 🧵 dependabot hell is real!
m
Michel Loiseleur
05/23/2023, 6:48 AMWe're using renovate, here too. Like @Liora Milbaum, this capacity to group multiple updates in one consistent PR really helped us.
For some dependencies that are updated multiple times per day, we grouped AND limit schedule to one PR per week.