Skip to content

Latest commit

 

History

History
67 lines (37 loc) · 4.07 KB

dependabot-updates.md

File metadata and controls

67 lines (37 loc) · 4.07 KB

Dependabot automatically scans the composer.json, composer.lock, package.json, and package-lock.json files to make sure packages are up to date. This document describes the process for reviewing and merging dependabot updates. Dependabot functionality is described on the Github documentation page

Determine the source

va-gov/content-build

The package va-gov/content-build is the va.gov content build. This PR can be merged if all tests pass. No other work is needed.

Packagist/NPM with release note

Updates from packagist and npm with release notes will have collapsed sections containing the details release notes and commits.

Example PR: department-of-veterans-affairs#6069

image

Review the release notes and determine if manually testing is required. Most of the time if all tests pass then the PR can be merged but this is a case by case basis. If you have any questions please reach out to your tech lead.

Packagist/NPM without release notes

Most of the time the release notes will be automatically added. In the cases where they are not, go to packagist/npm/github and add links to the release notes.

Here is an example: department-of-veterans-affairs#5665

image

To find the release notes, first start with the packagist/npm package which will link to the source code repository. For the example above, phpmailer is found here: https://packagist.org/packages/phpmailer/phpmailer

Drupal

Dependabot PRs created for Drupal packages will not have release notes or diff. These can be created manually using the following pattern:

Release Notes: (one link to each of the releases between current and suggested)
- https://www.drupal.org/project/<project>/releases/<release>

Diff: https://git.drupalcode.org/project/<project>/-/compare/<current_release>...<suggested_release>

Example: department-of-veterans-affairs#5651

Blazy module updating from version 8.x-2.2 to 8.x-2.4

Release Notes: 
* https://www.drupal.org/project/blazy/releases/8.x-2.4
* https://www.drupal.org/project/blazy/releases/8.x-2.3

Diff: https://git.drupalcode.org/project/blazy/-/compare/8.x-2.2...8.x-2.4?from_project_id=59405

image

Review the release notes and determine if manually testing is required. Most of the time if all tests pass then the PR can be merged but this is a case by case basis. If you have any questions please reach out to your tech lead.

It's also useful to review the code diff to look for any API/method changes and see if we use any of the changed code.

When Tugboat Fails to Deploy

The pull request events dispatched from GitHub to Tugboat cross the TIC; therefore, they are subject to inspection and rejection for possibly harmful content. As of now (February 2023), a rejected request still has a 200 HTTP status code, making this difficult to detect.

If a pull request's body contains code, it is possible that this will be interpreted as an attempt at server-side code injection. For instance, if the message contains "We started using filter_var() to check if a variable is boolean.", it may be flagged as attempting PHP code injection and rejected transparently, regardless of the surrounding text.

The result is that Tugboat will not receive the message and consequently will not know to deploy a PR preview environment, and so the complete suite of tests will not run.

In this case, commenting @dependabot recreate will probably not have any effect. Rather, enter the Tugboat interface, find the branch in the "available to build" list, and build it manually. The tests will run and work should proceed normally from that point.