Create automation tool that updates cookiecutter whenever a pypi or node package upgrades

[smcalilly]

Similar to dependabot with security updates, we could create a github action that upgrades python and javascript dependencies for the django cookiecutter. This would obsolete the manual, tedious process where we upgrade those dependencies whenever we notice they're old (which isn't the best method).

Here's one downside to this approach: what if the bot upgrades the dependencies and the changes break something in the cookiecutter? For example, IIRC, in the past a React upgrade broke how we render the react components and we had to upgrade React + change something in the cookiecutter. To address this problem, we can review the changes with a review app deployed to heroku (fully automated by gh actions!), and add some automated tests to ensure all parts of the cookiecutter app still works.

Are there any other downsides to this?

[fgregg]

i think some CI for the cookie cutter is brilliant.

[hancush]

I have used npm-check-updates for this exact task: https://www.npmjs.com/package/npm-check-updates

[xmedr]

The new github workflow was merged in and successfully upgraded dependencies this past Sunday!

The concern about dependencies breaking each other makes sense. And I do like the idea of tests to make sure things still run well with the upgrades, but what would that look like?

[fgregg]

as a one test, we could instantiate the cookie cutter instances and check that the main page loads?

[antidipyramid]

@xmedr will try CI integration with Heroku/Github Actions next.