Dependabot - department-of-veterans-affairs/abd-vro GitHub Wiki

Dependabot has been enabled, and VRO dependencies (for Java, Python, Docker, and GH Actions) are currently up-to-date. On a daily basis or when we manually run it, it will automatically create PRs to upgrade library versions (like these). Having this will help keep VRO code patched against vulnerabilities and will reduce the work in resolving SecRel alerts, required for deploying to production.
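The setup described above is driven by a `.github/dependabot.yml` file. The following is an added illustration of what such a file looks like for the four ecosystems named here; it is not the repo's actual configuration, and the directory paths are assumptions.

```yaml
# Illustrative .github/dependabot.yml (not the repo's own file).
# One "updates" entry per ecosystem; the directory values are assumptions.
version: 2
updates:
  - package-ecosystem: "gradle"          # Java dependencies
    directory: "/"
    schedule:
      interval: "daily"                  # daily run, as described above
    labels:
      - "dependencies"                   # label used to find the PRs
  - package-ecosystem: "pip"             # Python dependencies
    directory: "/"
    schedule:
      interval: "daily"
    labels:
      - "dependencies"
  - package-ecosystem: "docker"          # base images in Dockerfiles
    directory: "/"
    schedule:
      interval: "daily"
    labels:
      - "dependencies"
  - package-ecosystem: "github-actions"  # actions referenced in workflows
    directory: "/"
    schedule:
      interval: "daily"
    labels:
      - "dependencies"
```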

Known problems

Checks (GitHub Actions) fail on Dependabot-generated PR

UPDATE: Based on https://docs.github.com/en/code-security/dependabot/working-with-dependabot/managing-encrypted-secrets-for-dependabot and https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets, PR #454 fixes this issue by:

Original problem

Certain checks fail because Dependabot doesn't have access to the GitHub Actions secrets; see https://github.com/dependabot/dependabot-core/issues/3253#issuecomment-795101596 and https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#responding-to-events ("GitHub Actions secrets are not available.").

A workaround is to merge the develop branch into the PR or to commit manually to the PR branch. See the example resolution in PR #386.

Error during Dependabot update

The error is shown in the logs on the Dependabot tab. See the example PR that resolves the error. Once that PR was merged, Dependabot created its own PR, which was no longer relevant. Manually re-running Dependabot shows no errors.

Dependabot Processing Guide

Checking for new Dependabot PRs

Dependabot-generated PRs can be found under the Pull Requests tab by searching open PRs with the dependencies label.


Also check for and address Code scanning and Secret scanning alerts.

Deciding to accept the update

If the proposed update seems relatively minor or trivial, then

  1. Navigate to the mirrored dependabot PR in the internal repo, and check the PR actions for a SecRel run. Address any SecRel issues and update the PR in the public repo if necessary.
  2. In the dependabot PR in the public repo, make sure that all test actions and the container health checks run and pass.
  3. Optionally, perform additional manual API testing as needed depending on the complexity of the change.

Sometimes the generated PR does not contain all the changes needed to truly update the references. Once the branch passes functional testing, push your changes and run it through SecRel again to make sure you haven't introduced unforeseen security issues.

When possible, update the constraints section in shared.java.vro-dep-constraints.gradle so that other projects' dependencies can be updated as well.

If all looks well with the generated (or new) PR, then

  1. Comment on the PR that all testing passes, and tag the Eng Lead (or some other relevant developer) for an additional approval.
  2. Dependabot authors the PR, so only one additional reviewer other than you is required.
  3. Once approved, merge the PR into the develop branch.

Deciding to skip the update

If the proposed update seems like a relatively major change that could take non-trivial testing and/or refactoring, you may decide to delay it for a future date (as with these PRs). If that's the case, then

  1. Close the PR with a detailed comment explaining why, tagging the Eng Lead (and/or other relevant developers).
  2. Open an issue so that the update can be tracked and revisited at a future date (see below).

Opening an issue

  1. Go to the Issues tab and click New Issue.
  2. Click "Open a blank issue".
  3. Fill in the ticket, perhaps using this as a model (Description + A.C. sections). Be sure to link to the specific PRs when applicable, so that the issue is linked back from their comments.
  4. Add the Engineer and vro-issue labels under the Labels section.
  5. Add ABD VRO Project under the Projects section.