Dependabot Support
Dependabot can be used to keep Brightspot up to date by automatically submitting pull requests to update any outdated dependencies.
Example Pull Request
Prerequisites
In order for Dependabot to update Java dependencies managed by the Brightspot Gradle Plugins, version 3.0.0 or later of the plugins is required.
Conventions
Resolve # XXX comments
Comments prefixed with # XXX are there for you, the reader of this guide, to review, resolve, and remove before committing changes to the file.
- ✅ Right:
brightspotVersion = 4.5.15.8
- ❌ Wrong:
brightspotVersion = 4.5.15.8 # XXX Copy this version number from the legacy build.gradle
- 🤡 Extra Wrong:
brightspotVersion = 4.5.x # XXX Copy this version number from the legacy build.gradle
In all cases, any comment starting with # XXX must be deleted after satisfying the advice within.
Recommended Configuration
Our recommended configuration employs Dependabot to streamline the deployment of patch releases for:
- Brightspot
- Brightspot Go
- Component-Lib
- Brightspot Migration Framework
- Brightspot-Cloud Tomcat Container
- Brightspot Styleguide
- Brightspot Gradle Plugins
- GitHub Actions workflows
- Other third-party dependencies
We do not recommend its use for upgrading major or minor releases of any of the above, as those generally warrant additional manual review. Note that Dependabot security updates honour the same ignore rules as version updates, so a fix that ships only in a new major or minor release will not be proposed automatically; watch the repository's Dependabot alerts for those and raise them by hand.
Setup
This file belongs in /.github/dependabot.yml, not /.github/workflows/dependabot.yml. Dependabot reads it from the repository's default branch, so the configuration does not take effect until it is merged there.
dependabot.yml

```yaml
version: 2
registries:
  bsp-cloud-tomcat:
    type: docker-registry
    url: __________.dkr.ecr.______.amazonaws.com
    # XXX Consult the first line of /etc/container/Dockerfile for this URL.
    # XXX The account ID and region must match the URL in the `FROM` line.
    username: ${{secrets.DEPENDABOT_AWS_ACCESS_KEY_ID}}
    password: ${{secrets.DEPENDABOT_AWS_SECRET_ACCESS_KEY}}
  brightspot-artifactory:
    type: maven-repository
    url: https://artifactory.psdops.com/public/
updates:
  - package-ecosystem: "docker"
    directory: "/etc/container"
    registries:
      - bsp-cloud-tomcat
    schedule:
      interval: "daily"
    ignore:
      - dependency-name: "*"
        # ignores tomcat updates for major versions (9 -> 10) and minor versions (8 -> 8.5)
        update-types: ["version-update:semver-major", "version-update:semver-minor"]
    commit-message:
      prefix: "[bsp-tomcat]"
  - package-ecosystem: "gradle"
    directory: "/"
    registries:
      - brightspot-artifactory
    schedule:
      interval: "daily"
    groups:
      brightspot-dependencies:
        patterns:
          - "com.psddev*"
          - "com.brightspot*"
    ignore:
      - dependency-name: "*"
        # ignores updates for major and minor versions
        update-types: ["version-update:semver-major", "version-update:semver-minor"]
  - package-ecosystem: "npm"
    directories:
      - "/frontend/bundles/bundle-default" # XXX If you have multiple frontend bundles, list them here.
    schedule:
      interval: "daily"
    groups:
      frontend-dependencies:
        patterns:
          - "*"
    ignore:
      - dependency-name: "*"
        # ignores updates for major and minor versions
        update-types: ["version-update:semver-major", "version-update:semver-minor"]
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    groups:
      workflow-dependencies:
        patterns:
          - "*"
```

The `${{secrets.…}}` references in the registry block resolve against Dependabot secrets (Settings › Secrets and variables › Dependabot), which are stored separately from Actions secrets; defining them only as Actions secrets leaves Dependabot unable to authenticate to the registry. The AWS access key stored there should belong to an IAM principal that can only pull from the Tomcat container repository, since Dependabot needs nothing more than read access to discover new tags. The npm entry uses `directories` (a list) rather than `directory`; an update entry must use one or the other, not both.
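As an added example that is not part of Brightspot's documentation or tooling, the following POSIX shell script lints a dependabot.yml against the conventions on this page before it is committed: the file must sit at .github/dependabot.yml (not under .github/workflows/), every `# XXX` comment must have been resolved and deleted, no `____` placeholder such as the ECR account ID or region may remain, and every `${{secrets.NAME}}` reference must name a secret explicitly. The function names are ours; the sample good and bad configurations used to exercise it below are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Brightspot's own code): pre-commit lint for the
# dependabot.yml described on this page. Assumes the conventions above;
# all function names here are our own.

# 0 if the config sits at .github/dependabot.yml and no copy was mistakenly
# committed under .github/workflows/, where Dependabot will never read it.
dependabot_config_in_place() {
  root=$1
  [ -f "$root/.github/dependabot.yml" ] &&
    [ ! -e "$root/.github/workflows/dependabot.yml" ]
}

# 0 if no "# XXX" reviewer comments remain (offending lines are printed).
no_xxx_comments() {
  ! grep -n '# XXX' "$1"
}

# 0 if no unfilled "____" placeholder remains, e.g. in the ECR registry URL.
no_blank_placeholders() {
  ! grep -nE '_{3,}' "$1"
}

# 0 if every ${{secrets.NAME}} reference uses an explicit upper-case name,
# so a typo cannot silently resolve to an empty registry credential.
secret_refs_well_formed() {
  ! grep -oE '\$\{\{ *secrets\.[^}]*\}\}' "$1" |
    grep -vE '^\$\{\{ *secrets\.[A-Z0-9_]+ *\}\}$'
}

# Run every check against the repository at $1; 0 only if all of them pass.
check_dependabot_config() {
  root=$1
  file="$root/.github/dependabot.yml"
  rc=0
  dependabot_config_in_place "$root" ||
    { echo "expected $file and nothing at .github/workflows/dependabot.yml"; rc=1; }
  [ -f "$file" ] || return 1
  no_xxx_comments "$file" || { echo "unresolved # XXX comments remain"; rc=1; }
  no_blank_placeholders "$file" || { echo "unfilled ____ placeholder remains"; rc=1; }
  secret_refs_well_formed "$file" || { echo "malformed secrets reference"; rc=1; }
  return $rc
}

# Usage: sh check_dependabot.sh /path/to/repo
if [ -n "$1" ]; then
  check_dependabot_config "$1"
fi
```

Wire `check_dependabot_config` into a pre-commit hook or a CI job so a file with a stray `# XXX` or a blank registry URL is rejected before it reaches the default branch, where Dependabot would start acting on it.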
Additional Documentation
See GitHub's documentation on Dependabot for more options.