User story
As a PSD team, we would like to fine-tune the configuration for Dependabot to reduce noise and make dependency management easier.
Who are the primary contacts for this story
@harrietc52
@BenTopping
Who is the nominated tester for UAT
PSD Team
Acceptance criteria
To be considered successful the solution must allow:
- For all configured PSD Python repos, create a new label named Security Update (or something similar) with a Red colour.
- For all configured PSD Python repos, update dependabot config to add the security label to security update PRs.
- Investigate what happens to dependencies which are both development and runtime (if they exist), when dependabot config enables automatically merging in development dependencies, which have minor and patch updates only.
- Agree with the team which Python application can be used to trial automatic merging.
- For the agreed application, update dependabot config to automatically merge in development dependencies, which have minor and patch updates only.
- For all configured PSD Python repos, update dependabot config to customise PR titles or commit messages, so that it is clear if the PR includes development or runtime dependency updates, and if they are a security PR.
- Create a calendar event, for 1 month after implementation, to reflect on how this is going and specifically:
  - Whether we should roll out these changes to other Python repos.
  - Consider grouping development dependencies.
  - If we group development dependencies, update the text of the PR or commit message to include the text "Group".
References
Enabling automerge on a pull request
Additional context
Depfu Automatic Merge Research
Y25-160 - Update defpu settings #517