Add Dependabot configuration

In accordance with [RFC 126], we're configuring Dependabot to only raise Pull Requests for the following three categories: 1. Security updates 2. Internal libraries 3. Framework libraries Things have moved on slightly since the RFC; we're now using [GitHub native] configs rather than the legacy `.dependabot` approach. The syntax is slightly different to the example config provided in the RFC but most of it is easily transferable. For (1), there is no longer a config option, as [security updates are configured in the GitHub repository][security] 'security' settings tab itself. We've handled (2) and (3) in config, and have set it to only raise PRs for direct updates, i.e. updates to subdependencies of the named dependencies will not raise PRs. Unfortunately the [default behaviour would be to update all dependencies in the lockfile][need-specify-direct-updates]. We've chosen a `govuk*` wildcard to cover things like `gds-api-adapters` and `govuk_app_config` and other unknown future dependencies. Having `govuk` as a [suffix is not encouraged][wildcards] so instead of a `*govuk` wildcard we've named `rubocop-govuk` explicitly. We explicitly name dependencies beginning with `gds` [for the same reason][discussion]. Trello: https://trello.com/c/uPoriyfJ/2049-add-dependabot-configuration-to-each-repo-blitz-pair [discussion]: alphagov/content-store#750 (comment) [GitHub native]: https://docs.github.com/en/github/administering-a-repository/enabling-and-disabling-version-updates [need-specify-direct-updates]: https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates#allow [security]: https://github.community/t/how-to-get-dependabot-to-trigger-for-security-updates-only/117257/5 [RFC 126]: https://github.com/alphagov/govuk-rfcs/blob/master/rfc-126-custom-configuration-for-dependabot.md [wildcards]: alphagov/content-store#750 (comment)
alphagov-mirror · Jul 16, 2020 · f6bfc18 · f6bfc18
1 parent 36adeb3
commit f6bfc18
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,22 @@
+version: 2
+updates:
+  - package-ecosystem: bundler
+    directory: /
+    schedule:
+      interval: daily
+    allow:
+      # Security updates
+      - dependency-name: brakeman
+        dependency-type: direct
+      # Internal gems
+      - dependency-name: "govuk*"
+        dependency-type: direct
+      - dependency-name: rubocop-govuk
+        dependency-type: direct
+      # Framework gems
+      - dependency-name: rack-test
+        dependency-type: direct
+      - dependency-name: rspec
+        dependency-type: direct
+      - dependency-name: sinatra
+        dependency-type: direct