samvera / hyrax

Hyrax is a Ruby on Rails Engine built by the Samvera community. Hyrax provides a foundation for creating many different digital repository applications.
http://hyrax.samvera.org/
Apache License 2.0

Add a dependency management bot to Hyrax #5357

Open mcritchlow opened 2 years ago

mcritchlow commented 2 years ago

Descriptive summary

There are several automated dependency management solutions available today.

We should adopt one for Hyrax (and perhaps Samvera more broadly?)

Rationale

In addition to the Ruby dependencies declared in the gemspec, the following files (at least) would benefit from automated dependency management:

Keeping on top of this manually feels unsustainable, and there are great solutions in place for this.

Some solutions that I have personal experience with and that are fairly easily installed as GitHub Apps.

Related work

Some related tickets that have come up recently in this context: #5192

mcritchlow commented 2 years ago

Trying to surface this again. I'm not sure Dependabot is an option. As far as I can tell from https://github.com/dependabot/dependabot-core/issues/2237, it doesn't support Helm chart dependency updates, which is quite surprising, and of high value (from my standpoint) for this repo.