From cd70326cfe9552002c5bf165996a62f235d8efe4 Mon Sep 17 00:00:00 2001 From: Tomasz Barwicki Date: Thu, 4 Jan 2024 15:52:54 +0100 Subject: [PATCH 1/9] docs(trg-2.6): draft init --- docs/release/trg-0/trg-2-6.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 docs/release/trg-0/trg-2-6.md diff --git a/docs/release/trg-0/trg-2-6.md b/docs/release/trg-0/trg-2-6.md new file mode 100644 index 00000000000..811f0f78341 --- /dev/null +++ b/docs/release/trg-0/trg-2-6.md @@ -0,0 +1,13 @@ +--- +title: TRG 2.06 - Dependabot +--- + +| Status | Created | Post-History | +|--------|--------------|-----------------| +| Draft | 4-Jan-2024 | Initial release | + +## Why + +## Description + +## Example From b6418557f3ad6a7149bdceb2cb7f67d97fe04951 Mon Sep 17 00:00:00 2001 From: Tomasz Barwicki Date: Fri, 5 Jan 2024 11:36:12 +0100 Subject: [PATCH 2/9] docs(trg-2.6): fill WHY section --- docs/release/trg-0/trg-2-6.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/release/trg-0/trg-2-6.md b/docs/release/trg-0/trg-2-6.md index 811f0f78341..04ac614a121 100644 --- a/docs/release/trg-0/trg-2-6.md +++ b/docs/release/trg-0/trg-2-6.md @@ -8,6 +8,14 @@ title: TRG 2.06 - Dependabot ## Why +GitHub Dependabot is a powerful tool designed to help keep your project's dependencies up-to-date. By automating the process of checking for updates and creating pull requests when new versions are available, Dependabot ensures that your project benefits from the latest features, bug fixes, and security patches. + +Key Benefits: + + - Security: Receive timely updates for security vulnerabilities in your project's dependencies. + - Stability: Keep your project stable by staying current with the latest releases. + - Efficiency: Automate the time-consuming task of manually checking for updates and creating pull requests. + ## Description ## Example From 6fd6a65309161e90dd5dad16cde4efcf23e4eab7 Mon Sep 17 00:00:00 2001 
From: Tomasz Barwicki Date: Mon, 8 Jan 2024 11:51:46 +0100 Subject: [PATCH 3/9] docs(trg-2.6): fill Description section --- docs/release/trg-0/trg-2-6.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/release/trg-0/trg-2-6.md b/docs/release/trg-0/trg-2-6.md index 04ac614a121..87a55f39b22 100644 --- a/docs/release/trg-0/trg-2-6.md +++ b/docs/release/trg-0/trg-2-6.md @@ -18,4 +18,23 @@ Key Benefits: ## Description +Dependabot is an excellent fit for application dependencies/vulnerabilities. By regularly checking for updates, it allows you to seamlessly integrate the latest improvements into your application. + +For Docker images, Dependabot ensures that your base images and dependencies are regularly updated, reducing the risk of using outdated or vulnerable components. + +Dependabot can also assist in keeping your GitHub Actions workflows up-to-date. This is crucial for ensuring that your continuous integration and delivery processes leverage the latest GitHub Actions features and improvements. + +### Version updates + +To enable Dependabot for version updates, create a dependabot.yml file in the root of your repository. See provided example below. +More information: + + + +### Security updates + +To enable Dependabot for security updates, you can leverage GitHub's Security tab. Go to the "Security" tab in your repository and follow the prompts to enable automated security updates. +More information: + + ## Example From 6db0ccb194c1fe50b24cfe77f62376515c956650 Mon Sep 17 00:00:00 2001 From: Tomasz Barwicki Date: Mon, 8 Jan 2024 12:28:18 +0100 Subject: [PATCH 4/9] fix(trg-2.6): wording and new lines --- docs/release/trg-0/trg-2-6.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/release/trg-0/trg-2-6.md b/docs/release/trg-0/trg-2-6.md index 87a55f39b22..c2fa10f6829 100644 --- a/docs/release/trg-0/trg-2-6.md +++ b/docs/release/trg-0/trg-2-6.md 
@@ -12,9 +12,9 @@ GitHub Dependabot is a powerful tool designed to help keep your project's depend Key Benefits: - - Security: Receive timely updates for security vulnerabilities in your project's dependencies. - - Stability: Keep your project stable by staying current with the latest releases. - - Efficiency: Automate the time-consuming task of manually checking for updates and creating pull requests. +- Security: Receive timely updates for security vulnerabilities in your project's dependencies. +- Stability: Keep your project stable by staying current with the latest releases. +- Efficiency: Automate the time-consuming task of manually checking for updates and creating pull requests. ## Description @@ -22,19 +22,19 @@ Dependabot is an excellent fit for application dependencies/vulnerabilities. By For Docker images, Dependabot ensures that your base images and dependencies are regularly updated, reducing the risk of using outdated or vulnerable components. -Dependabot can also assist in keeping your GitHub Actions workflows up-to-date. This is crucial for ensuring that your continuous integration and delivery processes leverage the latest GitHub Actions features and improvements. +Dependabot can also assist in keeping used GitHub Actions up to date. This is crucial for ensuring that your workflows leverage the latest GitHub Actions features and improvements. ### Version updates To enable Dependabot for version updates, create a dependabot.yml file in the root of your repository. See provided example below. -More information: - +More information: + ### Security updates To enable Dependabot for security updates, you can leverage GitHub's Security tab. Go to the "Security" tab in your repository and follow the prompts to enable automated security updates. -More information: - +More information: + ## Example From 9da4deef0ee6f15cba9307d9cfb4cdb80ec31246 Mon Sep 17 00:00:00 2001 
From: Tomasz Barwicki Date: Thu, 11 Jan 2024 11:58:13 +0100 Subject: [PATCH 5/9] docs(trg-2.6): provide config example --- docs/release/trg-0/trg-2-6.md | 48 +++++++++++++++++++++++++++-------- 1 file changed, 38 insertions(+), 10 deletions(-) diff --git a/docs/release/trg-0/trg-2-6.md b/docs/release/trg-0/trg-2-6.md index c2fa10f6829..cefb7b967ad 100644 --- a/docs/release/trg-0/trg-2-6.md +++ b/docs/release/trg-0/trg-2-6.md @@ -8,13 +8,13 @@ title: TRG 2.06 - Dependabot ## Why -GitHub Dependabot is a powerful tool designed to help keep your project's dependencies up-to-date. By automating the process of checking for updates and creating pull requests when new versions are available, Dependabot ensures that your project benefits from the latest features, bug fixes, and security patches. +GitHub Dependabot is a powerful tool designed to help keep your project's dependencies up to date. By automating the process of checking for updates and creating pull requests when new versions are available, Dependabot ensures that your project benefits from the latest features, bug fixes, and security patches. Key Benefits: - Security: Receive timely updates for security vulnerabilities in your project's dependencies. - Stability: Keep your project stable by staying current with the latest releases. -- Efficiency: Automate the time-consuming task of manually checking for updates and creating pull requests. +- Efficiency: Automate the time consuming task of manually checking for updates and creating pull requests. ## Description 
@@ -24,17 +24,45 @@ For Docker images, Dependabot ensures that your base images and dependencies are Dependabot can also assist in keeping used GitHub Actions up to date. This is crucial for ensuring that your workflows leverage the latest GitHub Actions features and improvements. -### Version updates - -To enable Dependabot for version updates, create a dependabot.yml file in the root of your repository. See provided example below. -More information: - - - ### Security updates To enable Dependabot for security updates, you can leverage GitHub's Security tab. Go to the "Security" tab in your repository and follow the prompts to enable automated security updates. More information: -## Example +### Version updates + +To enable Dependabot for version updates, create a dependabot.yml file in .github directory the root of your repository. In order to reduce number of generated bump Pull Requests, recommendation is to change default interval to i.e. weekly, as well as limit open PRs. See provided example below. + +### Example + +This configuration checks for Maven, GitHub Action and Docker updates on a weekly basis and creates pull requests for up to 5 updates at a time. + +```yaml +version: 2 +updates: + # Maintain dependencies for Maven + - package-ecosystem: "maven" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + + # Maintain dependencies for GitHub Actions + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + + # Maintain dependencies for Docker + - package-ecosystem: "docker" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 +``` + +More information: + + From 430d442a0cbfae8950540d6a486c36c31f2a308e Mon Sep 17 00:00:00 2001 From: Tomasz Barwicki Date: Thu, 11 Jan 2024 12:05:04 +0100 Subject: [PATCH 6/9] docs(trg-2.6): add importance info on test coverage --- docs/release/trg-0/trg-2-6.md | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/docs/release/trg-0/trg-2-6.md b/docs/release/trg-0/trg-2-6.md index cefb7b967ad..d8366c30793 100644 --- a/docs/release/trg-0/trg-2-6.md +++ b/docs/release/trg-0/trg-2-6.md @@ -66,3 +66,9 @@ updates: More information: + +:::info +Importance of Implemented Tests: + +Ensure that your project has comprehensive test coverage. Automated tests are crucial for quickly validating that updates do not introduce regressions or break existing functionality. +::: \ No newline at end of file From b4c931b0a1ccbcb6b4ee526a7ec0663ee6016eaf Mon Sep 17 00:00:00 2001 From: Tomasz Barwicki Date: Thu, 11 Jan 2024 12:06:33 +0100 Subject: [PATCH 7/9] fix(trg-2.6): remove space --- docs/release/trg-0/trg-2-6.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/release/trg-0/trg-2-6.md b/docs/release/trg-0/trg-2-6.md index d8366c30793..25ec0c98188 100644 --- a/docs/release/trg-0/trg-2-6.md +++ b/docs/release/trg-0/trg-2-6.md @@ -70,5 +70,5 @@ More information: :::info Importance of Implemented Tests: -Ensure that your project has comprehensive test coverage. Automated tests are crucial for quickly validating that updates do not introduce regressions or break existing functionality. -::: \ No newline at end of file +Ensure that your project has comprehensive test coverage. Automated tests are crucial for quickly validating that updates do not introduce regressions or break existing functionality. +::: From a8fa4273838abbc885b85c1e4fbf6c190ed3e9dc Mon Sep 17 00:00:00 2001 From: Tomasz Barwicki Date: Mon, 15 Jan 2024 10:39:46 +0100 Subject: [PATCH 8/9] chore: add DEPENDENCIES file caution --- docs/release/trg-0/trg-2-6.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/release/trg-0/trg-2-6.md b/docs/release/trg-0/trg-2-6.md index 25ec0c98188..73dd4db62aa 100644 --- a/docs/release/trg-0/trg-2-6.md +++ b/docs/release/trg-0/trg-2-6.md 
@@ -67,6 +67,11 @@ More information: +:::caution +Be careful, Dependabot PR merge can lead to out of date DEPENDENCIES file. +Make sure DEPENDENCIES file is updated by DASH tool. +::: + :::info Importance of Implemented Tests: From cc352d9561ba5ef7c887aee4ff3b826c77ff201d Mon Sep 17 00:00:00 2001 From: Tomasz Barwicki Date: Tue, 16 Jan 2024 10:25:19 +0100 Subject: [PATCH 9/9] fix: move caution box and add base image TRG link --- docs/release/trg-0/trg-2-6.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/release/trg-0/trg-2-6.md b/docs/release/trg-0/trg-2-6.md index 73dd4db62aa..8d5d089c3ab 100644 --- a/docs/release/trg-0/trg-2-6.md +++ b/docs/release/trg-0/trg-2-6.md @@ -20,7 +20,7 @@ Key Benefits: Dependabot is an excellent fit for application dependencies/vulnerabilities. By regularly checking for updates, it allows you to seamlessly integrate the latest improvements into your application. -For Docker images, Dependabot ensures that your base images and dependencies are regularly updated, reducing the risk of using outdated or vulnerable components. +For Docker images, Dependabot ensures that your [base images](https://eclipse-tractusx.github.io/docs/release/trg-4/trg-4-02) and dependencies are regularly updated, reducing the risk of using outdated or vulnerable components. Dependabot can also assist in keeping used GitHub Actions up to date. This is crucial for ensuring that your workflows leverage the latest GitHub Actions features and improvements. @@ -38,6 +38,11 @@ To enable Dependabot for version updates, create a dependabot.yml file in .githu This configuration checks for Maven, GitHub Action and Docker updates on a weekly basis and creates pull requests for up to 5 updates at a time. +:::caution +Be careful, Dependabot PR merge can lead to out of date DEPENDENCIES file. +Make sure DEPENDENCIES file is updated by DASH tool. +::: + ```yaml version: 2 updates: 
@@ -67,11 +72,6 @@ More information: -:::caution -Be careful, Dependabot PR merge can lead to out of date DEPENDENCIES file. -Make sure DEPENDENCIES file is updated by DASH tool. -::: - :::info Importance of Implemented Tests:
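Review bot: In PATCH 3/9, both "More information:" lines (under "### Version updates" and "### Security updates") are followed by a blank line instead of a URL, so the reader is left with a dangling label; either the link was lost on the way in or it was never added, and the same pattern recurs after the yaml block in PATCH 5/9. Add the reference each label promises, or drop the label until one exists. In the same hunk, "an excellent fit for application dependencies/vulnerabilities" is vague; say what the tool actually does here, e.g. "opens pull requests that bump application dependencies, including ones with known vulnerabilities".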
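Review bot: In PATCH 4/9, the rewritten sentence "keeping used GitHub Actions up to date" reads awkwardly; "keeping the GitHub Actions your workflows use up to date" says the same thing clearly. The other change in this hunk, dropping the leading space before the "- Security:" / "- Stability:" / "- Efficiency:" bullets, only undoes the indentation introduced in PATCH 2/9, so the two patches are candidates for squashing.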
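Review bot: In PATCH 5/9, the first hunk changes "time-consuming task" to "time consuming task", which removes a hyphen that should stay: "time-consuming" is a compound modifier in front of "task". The "up-to-date" to "up to date" change in the same hunk is correct, since there the phrase follows the noun.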
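Review bot: In PATCH 5/9, second hunk, the description "creates pull requests for up to 5 updates at a time" does not match the configuration: `open-pull-requests-limit: 5` is set separately under each of the three `package-ecosystem` entries (maven, github-actions, docker), so the limit applies per ecosystem and up to 15 bump PRs can be open at once. Either say "up to 5 per ecosystem" or lower the per-entry limit. The new "Version updates" paragraph also needs a grammar pass: "in .github directory the root of your repository" is missing "in the" ("in the .github directory in the root of your repository"), "reduce number of generated bump Pull Requests" needs "the number", and "i.e. weekly" should be "e.g. weekly" since weekly is one example of a longer interval, not the only option. Finally, "## Example" becomes "### Example" here, which demotes the section from the top-level Why / Description / Example layout laid down in PATCH 1/9 to a subsection of Description; if that is intended, the table of contents convention for the other TRG pages should agree.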
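Review bot: PATCH 6/9 ends the file without a trailing newline (`\ No newline at end of file`) and PATCH 7/9 exists only to add it and strip a trailing space from the "Ensure that your project has comprehensive test coverage." line; squash the two, and if they stay separate, the subject "fix(trg-2.6): remove space" should also mention the missing newline. The info box itself could be more concrete: the point of "Importance of Implemented Tests" is that a bump PR is merged on the strength of CI, so state that the test suite must run on Dependabot pull requests and that a red build blocks the merge.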
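Review bot: In PATCH 8/9, the caution box text needs articles and a hyphenated compound: "Be careful, Dependabot PR merge can lead to out of date DEPENDENCIES file." should read "Merging a Dependabot PR can leave the DEPENDENCIES file out of date.", and "Make sure DEPENDENCIES file is updated by DASH tool." should read "Make sure the DEPENDENCIES file is regenerated with the DASH tool." It would also help to say which of the three configured ecosystems the note applies to and at what point in the workflow the file must be regenerated (before the release, after each merge), since as written the reader cannot tell whether an Actions or base-image bump triggers the same obligation.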
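Review bot: In PATCH 9/9, second hunk, the caution box is moved between the sentence "This configuration checks for Maven, GitHub Action and Docker updates on a weekly basis ..." and the `yaml` block that sentence introduces, which separates the intro from its code; place the box either after the closing fence or at the end of the "Version updates" paragraph so the sentence and the configuration stay together. The first hunk's link to the base-image TRG (`trg-4-02`) is a good addition and reads fine.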