Save time on managing package dependencies…
At work we have been wrestling for years with how to keep the npm and NuGet package dependencies in our apps up to date. New features often take priority over this aspect of ‘keeping the lights on’, but it is an important part of the software lifecycle.
Pros
- Latest security patches
- Staying aligned with the direction of the package (not finding yourself four major versions adrift, with adoption of the latest version taking days rather than hours)
- Latest features
Cons
- Potential to adopt bleeding-edge package versions that carry new vulnerabilities or regressions
- Routine manual effort to make the changes, then test and deploy them through the environments
One way to realise these benefits without the burden of routine effort is to automate the process. I’d like to share what we have been trialling on a GitHub repository.
The goal…
- Automate the upgrade of the dependencies
- Automate the check to ensure quality hasn’t been affected
- Auto merge non major changes into master
- Allow major changes to be approved before merging into master
Tools…
- GitHub Repo
- Renovate (dependency management tool) executed via GitHub Actions
- AWS CodeBuild
Goal 1. Automate the upgrade of the dependencies
The process of automating the dependency upgrades is managed by Renovate. Renovate is responsible for the upgrade process itself, driven by the details you provide in the Renovate config file. Based on that config, Renovate will create a pull request with the changes. See the pull request images below.


Goal 2. Automate the check to ensure quality hasn’t been affected
To realise this goal we have a CodeBuild project configured in AWS which will trigger when a pull request is created or updated.
This build will -
- Compile apps
- Run unit tests
- Produce assets
- Create an isolated temporary stack in a sandbox environment.
- Run integration tests against the temporary stack.
The status of the check is reported back to the pull request in GitHub and, because the check is configured as a required status check in the branch protection rule on master, the pull request cannot be merged unless the check returns a success. This check is highlighted in the image of the pull request.
Goal 3. Auto merge non major changes into master
Renovate’s config allows you to choose which update types can be auto-merged. We have set non-major updates (minor and patch) to auto-merge; this, paired with the renovate-approve app (which supplies the pull request approval that the branch protection rule requires), makes the merge happen automatically once the check returns a success.
Goal 4. Allow major changes to be approved before merging into master
Major updates are not auto-merged, which is Renovate’s default configuration. This sanity check allows the team to review the changes before clicking approve.
**Manual Intervention**
All of the above covers the positive flow. If the updates applied to the repository cause any error, the team is notified and the pull request waits for human intervention. We have set Renovate’s pull request concurrency limit to 1 so that we are not spammed with pull requests!
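To make the goals above concrete, here is an added example of a Renovate config (this is not the config from our repository; it is written here to illustrate the options). It expresses goal 3 (auto-merge minor and patch updates), goal 4 (majors wait for a human), the concurrency limit of 1, and the grouping of AWS SDK packages mentioned in the Dependabot note at the end. The AWS SDK package prefixes, the manager names and the label are assumptions; option names should be checked against the current Renovate docs, as some (such as matchPackagePrefixes) have been superseded in newer releases.

```json5
// renovate.json5 at the repository root (added example, not the repo's own config).
// Option names follow the Renovate docs; package prefixes and the label are assumptions.
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",

  // Goal 1: Renovate's recommended defaults (lock file handling, PR body, rate limits).
  "extends": ["config:recommended"],
  "labels": ["dependencies"],

  // Manual intervention: never more than one open Renovate PR at a time,
  // so a broken upgrade cannot flood the team with pull requests.
  "prConcurrentLimit": 1,

  // Goal 2: automerge happens on the pull request, so the CodeBuild status check
  // runs first. Renovate only merges once the PR's checks are green; the check must
  // also be a required status check in the branch protection rule on master.
  "automergeType": "pr",

  "packageRules": [
    {
      // Goal 3: non-major updates are merged automatically once the check passes
      // (the renovate-approve app provides the review approval the branch rule requires).
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    },
    {
      // Goal 4: majors stay as ordinary PRs for a human to review and approve.
      // false is already Renovate's default; it is written out here for clarity.
      "matchUpdateTypes": ["major"],
      "automerge": false
    },
    {
      // Keep the AWS SDK packages at the same version: one grouped PR per manager.
      // Assumed prefixes: "@aws-sdk/" (npm modular SDK) and "aws-sdk" (npm v2).
      "matchManagers": ["npm"],
      "matchPackagePrefixes": ["@aws-sdk/", "aws-sdk"],
      "groupName": "aws-sdk (npm)"
    },
    {
      // Assumed prefix: "AWSSDK." (NuGet).
      "matchManagers": ["nuget"],
      "matchPackagePrefixes": ["AWSSDK."],
      "groupName": "aws-sdk (nuget)"
    }
  ]
}
```

Two points worth checking when adopting something like this: the branch protection rule on master must list the CodeBuild check as required (otherwise a pull request with no check reported can still be auto-merged), and if the rule requires reviews, the renovate-approve app must be installed or the automerge will wait for an approval that never arrives.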
Summary
Although we have only just started our journey on the automation of dependency upgrades, it is easy to see the benefits gained by automatically ‘keeping the lights on’.
I hope you enjoyed the read and welcome further discussion or experiences on the topic.
A note on Dependabot
Before trying out Renovate we experimented with GitHub’s Dependabot. It is the same concept; however, we found Dependabot very limiting, as you can only make one package update per pull request. This wouldn’t work for us, as we use the AWS SDK, which has multiple packages whose versions should stay aligned. Grouping upgrades is also computationally more efficient.