Suggestion / request: use Dependabot to automatically update gems

First of all, thanks for Zammad!

I’ve got a suggestion / request: would you be up for using Dependabot to automatically create dependency update PRs? I ran it against my fork and it generated these PRs. I’ll port the webmock one across to the zammad/zammad repo now.

I built Dependabot, but I’m honestly only suggesting it because I hope it can save you some time. I’d love any feedback, and obviously having open source projects using Dependabot helps boost its profile, but if it’s not helpful to you then it’s not really worth anything.

You can install it from here or here if you decide to give it a try. It’s been through GitHub’s security testing (to be allowed in the GitHub Marketplace) and is used by a few thousand organisations, and the source code is here.


I think that’s up to @thorsteneckel :slight_smile:

Thanks @MrGeneration. @thorsteneckel - that is a truly terrifying avatar!

FYI, Dependabot generated a PR to update Nokogiri last night which I’ve ported across too, since the update was a security fix.

Hi @greysteil - sorry for my way too late response! I think Dependabot is a great piece of software, improving the life of maintainers a lot. Thanks for that. I’d love to use/activate it for Zammad, but sadly we have kind of a different workflow. Maybe you can help me find the best way to integrate it:
Our main git repository is hosted on an internal GitLab server. We do this to perform broader tests and do it faster. After a branch is ready we merge it into develop. This commit is then synced over to GitHub and a small subset of our tests runs again on the TravisCI env.
So from my understanding Dependabot will check our dependencies frequently for (regular) updates and create a pull request for it. Then the TravisCI tests run for this PR, verifying the basic functionalities. We would then sync the PR over to our GitLab server, where the whole test suite runs and verifies the whole functionality. After that we merge the changes into develop, which starts the sync back to GitHub. This will close the Dependabot PR for all cases where no manual fixes are needed.

Did I get it right?
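The flow described above (Dependabot opens a PR on GitHub for gem updates, CI runs against it) is driven by a configuration file in the repository. As an added example that is not part of this thread and not Zammad's own configuration, here is the GitHub-native `.github/dependabot.yml` format, which post-dates this discussion; the schedule, limits and label are assumed values a maintainer would pick, not values taken from the project:

```yaml
# .github/dependabot.yml (added example; values are assumptions, not Zammad's config)
version: 2
updates:
  # Ruby gems: Dependabot reads Gemfile / Gemfile.lock at the repository root
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap the number of simultaneous update PRs so the CI queue is not flooded
    open-pull-requests-limit: 5
    # Only raise PRs for runtime dependencies; development-only gems are left alone
    allow:
      - dependency-type: "production"
    # Label PRs so they can be filtered or routed by automation
    labels:
      - "dependencies"
```

Security updates for vulnerable gems are raised regardless of the `allow` filter, so production-only filtering reduces noise without suppressing the advisory-driven PRs (such as the Nokogiri update mentioned later in the thread) that matter most. Each PR's diff to `Gemfile.lock` should still be reviewed before merging: the PR is a proposal from a bot, and the lock-file change is what actually lands in the supply chain.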

Hey @thorsteneckel,

My turn to apologise for a late response - the notification hit my spam filter for some reason (now fixed).

Yes, that flow sounds right to me. For now Dependabot can only create PRs on GitHub, but adding GitLab support is on my list, and should be ready by the end of the year (assuming my priorities don’t get derailed, which happens more often than I’d like!).

So yes, for now if you want to use Dependabot the flow would have to be to have it create PRs on GitHub, and for you then to sync them over. Do you have an automated way to do so?

In future, once I add GitLab support to Dependabot, you’ll be able to get the Merge Requests directly in GitLab :slight_smile:

Sounds great! How do we get the news? Is there an issue or something to subscribe to?

Currently we have no automatic way to sync pull requests over to GitLab.

If you subscribe to this issue then I’ll post updates there, but I’ll also try to remember to come back here and comment, too :slight_smile:

Thanks! I’m a subscriber :inbox_tray:
