Posted by matijs 10/10/2020 at 14h32
For a long time, part of my weekend routine has been updating the dependencies of all my open source Ruby projects. I had set up some tooling to automatically run bundle outdated on all my project directories and make a nice report. For good measure, it would also run RuboCop and tell me if any work was needed on that front.
I would then go through the list of needed work, adjust the dependencies (using KeepUp where possible), activate new RuboCop cops, fix new RuboCop offenses, create pull requests, wait for builds to be done and then merge. There actually was a certain satisfaction in keeping things up-to-date, keeping things neat.
A few weeks ago, I’d had enough. The process of keeping things up-to-date was starting to become tedious, and it was keeping me from writing actual new software. Having had good experience at work with Dependabot, I decided to automate dependency updates for all my open source repos.
After some experimenting I made the following changes to my repositories:
I added a separate named RuboCop job as part of each repository’s Travis CI configuration. To do this requires using the jobs key instead of rvm, like so:

    jobs:
      include:
        - rvm: 2.5
        - rvm: 2.6
        - rvm: 2.7
        - rvm: 2.7
          name: "RuboCop"
          script: bundle exec rubocop

I configured GitHub’s native version of Dependabot to create pull requests daily, using a file .github/dependabot.yml in each repository:

    version: 2
    updates:
      - package-ecosystem: bundler
        directory: "/"
        schedule:
          interval: daily
          time: "04:23"
        open-pull-requests-limit: 10

All this means that the manual part has been reduced to just checking that the builds are green for the pull requests produced by Dependabot, and potentially any new issues found by newer versions of RuboCop.
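
With the same two files repeated across many repositories, it is easy for one of them to be left without automated updates. The following is an added example, not part of the original post: a Ruby script that checks every repository under a directory for the Dependabot and RuboCop settings shown above. The function names and the one-repository-per-subdirectory layout are assumptions, and the sample configuration strings are constructed.

```ruby
require "yaml"
require "tmpdir"
require "fileutils"

# Parsed YAML file, or nil when the file does not exist.
def load_yaml(path)
  File.exist?(path) ? (YAML.safe_load(File.read(path)) || {}) : nil
end

# Problems found in one repository directory; an empty list means compliant.
def audit_repo(dir)
  problems = []
  dependabot = load_yaml(File.join(dir, ".github", "dependabot.yml"))
  travis = load_yaml(File.join(dir, ".travis.yml"))
  if dependabot.nil?
    problems << "missing .github/dependabot.yml"
  elsif (bundler = Array(dependabot["updates"]).find { |u| u["package-ecosystem"] == "bundler" }).nil?
    problems << "dependabot.yml has no bundler entry"
  elsif bundler.dig("schedule", "interval") != "daily"
    problems << "bundler updates are not scheduled daily"
  end
  if travis.nil?
    problems << "missing .travis.yml"
  elsif Array(travis.dig("jobs", "include")).none? { |job| job["script"].to_s.include?("rubocop") }
    problems << ".travis.yml has no RuboCop job"
  end
  problems
end

# Maps each non-compliant repository directly under root to its problems.
def audit_all(root)
  repos = Dir.glob(File.join(root, "*/")).sort
  repos.to_h { |dir| [File.basename(dir), audit_repo(dir)] }.reject { |_, found| found.empty? }
end

# Constructed sample data: "good" follows the post's setup, "stale" does not.
DEPENDABOT = "version: 2\nupdates:\n  - package-ecosystem: bundler\n    schedule:\n      interval: %s\n"
TRAVIS = "jobs:\n  include:\n    - rvm: 2.7\n      script: bundle exec rubocop\n"
def sample_report
  Dir.mktmpdir do |root|
    { "good" => "daily", "stale" => "weekly" }.each do |name, interval|
      FileUtils.mkdir_p(File.join(root, name, ".github"))
      File.write(File.join(root, name, ".github", "dependabot.yml"), format(DEPENDABOT, interval))
    end
    File.write(File.join(root, "good", ".travis.yml"), TRAVIS)
    audit_all(root)
  end
end
puts sample_report.inspect if __FILE__ == $PROGRAM_NAME
```

To audit real checkouts, call audit_all with the directory that holds them; repositories that pass both checks are left out of the report.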