From 7fc0921ab9c6c2f780fe38972422140a1fbc3f0f Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Mon, 4 Mar 2024 01:11:20 +0100 Subject: [PATCH 1/6] docs: update dependabot trg --- docs/release/trg-2/trg-2-6.md | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/docs/release/trg-2/trg-2-6.md b/docs/release/trg-2/trg-2-6.md index 3620aa692994..3631e1565d8f 100644 --- a/docs/release/trg-2/trg-2-6.md +++ b/docs/release/trg-2/trg-2-6.md @@ -2,21 +2,16 @@ title: TRG 2.06 - Dependabot --- -| Status | Created | Post-History | -|--------|--------------|-----------------| -| Active | 12-Feb-2024 | Publish TRG | -| Draft | 4-Jan-2024 | Initial release | +| Status | Created | Post-History | +|--------|--------------|-----------------------| +| Update | 04-Mar-2024 | Move & update TRG | +| Active | 12-Feb-2024 | Publish TRG | +| Draft | 4-Jan-2024 | Initial release | ## Why GitHub Dependabot is a powerful tool designed to help keep your project's dependencies up to date. By automating the process of checking for updates and creating pull requests when new versions are available, Dependabot ensures that your project benefits from the latest features, bug fixes, and security patches. -Key Benefits: - -- Security: Receive timely updates for security vulnerabilities in your project's dependencies. -- Stability: Keep your project stable by staying current with the latest releases. -- Efficiency: Automate the time consuming task of manually checking for updates and creating pull requests. - ## Description Dependabot is an excellent fit for application dependencies/vulnerabilities. By regularly checking for updates, it allows you to seamlessly integrate the latest improvements into your application. From 8b87e60e90dfd4c544ab59de57a46b70026fab27 Mon Sep 17 00:00:00 2001 
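Review bot: the new status row `| Update | 04-Mar-2024 | Move & update TRG |` announces a move, but this patch only edits `docs/release/trg-2/trg-2-6.md` in place (dropping the Key Benefits list); the copy under `docs/release/trg-8/` is created in a later patch of this series, and no patch in the series deletes `trg-2-6.md` or replaces its body with a pointer to the new location, so after the series TRG 2.06 and TRG 8.02 both exist with overlapping content. Either remove this file (or reduce it to a short "moved to TRG 8.02" stub) in this patch, or leave its status table alone. Also, the added date `04-Mar-2024` is zero-padded while the existing `4-Jan-2024` row is not; use one format for the column.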
From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Mon, 4 Mar 2024 01:45:46 +0100 Subject: [PATCH 2/6] docs: move and update dependabot trg --- docs/release/trg-8/trg-8-2.md | 68 +++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 docs/release/trg-8/trg-8-2.md diff --git a/docs/release/trg-8/trg-8-2.md b/docs/release/trg-8/trg-8-2.md new file mode 100644 index 000000000000..ee062ddcdd94 --- /dev/null +++ b/docs/release/trg-8/trg-8-2.md 
@@ -0,0 +1,68 @@ +--- +title: TRG 8.02 - Dependabot +--- + +| Status | Created | Post-History | +|--------|--------------|-----------------------| +| Update | 04-Mar-2024 | Move & update TRG | +| Active | 12-Feb-2024 | Publish TRG | +| Draft | 4-Jan-2024 | Initial release | + +## Why + +Dependabot automates dependency updates, generating PRs for new versions to keep your project current with latest features, bug fixes, and security patches. + +## Description + +Dependabot can be used for repositories with dependencies managed by package managers for languages like [JavaScript, Python, Ruby, Java, etc., and for applications using Docker images or GitHub Actions](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem). + +To enable Dependabot for version updates, create a `dependabot.yml` file in `.github` directory the root of your repository. + +Schedule Dependabot to run at least once a week with `interval: "weekly"`. + +Customize the `open-pull-requests-limit` to your preference. + +:::caution[Keep the dependencies file up to date] +Be careful, Dependabot PR merge can lead to out of date `DEPENDENCIES` file. +Make sure `DEPENDENCIES` file is updated by DASH tool. +::: + +Dependabot alerts are displayed in the GitHub Security Alerts section. Mark vulnerabilities as non-exploitable or false positives with required justification directly within the alert. Resolve high severity alerts within 30 days; addressing medium severity alerts is also strongly recommended. + +Adjust the workflow example below to match the [dependencies](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem) in your repository. 
+ +Example Dependabot workflow: + +```yaml +version: 2 +updates: + # Maintain dependencies for Maven + - package-ecosystem: "maven" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + + # Maintain dependencies for GitHub Actions + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + + # Maintain dependencies for Docker + - package-ecosystem: "docker" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 +``` + +More information: + + + +:::info[Importance of Implemented Tests] + +Ensure that your project has comprehensive test coverage. Automated tests are crucial for quickly validating that updates do not introduce regressions or break existing functionality. +::: From 3e5e9217a4e15d2c6a92b177258c4d8a303b4e99 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Mon, 4 Mar 2024 01:46:33 +0100 Subject: [PATCH 3/6] docs: rename trg-8-2.md to trg-8-02.md --- docs/release/trg-8/{trg-8-2.md => trg-8-02.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/release/trg-8/{trg-8-2.md => trg-8-02.md} (100%) diff --git a/docs/release/trg-8/trg-8-2.md b/docs/release/trg-8/trg-8-02.md similarity index 100% rename from docs/release/trg-8/trg-8-2.md rename to docs/release/trg-8/trg-8-02.md From 8aa743f558199df126df7e617da44785fc5f41d3 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Mon, 4 Mar 2024 01:50:10 +0100 Subject: [PATCH 4/6] docs: PRs from Dependabot --- docs/release/trg-8/trg-8-02.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-02.md b/docs/release/trg-8/trg-8-02.md index ee062ddcdd94..cab97400a3e0 100644 --- a/docs/release/trg-8/trg-8-02.md +++ b/docs/release/trg-8/trg-8-02.md 
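Review bot: the sentence `To enable Dependabot for version updates, create a \`dependabot.yml\` file in \`.github\` directory the root of your repository.` is missing a preposition and an article; it should read "in the `.github` directory at the root of your repository". Two documentation gaps in the same hunk: `More information:` is followed by nothing, so either the intended link was lost or the line should be dropped; and the paragraph on Dependabot alerts never says how alerts are turned on. A `dependabot.yml` only drives version updates; alerts are a repository security setting, so a reader who follows this page literally will get update PRs but no security alerts. Say where alerts are enabled, or state that the project expects them to be on. Finally, the file is created here as `trg-8-2.md` and renamed to `trg-8-02.md` in the very next patch; creating it under the final name keeps the history cleaner.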
@@ -20,7 +20,7 @@ To enable Dependabot for version updates, create a `dependabot.yml` file in `.gi Schedule Dependabot to run at least once a week with `interval: "weekly"`. -Customize the `open-pull-requests-limit` to your preference. +When configured, Dependabot automatically opens PRs with updates. Customize the open-pull-requests-limit according to your preference. :::caution[Keep the dependencies file up to date] Be careful, Dependabot PR merge can lead to out of date `DEPENDENCIES` file. From f646c2f3690902bba8a5cb3b23b456b2017e41c8 Mon Sep 17 00:00:00 2001 From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Mon, 4 Mar 2024 01:55:56 +0100 Subject: [PATCH 5/6] docs: remove trailing space --- docs/release/trg-8/trg-8-02.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-02.md b/docs/release/trg-8/trg-8-02.md index cab97400a3e0..5cda1892be22 100644 --- a/docs/release/trg-8/trg-8-02.md +++ b/docs/release/trg-8/trg-8-02.md @@ -16,7 +16,7 @@ Dependabot automates dependency updates, generating PRs for new versions to keep Dependabot can be used for repositories with dependencies managed by package managers for languages like [JavaScript, Python, Ruby, Java, etc., and for applications using Docker images or GitHub Actions](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem). -To enable Dependabot for version updates, create a `dependabot.yml` file in `.github` directory the root of your repository. +To enable Dependabot for version updates, create a `dependabot.yml` file in `.github` directory the root of your repository. Schedule Dependabot to run at least once a week with `interval: "weekly"`. From f34eafe1e9c375ca035490c25192779cd6becf58 Mon Sep 17 00:00:00 2001 
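Review bot: the replacement line `When configured, Dependabot automatically opens PRs with updates. Customize the open-pull-requests-limit according to your preference.` drops the backticks that the removed line had around `open-pull-requests-limit`, so the option name now renders as prose while `interval: "weekly"` on the line above is still code-formatted; keep it as `open-pull-requests-limit`. The added first sentence also repeats what the Why section already states ("generating PRs for new versions"), so it can go.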
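Review bot: since this hunk already touches the line `To enable Dependabot for version updates, create a \`dependabot.yml\` file in \`.github\` directory the root of your repository.` to strip the trailing space, fix the wording in the same change: "in the `.github` directory at the root of your repository". As shown, the `-` and `+` lines read identically, so a whitespace-only edit that leaves the grammar error in place is hard to justify as its own commit.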
From: Sebastian Scherer <59142915+scherersebastian@users.noreply.github.com> Date: Thu, 7 Mar 2024 19:18:11 +0100 Subject: [PATCH 6/6] docs: add caution box --- docs/release/trg-8/trg-8-02.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/release/trg-8/trg-8-02.md b/docs/release/trg-8/trg-8-02.md index 5cda1892be22..ece8bf4d6908 100644 --- a/docs/release/trg-8/trg-8-02.md +++ b/docs/release/trg-8/trg-8-02.md @@ -27,7 +27,13 @@ Be careful, Dependabot PR merge can lead to out of date `DEPENDENCIES` file. Make sure `DEPENDENCIES` file is updated by DASH tool. ::: -Dependabot alerts are displayed in the GitHub Security Alerts section. Mark vulnerabilities as non-exploitable or false positives with required justification directly within the alert. Resolve high severity alerts within 30 days; addressing medium severity alerts is also strongly recommended. +Dependabot alerts are displayed in the GitHub Security Alerts section. Mark vulnerabilities as non-exploitable or false positives with required justification directly within the alert. + +:::caution + +Address high severity findings; it is recommended to also address medium severity findings. + +::: Adjust the workflow example below to match the [dependencies](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem) in your repository.
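Review bot: the removed sentence carried a measurable requirement, `Resolve high severity alerts within 30 days`, and the new caution box replaces it with `Address high severity findings`, which sets no deadline at all. If the 30-day window was dropped on purpose, say what the expected timeframe is or that it is project-defined; otherwise keep the number in the box. Also, the new block is a bare `:::caution` while the earlier admonition in this file is titled (`:::caution[Keep the dependencies file up to date]`); a title such as `:::caution[Alert handling]` would match the file's convention.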