Description
Dependabot and autobumper are the two tools we use to automatically keep dependencies up to date and lower the number of CVEs reported for the test-infra repository. Both tools are driven by config files stored in the test-infra repo, and those files must list every location the tools should update; any Dockerfile, Go module, Python module or workflow that is not in the config is silently skipped. Updating the tools' configuration to reflect changes in the test-infra repository must therefore run in an automated way to minimise latency.
An alternative approach is to switch to tools that automatically detect the files that need dependency updates.
Reasons
Manual configuration updates for dependabot and autobumper do not happen with acceptable frequency. Additionally, the manual process is prone to errors and unnecessary delays. This leads to the use of old and vulnerable images, libraries and tools, which in turn increases the number of CVEs detected for our software.
Acceptance Criteria
Dockerfile dependencies are automatically updated in all files.
All OCI image versions are automatically updated when a new version is available.
All GitHub actions used in workflows are using newest versions.
Golang dependencies are updated for all modules existing in a repo.
Python dependencies are updated for all modules existing in a repo.
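One way to meet the "automated configuration" requirement without waiting for a tool with built-in file detection is to generate `.github/dependabot.yml` from the repository tree itself. The script below is an added example, not test-infra's own tooling: it walks a checkout, maps each manifest it finds (Dockerfiles, `go.mod`, Python requirement files, workflow files) to a Dependabot `package-ecosystem`, and emits one `updates` entry per directory, so a newly added module or image is covered on the next run instead of after a manual edit. The manifest-to-ecosystem table, the skip list and the sample tree are assumptions made for the example.

```python
"""Generate a Dependabot v2 config covering every manifest in a repository.

Added example (not test-infra's own tooling). Run it from a CI job and
commit the result as .github/dependabot.yml, or diff it against the
checked-in file to fail the build when the config has drifted.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Manifest file name -> Dependabot package-ecosystem. Assumed set for the example.
MANIFEST_ECOSYSTEMS = {
    "go.mod": "gomod",
    "requirements.txt": "pip",
    "pyproject.toml": "pip",
    "Pipfile": "pip",
}
# Directories that hold copies of third-party code, never our own manifests.
SKIP_DIRS = {".git", "vendor", "node_modules"}
WORKFLOW_DIR = Path(".github") / "workflows"


def classify(relpath: Path) -> str | None:
    """Return the Dependabot ecosystem for a repo-relative file path, or None."""
    name = relpath.name
    if name == "Dockerfile" or name.startswith("Dockerfile.") or name.endswith(".Dockerfile"):
        return "docker"
    if relpath.parent == WORKFLOW_DIR and relpath.suffix in {".yml", ".yaml"}:
        return "github-actions"
    return MANIFEST_ECOSYSTEMS.get(name)


def discover_manifests(root: str | os.PathLike) -> dict[str, list[str]]:
    """Map ecosystem -> sorted Dependabot 'directory' values ('/'-prefixed, repo-relative)."""
    root = Path(root)
    found: dict[str, set[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into vendored trees.
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fname in filenames:
            rel = Path(dirpath, fname).relative_to(root)
            eco = classify(rel)
            if eco is None:
                continue
            parent = rel.parent.as_posix()
            # Workflows are always configured from the repository root.
            directory = "/" if eco == "github-actions" or parent == "." else "/" + parent
            found.setdefault(eco, set()).add(directory)
    return {eco: sorted(dirs) for eco, dirs in found.items()}


def render_dependabot_config(manifests: dict[str, list[str]], interval: str = "weekly") -> str:
    """Render discovered entries as dependabot.yml text (version 2 schema)."""
    lines = ["version: 2", "updates:"]
    for eco in sorted(manifests):
        for directory in manifests[eco]:
            lines += [
                f'  - package-ecosystem: "{eco}"',
                f'    directory: "{directory}"',
                "    schedule:",
                f'      interval: "{interval}"',
            ]
    return "\n".join(lines) + "\n"


def build_sample_repo(root: str | os.PathLike) -> Path:
    """Create a constructed sample tree (not a real repository) under root."""
    root = Path(root)
    for f in [
        "go.mod",
        "cmd/tool/go.mod",
        "images/builder/Dockerfile",
        "images/scanner/Dockerfile.alpine",
        "scripts/requirements.txt",
        ".github/workflows/ci.yml",
        "vendor/github.com/x/go.mod",  # vendored copy: must be ignored
    ]:
        p = root / f
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("# constructed sample\n")
    return root


def demo() -> tuple[dict[str, list[str]], str]:
    """Build the sample tree in a temp dir and return (manifests, rendered config)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        manifests = discover_manifests(tmp)
    return manifests, render_dependabot_config(manifests)


if __name__ == "__main__":
    _, config = demo()
    print(config, end="")
```

Dependabot needs a separate `updates` entry for each directory that holds a `go.mod`, Dockerfile or requirements file, which is exactly why a hand-maintained config falls behind as the repository grows; generating it from the tree removes that failure mode. Anything not in `SKIP_DIRS` is treated as first-party, so extend that set if the repository keeps other copies of external code.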