UWIT-IAM/nginx-saml-proxy

weekly builds

Opened this issue · 4 comments

A regularly refreshed image is needed to address security issues.

I've added this dependabot config to track the upstream OS and the python packages used.

I haven't used dependabot before, but it appears to be checking things correctly based on this requirements.txt check and the related dockerfile check.

It appears that dependabot can tell when the whole Debian image is updated, but it is not clear to me that it could tell that, e.g., the optional libxmlsec1 we install got updated and so a new image should be built. I don't think docker caching can help here because something in the large swath of the Debian packages will most assuredly be updated each week.

Are you aware of anything fancy that can do that or should I just bundle a weekly build script as well?
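One way to cover the gap raised above (apt-level updates such as libxmlsec1 that Dependabot does not see), as an added example and not the project's own configuration: a Dependabot config for the Docker and pip ecosystems alongside a GitHub Actions workflow that rebuilds the image on a weekly cron with `--pull --no-cache`, so the refreshed base image and apt packages are picked up. The file paths, the `ghcr.io/example-org/nginx-saml-proxy` image name and the registry login are assumptions.

```yaml
# .github/dependabot.yml  (assumed path; added example, not the project's own file)
version: 2
updates:
  # Tracks the FROM line(s) of the Dockerfile, i.e. the upstream OS image tag
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
  # Tracks requirements.txt; security-advisory PRs open regardless of the schedule
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
---
# .github/workflows/weekly-build.yml  (assumed path; added example, not the project's own file)
# Dependabot cannot see apt-level updates (e.g. libxmlsec1) inside the image,
# so a scheduled rebuild without cache picks them up along with the refreshed base image.
name: weekly-image-rebuild
on:
  schedule:
    - cron: "0 6 * * 1"   # every Monday 06:00 UTC
  workflow_dispatch:       # allows a manual rebuild after an urgent advisory
permissions:
  contents: read
  packages: write          # needed to push to GitHub Container Registry
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      IMAGE: ghcr.io/example-org/nginx-saml-proxy   # assumed image name
    steps:
      - uses: actions/checkout@v4
      - name: Log in to registry
        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
      - name: Rebuild with fresh base image and fresh apt metadata
        # --pull re-fetches the base tag even if cached; --no-cache forces every
        # layer (including apt-get install) to run again instead of being reused
        run: |
          docker build --pull --no-cache \
            -t "$IMAGE:latest" -t "$IMAGE:$(date -u +%Y%m%d)" .
      - name: Push
        run: docker push --all-tags "$IMAGE"
```

The dated tag gives a record of which weekly rebuild a deployment is running, which helps when checking whether a given advisory is already covered.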

Interesting, I was thinking of using the features of the repo here on Github, as opposed to a yaml file, but I don't know if there is an advantage one way or the other.
This link isn't going to work for anyone else without developer-level access, but now I'm curious which might be better.

My original comment was in the context of security, and getting alerts in a timely fashion, not so much version updates, which in my mind were a poetry thing. But of course we don't have poetry on this app right now, so let's forge ahead with what you have and see what all we can get out of dependabot, if that sounds good to you.

On the docker side, our base image we're relying on seems to have about a monthly refresh cycle so if we're doing latest and building weekly, we'll pick that up rapidly enough (sans major security events).

dependabot version updates and security updates

You can see what it's like to interact with dependabot here: https://github.com/UWIT-UE/slack-user-reconcile/pulls?q=is%3Apr+is%3Aclosed

In UWIT-UE/slack-user-reconcile#14 you can see me conversing with dependabot.