
Y25-161 - Update dependabot settings #518

@harrietc52

Description


User story

As the PSD team, we would like to fine-tune the Dependabot configuration to reduce noise and make dependency management easier.

Who are the primary contacts for this story

@harrietc52
@BenTopping

Who is the nominated tester for UAT

PSD Team

Acceptance criteria

To be considered successful the solution must allow:

  • For all configured PSD Python repos, create a new label named "Security Update" (or something similar) with a red colour.
  • For all configured PSD Python repos, update the Dependabot config to add the security label to security update PRs.
  • Investigate what happens to dependencies that are both development and runtime (if they exist) when the Dependabot config enables automatic merging of development dependencies with minor and patch updates only.
  • Agree with the team which Python application can be used to trial automatic merging.
  • For the agreed application, update the Dependabot config to automatically merge development dependencies with minor and patch updates only.
  • For all configured PSD Python repos, update the Dependabot config to customise PR titles or commit messages, so that it is clear whether the PR includes development or runtime dependency updates, and whether it is a security PR.
  • Create a calendar event for 1 month after implementation to reflect on how this is going and specifically:
      • Whether we should roll out these changes to other Python repos.
      • Consider grouping development dependencies.
      • If we group development dependencies, update the text of the PR or commit message to include the text "Group".
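The criteria above map onto a handful of keys in a repository's .github/dependabot.yml. The file below is an added illustration written for this issue, not a configuration taken from any PSD repository; the directory, schedule, label name, prefixes and group name are assumptions, and the label must already exist in the repository before Dependabot can apply it.

```yaml
# .github/dependabot.yml (illustrative; repository-specific values are assumed)
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"                 # assumed: requirements files at the repo root
    schedule:
      interval: "weekly"
    # Labels are applied to every Dependabot PR for this ecosystem, version
    # updates and security updates alike. A label that does not exist yet is
    # silently skipped, so create it in the repository first.
    labels:
      - "dependencies"
    # Make the PR title / commit message state which kind of dependency is
    # being bumped. "prefix-development" is used when only development
    # dependencies change; "include: scope" appends the dependency names.
    commit-message:
      prefix: "deps(runtime)"
      prefix-development: "deps(dev)"
      include: "scope"
    # Collapse minor and patch bumps of development dependencies into one PR.
    # The group name appears in the generated PR title, which covers the
    # "include the text Group" criterion without extra configuration.
    groups:
      dev-dependencies:
        dependency-type: "development"
        update-types:
          - "minor"
          - "patch"
```

Two caveats worth checking during the trial. First, dependabot.yml has no separate label list for security updates, so a dedicated "Security Update" label (and any auto-merge gated on dependency type or update type) is normally applied from a GitHub Actions workflow that reads the PR's metadata with the dependabot/fetch-metadata action and then runs `gh pr merge --auto`, which is the approach in the "Enabling automerge on a pull request" reference above. Second, a package that appears in both the runtime and the development requirement files is a single dependency to Dependabot, so before enabling auto-merge it is worth confirming on a sample PR which `dependency-type` Dependabot reports for it, since that determines whether the development-only rule would merge a runtime change.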

References

Enabling automerge on a pull request

Additional context

Depfu Automatic Merge Research
Y25-160 - Update Depfu settings #517
