Dependabot PRs had been piling up.
I have tried various things to make use of Dependabot, and I will summarize them here.
I decided to work through the Dependabot merges at the beginning of each month.
If you are assigned as a reviewer, you have to review. If you set a milestone with a due date, you will be motivated to finish in time. Maybe.
So I set up the following.
| Item | Value |
|---|---|
| Reviewers | All (everyone on the team) |
| Milestone | security-update-<month> (due on the 8th of each month) |
The most important point is to set the number of reviewers to the maximum. We have made it explicit policy to get as many human eyes on each update as possible. Depending on the nature of the team, though, the review arrangement may need to be adjusted.
Also, setting up GitHub Actions in every repository individually was too much work, so we created a single repository for Dependabot handling and configure the other repositories from there by calling the GitHub API.
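As an added example (not the author's actual workflow code), this is how that central job can look: it walks a list of repositories and, through the GitHub REST API, requests the team's reviewers on every open Dependabot PR and attaches the month's `security-update-<month>` milestone, creating the milestone if it does not exist yet. Only the standard library is used. The repository names, reviewer logins and token are hypothetical, and `FakeGitHub` is a constructed stand-in for `api.github.com` so the script runs offline; swap in a real token to run it for real. One caveat for the central-repository approach: the token needs write access to every target repository (a personal access token or GitHub App token), because a workflow's default `GITHUB_TOKEN` only covers the repository the workflow lives in.

```python
# Added example, not the author's workflow: from one central repo, give every open
# Dependabot PR in a list of repos the team's reviewers and the monthly
# security-update milestone via the GitHub REST API. Repo names, reviewer logins
# and the token are hypothetical; FakeGitHub is a constructed offline stand-in.
import json
import urllib.request
from datetime import date

API = "https://api.github.com"
DEPENDABOT_LOGIN = "dependabot[bot]"  # author login on Dependabot PRs


def milestone_title(day):
    return f"security-update-{day:%Y-%m}"  # e.g. security-update-2024-03


def milestone_due_on(day):
    # due on the 8th of that month, in the ISO 8601 form the API expects
    return day.replace(day=8).strftime("%Y-%m-%dT09:00:00Z")


def urllib_transport(method, url, headers, body):
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class GitHub:
    def __init__(self, token, transport=urllib_transport):
        # token must have write access to every target repo (PAT or GitHub App token);
        # a workflow's default GITHUB_TOKEN only covers its own repository
        self.headers = {"Authorization": f"Bearer {token}",
                        "Accept": "application/vnd.github+json",
                        "Content-Type": "application/json"}
        self.transport = transport

    def call(self, method, path, payload=None):
        body = json.dumps(payload).encode() if payload is not None else None
        return self.transport(method, API + path, self.headers, body)

    def ensure_milestone(self, repo, title, due_on):
        """Return the number of the open milestone `title`, creating it if absent."""
        for ms in self.call("GET", f"/repos/{repo}/milestones?state=open&per_page=100"):
            if ms["title"] == title:
                return ms["number"]
        return self.call("POST", f"/repos/{repo}/milestones",
                         {"title": title, "due_on": due_on})["number"]

    def tag_dependabot_prs(self, repo, reviewers, today):
        """Request reviewers and set the milestone on open Dependabot PRs; return their numbers."""
        milestone, tagged = None, []
        for pr in self.call("GET", f"/repos/{repo}/pulls?state=open&per_page=100"):
            if pr["user"]["login"] != DEPENDABOT_LOGIN:
                continue  # leave human-authored PRs alone
            if milestone is None:  # created lazily: repos with no Dependabot PRs get none
                milestone = self.ensure_milestone(repo, milestone_title(today), milestone_due_on(today))
            number = pr["number"]
            self.call("POST", f"/repos/{repo}/pulls/{number}/requested_reviewers",
                      {"reviewers": reviewers})
            # milestones are set through the issue endpoint; a PR shares its issue number
            self.call("PATCH", f"/repos/{repo}/issues/{number}", {"milestone": milestone})
            tagged.append(number)
        return tagged


class FakeGitHub:
    """Constructed in-memory API: two repos, three open PRs, one existing milestone."""

    def __init__(self):
        self.calls = []
        self.prs = {"acme/web": [{"number": 41, "user": {"login": DEPENDABOT_LOGIN}},
                                 {"number": 42, "user": {"login": "alice"}}],
                    "acme/docs": [{"number": 7, "user": {"login": DEPENDABOT_LOGIN}}]}
        self.milestones = {"acme/web": [{"number": 3, "title": "security-update-2024-03"}],
                           "acme/docs": []}

    def __call__(self, method, url, headers, body):
        path = url[len(API):]
        payload = json.loads(body) if body else None
        self.calls.append((method, path, payload))
        parts = path.split("?")[0].split("/")  # ['', 'repos', owner, name, resource, ...]
        repo, resource = f"{parts[2]}/{parts[3]}", parts[4]
        if method == "GET" and resource == "pulls":
            return self.prs[repo]
        if method == "GET" and resource == "milestones":
            return self.milestones[repo]
        if method == "POST" and resource == "milestones":
            ms = {"number": len(self.milestones[repo]) + 1, "title": payload["title"]}
            self.milestones[repo].append(ms)
            return ms
        return {}  # reviewer requests and PATCHes need no body here


def demo():
    """Tagging pass over FakeGitHub; returns ({repo: tagged PR numbers}, calls made)."""
    fake = FakeGitHub()
    gh = GitHub("hypothetical-token", transport=fake)
    tagged = {repo: gh.tag_dependabot_prs(repo, ["alice", "bob"], date(2024, 3, 1))
              for repo in fake.prs}
    return tagged, fake.calls


if __name__ == "__main__":
    print(demo()[0])
```

In the offline run, PR 41 in `acme/web` gets the reviewers and the existing milestone number 3, PR 42 (authored by a human) is left untouched, and `acme/docs` has its milestone created before PR 7 is tagged. For a real run, pass a token with write access and the real repository list; the per-page limit of 100 is enough for a monthly backlog, but add pagination if a repository accumulates more open PRs than that.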
I made a TODO list of the month's Dependabot PRs in an Issue. This gives us a better overview and makes it easier to look back later.
We have a set of uniform rules for working on Dependabot as a team.
Libraries used only by the static site generator were skipped this time, since they do not handle user input and are therefore low risk (they still run at build time, so they are deferred rather than ignored).
Those were the measures we took. One thing still to be addressed:
I would like to have some kind of award for people who do a lot of reviews. Thank you very much.