Boost VA.gov: Dependabot & Drupal Module Upgrade Guide
Hey folks! Keeping our VA.gov projects humming along smoothly means staying on top of updates, and that's where Dependabot PRs and Drupal module upgrades come in. This guide breaks down the steps to ensure our systems are secure, stable, and ready for action. Let's dive in and make sure we're all on the same page, ya?
Next-Build Repo: Keeping it Lean and Mean
First up, let's talk about the Next-Build repo. This is where we manage our front-end builds, and keeping its dependencies updated is crucial for performance and security. Here's the lowdown on how to handle those Dependabot PRs:
Step 1: Scope out the Scene
- Check out the PRs: The first thing you'll do is open the PRs for the Next-Build repo. This will show you all the proposed changes and updates from Dependabot. Get familiar with the changes and what they are trying to implement.
Step 2: Merge the Green Lights
- Merge passing tests: Are the tests passing? Great! If the automated tests are all green, it means the update is likely safe and sound. Merge those PRs right away. Easy peasy!
Step 3: Handle the Troubles
- Investigate failures: If a PR has failed tests, don't panic! It just means a little more digging is needed. You'll need to figure out why the tests are failing. Is it a compatibility issue? A bug? Once you have investigated the situation, determine whether the work required is less than or greater than 2 story points.
- Create tickets for bigger issues: If fixing the failing tests is going to be a significant amount of work (more than 2 story points), create a ticket to address the PR. This helps us track the work and prioritize it. It is best practice to notify your product manager to let them know the updates will be implemented in a future sprint.
By following these steps, we'll keep the Next-Build repo up to date and reduce the number of open Dependabot PRs. This helps make sure our site is secure and performs at its best.
CMS Repo (For Drupal Engineers Only): Diving into Drupal Module Upgrades
Alright, Drupal engineers, this section is for you. We're going to break down how to handle those Dependabot PRs and Drupal module upgrades in the CMS repo. It's important to keep our Drupal modules current for security and functionality. So here's how we're going to do it.
Step 1: Review Dependabot PRs
- Review Dependabot PRs: Examine the Dependabot PRs for the CMS repo. Review the proposed changes and assess their potential impact. At the moment, Dependabot is TBD, so we will skip this step for now. But keep an eye on these once they become active.
Step 2: Cross-Reference with Composer Audit & Updates Report
- Compare with composer audit: Run `composer audit` to identify any security vulnerabilities in our dependencies. This helps us ensure we're not missing any critical updates.
- View the updates report: Check out the updates report at https://prod.cms.va.gov/admin/reports/updates. This report provides a comprehensive view of available module updates and gives us visibility into what is outstanding.
Step 3: Prioritize Security Updates
- Focus on security: Always give security updates top priority. These are critical for protecting our site from vulnerabilities. If a security update is available, implement it as soon as possible, ideally after reviewing it.
Step 4: UI and Accessibility Checks
- Check for UI impact: If an upgrade could potentially impact the user interface (UI), loop in @skirkman16 for a visual QA review to make sure everything looks good. We want to be certain the updates improve the look and feel.
- Accessibility check: Also, make sure to involve @laflannery for an accessibility check. This ensures that the updates are still accessible to all users.
Step 5: Minor Updates
- Handle minor updates: Work on minor updates, prioritizing older updates. These updates can help resolve any potential dependencies and improve the overall stability of our modules.
- Time Allocation: Try to keep the work on minor updates to a maximum of 3 story points.
Step 6: Identify Additional Updates
- Run Composer Outdated: Run `composer outdated 'drupal/*'` to check for any additional updates that may not be caught by Dependabot PRs. This helps to ensure we are not missing anything.
- Check the Updates Report: Alternatively, you can view the updates report at https://prod.cms.va.gov/admin/reports/updates.
- Dependabot PRs Limit: Keep in mind that Dependabot may have a limit on the total number of PRs it creates. Always keep an eye out for potential missed updates.
Step 7: Address Major Version Updates
- Create tickets for major updates: If there are major version updates, create separate tickets for these. Major updates often involve significant changes and require more thorough testing. Create a ticket to allow a dedicated resource to manage the update.
- Link the ticket: In the Dependabot PR, add a link to the ticket you created.
- Close the PR: Once the ticket is created, close the Dependabot PR.
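As an added example (not part of this guide and not code from the VA.gov repos), here is a small Python helper that takes the JSON from `composer audit --format=json` and `composer outdated 'drupal/*' --format=json` and sorts packages into the buckets Steps 2 through 7 describe: security fixes first, minor/patch work next, and major version jumps that get their own ticket. The embedded JSON, package names, versions and advisory id are constructed placeholders shaped like Composer 2's output; check the keys against the Composer version you actually run.

```python
"""Sort Composer output into the guide's buckets (added example, not project code).

Security advisories (Step 3) always win, minor/patch bumps go to the
Step 5 pile, major bumps go to the Step 7 "needs its own ticket" pile,
and version strings the script cannot read (Drupal's legacy 8.x-1.2
scheme, dev branches) are set aside for a human to classify.
"""
import json
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample of ``composer audit --format=json`` output. The package
# name, versions and advisory id are placeholders, not a real advisory.
SAMPLE_AUDIT = """{
  "advisories": {
    "drupal/example_module": [
      {"advisoryId": "PLACEHOLDER-ADVISORY-ID", "packageName": "drupal/example_module",
       "affectedVersions": "<2.1.3", "title": "Constructed advisory", "severity": "high"}
    ]
  }
}"""

# Constructed sample of ``composer outdated 'drupal/*' --format=json`` output.
SAMPLE_OUTDATED = """{
  "installed": [
    {"name": "drupal/example_module", "version": "2.1.0", "latest": "2.1.3",
     "latest-status": "semver-safe-update"},
    {"name": "drupal/another_module", "version": "1.4.0", "latest": "1.5.0",
     "latest-status": "semver-safe-update"},
    {"name": "drupal/big_module", "version": "3.2.1", "latest": "4.0.0",
     "latest-status": "update-possible"},
    {"name": "drupal/legacy_module", "version": "8.x-1.2", "latest": "8.x-1.4",
     "latest-status": "update-possible"},
    {"name": "drupal/current_module", "version": "5.0.0", "latest": "5.0.0",
     "latest-status": "up-to-date"}
  ]
}"""

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch) or None for non-semver strings."""
    m = _SEMVER.match(version)
    return tuple(int(x) for x in m.groups()) if m else None


def bump_kind(current: str, latest: str) -> str:
    """Classify the jump from current to latest: none, patch, minor, major or unknown."""
    cur, new = parse_version(current), parse_version(latest)
    if cur is None or new is None:
        return "unknown"
    if new == cur:
        return "none"
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch"


def triage(audit_json: str, outdated_json: str) -> Dict[str, List[dict]]:
    """Bucket packages into security, minor_patch, major and unknown."""
    advisories = json.loads(audit_json).get("advisories", {})
    installed = json.loads(outdated_json).get("installed", [])
    buckets: Dict[str, List[dict]] = {"security": [], "minor_patch": [], "major": [], "unknown": []}
    seen = set()
    for pkg in installed:
        seen.add(pkg["name"])
        kind = bump_kind(pkg["version"], pkg["latest"])
        advs = [a.get("advisoryId") for a in advisories.get(pkg["name"], [])]
        entry = {"name": pkg["name"], "version": pkg["version"], "latest": pkg["latest"],
                 "bump": kind, "advisories": advs}
        if advs:
            buckets["security"].append(entry)  # security first, even when it is a major bump
        elif kind == "none":
            continue                            # already current, nothing to do
        elif kind == "major":
            buckets["major"].append(entry)
        elif kind == "unknown":
            buckets["unknown"].append(entry)
        else:
            buckets["minor_patch"].append(entry)
    # An advisory on a package that composer outdated did not list (for example one
    # outside the 'drupal/*' filter) still needs a look, so surface it too.
    for name, advs in advisories.items():
        if name not in seen:
            buckets["security"].append({"name": name, "version": None, "latest": None,
                                        "bump": "unknown",
                                        "advisories": [a.get("advisoryId") for a in advs]})
    return buckets


def run_composer(*args: str) -> str:
    """Run a composer subcommand and return its stdout. composer audit exits
    non-zero when advisories exist, so a non-zero status is not a failure here."""
    proc = subprocess.run(["composer", *args], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # In a real checkout swap the samples for run_composer("audit", "--format=json")
    # and run_composer("outdated", "drupal/*", "--format=json").
    for bucket, entries in triage(SAMPLE_AUDIT, SAMPLE_OUTDATED).items():
        print(bucket)
        for e in entries:
            print(f"  {e['name']}: {e['version']} -> {e['latest']} ({e['bump']}) {e['advisories']}")
```

Running it against the constructed samples puts `drupal/example_module` in the security bucket, `drupal/another_module` in minor/patch, `drupal/big_module` in major (ticket it and close the Dependabot PR per Step 7), and `drupal/legacy_module` in unknown because its `8.x-` version string is not semver. The `run_composer` helper deliberately ignores the exit status, since `composer audit` returns non-zero whenever it finds advisories and that is exactly the case you want to read.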
Acceptance Criteria: What Success Looks Like
So, what does success look like here? Let's break down the acceptance criteria:
- Reduced Dependabot PRs: The number of Dependabot PRs for Next-Build should be reduced. This indicates that we're keeping up with the updates and keeping the code base fresh.
- (For Drupal Engineers Only) Upgraded Drupal Modules: All outstanding Drupal Modules should be upgraded. This means that we're addressing security vulnerabilities, improving functionality, and making sure the site runs efficiently.
- Identified and Ticketed Larger PRs: Any larger Dependabot PRs should be identified, and tickets should be created for future work. This helps us manage complex updates and plan for future sprints.
By following these steps, we'll keep the Next-Build repo and Drupal modules up to date, ensuring a secure, stable, and high-performing VA.gov experience. Keep up the great work, everyone!