You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: CONTRIBUTING.md
+65Lines changed: 65 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -280,6 +280,71 @@ The project includes automated license compliance checking:
280
280
281
281
All dependencies are automatically scanned using Google's `go-licenses` tool in CI, which classifies licenses by type and identifies potential compliance issues. Note that `go-licenses` is not actively maintained, so we install it on-demand rather than as a regular build dependency.
282
282
283
+
## 🤖 Automated Dependency Updates (Dependabot)
284
+
285
+
This project uses GitHub Dependabot to automatically keep dependencies up-to-date with weekly security patches and version updates.
286
+
287
+
### What Dependabot Monitors
288
+
289
+
Dependabot is configured in `.github/dependabot.yml` to monitor:
290
+
291
+
1.**Go modules** (`/go.mod`) - Weekly updates for Go dependencies
- Directory paths must match locations of dependency files
325
+
- Ecosystem names must be exact: `gomod`, `npm`, `pip`
326
+
327
+
3.**Check for rate limits**: Dependabot may be rate-limited if there are too many updates
328
+
329
+
4.**Manual trigger**: You can manually trigger Dependabot from repository Settings → Security → Dependabot
330
+
331
+
### Handling Dependabot PRs
332
+
333
+
When reviewing Dependabot PRs:
334
+
335
+
1.**Review the changes**: Check the changelog and compatibility score
336
+
2.**Let CI run**: Wait for all GitHub Actions checks to pass
337
+
3.**Test if needed**: For major version updates, test locally or let the agent verify
338
+
4.**Merge quickly**: Security updates should be merged as soon as CI passes
339
+
5.**Batch updates**: For minor version updates, you can merge multiple PRs at once
340
+
341
+
### Security Patches
342
+
343
+
Dependabot prioritizes security patches:
344
+
- Security vulnerabilities are updated **immediately** (not weekly)
345
+
- PRs are tagged with severity level (critical, high, medium, low)
346
+
- Security PRs should be reviewed and merged within 24-48 hours
347
+
283
348
## 🧪 Testing
284
349
285
350
For comprehensive testing guidelines including assert vs require usage, table-driven test patterns, and best practices, see **[specs/testing.md](specs/testing.md)**.
0 commit comments