8 Practical GitHub Tips To Help Streamline Development | by Wenqi Glantz | Jan, 2022


Wenqi Glantz
Cover image by the author
#1 Dependabot
#2 GitHub Actions
#3 Enable Alerts for Vulnerabilities
#4 Auto Merge
#5 Auto Assign
#6 Auto Release
#7 Release Notes Automation
#8 Enable Branch Protection

#1 Dependabot

The Log4j vulnerability CVE-2021-44228, which rocked the web last December, taught us how important it is to keep our dependency libraries up to date. Dependabot automates this: it opens pull requests that bump outdated dependencies, driven by a .github/dependabot.yml file whose key settings are:

  • directory: "/" tells Dependabot where the package manifest lives, in this case the repository root.
  • schedule.interval: "daily" tells Dependabot how often to check for updates, in this case once a day. Other values are "weekly" (on Monday) or "monthly" (on the first of every month).
  • open-pull-requests-limit: 10 caps how many Dependabot pull requests may be open at once. The default is 5 for version updates.
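A complete dependabot.yml wired up with the three settings above, added here as an example rather than the file from the original article. The Maven ecosystem and the ignored "org.example:some-library" coordinate are assumptions for illustration; the ignore block goes one step beyond the text and shows how to hold back a single dependency whose major version bump broke the build while still receiving its minor and patch updates.

```yaml
# .github/dependabot.yml
# Added example; the package ecosystem and the ignored dependency are assumptions.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"                 # where pom.xml lives; "/" is the repo root
    schedule:
      interval: "daily"            # or "weekly" (Monday) / "monthly" (the 1st)
    open-pull-requests-limit: 10   # default is 5 for version updates
    # Optional: skip only major bumps of one dependency that broke CI.
    # Hypothetical coordinate; replace with the real groupId:artifactId.
    ignore:
      - dependency-name: "org.example:some-library"
        update-types: ["version-update:semver-major"]
```

Keep ignore rules as narrow as this one: an ignore entry also applies to Dependabot security updates, so ignoring a dependency outright would silence exactly the kind of fix the Log4j incident called for.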

#2 GitHub Actions

GitHub Actions is a CI/CD platform that lets us automate our build, test, and deploy pipeline. There are ample articles and guides about GitHub Actions online that explore its rich features. For this story, we will focus only on how to use CI to help with Dependabot dependency upgrades: every pull request, including the ones Dependabot opens, is built and tested, so an upgrade that breaks the build is caught before it is merged.
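A minimal CI workflow that gives every pull request, Dependabot's included, a build-and-test status check. This is an added example, not the workflow from the original article; Maven with Java 17 is an assumption, and the job name `build` is the status-check context you would later require in branch protection.

```yaml
# .github/workflows/ci.yml
# Added example; the Maven/Java 17 toolchain is an assumption.
name: CI
on:
  pull_request:            # fires for Dependabot PRs too
  push:
    branches: [main]
permissions:
  contents: read           # least privilege: the build only reads the repo
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: "17"
          cache: maven
      - run: mvn -B verify  # a failing test fails the job, and so the PR check
```

Workflows triggered by Dependabot run with a read-only GITHUB_TOKEN and cannot read ordinary repository secrets, only Dependabot secrets; a build that needs a private registry credential must have it stored as a Dependabot secret or the Dependabot PR check will fail for the wrong reason.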

How to exclude upgrades that contain breaking changes

When a Dependabot pull request fails the CI build, we know the upgraded library introduced a breaking change. Two actions we need to take:

#3 Enable Alerts for Vulnerabilities

Dependabot scans the repository for dependencies with known vulnerabilities and sends Dependabot alerts when:

  • The dependency graph for the repository changes. For example, when a contributor pushes a commit that changes the packages or versions it depends on, or when the code of a dependency changes.

#4 Auto Merge

Speed up development by enabling auto-merge on a pull request, so that it is merged automatically once all merge requirements are met. Dependabot PRs that have passed the CI pipeline are ideal candidates for auto-merge.

#5 Auto Assign

Auto Assign is a Probot app that adds reviewers to pull requests when they are opened. Installation steps:

  1. Add the app to GitHub
  2. Choose the repository
  3. Create .github/auto_assign.yml in your repository:
# Set to true to add reviewers to pull requests
addReviewers: true
# Set to true to add assignees to pull requests
addAssignees: true
# A list of reviewers to be added to pull requests (GitHub user name)
reviewers:
- reviewerA
- reviewerB
- reviewerC
# Skip adding reviewers when the pull request includes one of these keywords
skipKeywords:
- wip
# A number of reviewers added to the pull request
# Set 0 to add all the reviewers (default: 0)
numberOfReviewers: 0

#6 Auto Release

There are quite a few auto-release actions on the GitHub Marketplace. We will explore Automatic Releases. This action simplifies the GitHub release process by auto-uploading assets, generating changelogs, handling pre-releases, and more. A typical usage scenario: when a tag is pushed to the repository, the action automatically creates the GitHub release. After building and testing your project, it will:

  1. Create a new release associated with the tag.
  2. Upload LICENSE.txt and any jar files as release assets.
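The same tag-driven flow written as a plain workflow with the GitHub CLI instead of a marketplace action, added here as an example and not taken from the article: a pushed `v*` tag builds the project and then creates the release for that tag with LICENSE.txt and the built jars attached. Maven, Java 17 and the `target/` output directory are assumptions.

```yaml
# .github/workflows/release.yml
# Added example; toolchain and artifact path are assumptions.
name: Release
on:
  push:
    tags: ["v*"]
permissions:
  contents: write          # create the release and upload its assets
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: "17"
          cache: maven
      - run: mvn -B verify   # build and test before anything is published
      - name: Create the release for the pushed tag
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: ${{ github.ref_name }}   # passed via env, not interpolated into the shell
        run: |
          gh release create "$TAG" \
            --title "$TAG" \
            --generate-notes \
            LICENSE.txt target/*.jar
```

Passing the tag name through `env` rather than writing `${{ github.ref_name }}` directly inside `run` keeps it out of shell interpolation, a habit worth keeping for any expression that comes from a ref, title or user-controlled field.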

#7 Release Notes Automation

Auto-generated release notes are an alternative to writing release notes for your GitHub releases by hand. With them you get a quick overview of what a release contains. You can also customize the output: labels define custom categories that group the pull requests you want to include, and specific labels and users can be excluded from appearing in the notes.
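The file that drives that customization is .github/release.yml, used both by the "Generate release notes" button and by `gh release create --generate-notes`. Below is an added example, not the article's own configuration; the label names and the excluded `some-bot-account` user are assumptions, and Dependabot's default `dependencies` label is used to give dependency bumps their own section rather than hiding them.

```yaml
# .github/release.yml
# Added example; label names and the excluded account are assumptions.
changelog:
  exclude:
    labels:
      - skip-changelog          # PRs carrying this label never appear
    authors:
      - some-bot-account        # hypothetical bot whose PRs are omitted
  categories:
    - title: Security fixes
      labels:
        - security
    - title: Breaking changes
      labels:
        - breaking-change
    - title: New features
      labels:
        - enhancement
    - title: Dependency updates   # Dependabot applies the "dependencies" label
      labels:
        - dependencies
    - title: Other changes
      labels:
        - "*"                     # wildcard: everything not matched above
```

Categories are matched in order, so put the specific ones first and the `"*"` catch-all last; a PR that matches an excluded label is dropped before categorization.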

#8 Enable Branch Protection

You can create a branch protection rule to enforce specific workflows for one or more branches, such as requiring an approving review or passing status checks on every pull request merged into the protected branch. Useful settings include:

  • Require status checks to pass before merging.
  • Require a set number of approvals before merging.
  • Dismiss stale pull request approvals when new commits are pushed.
  • Require branches to be up to date before merging.
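The same four settings applied from the command line, as an added example rather than anything shown in the article, through the GitHub REST branch-protection endpoint via the gh CLI. OWNER/REPO, the branch name and the `build` status-check context (the CI job name) are assumptions you would substitute.

```shell
#!/usr/bin/env bash
# Added example: apply branch protection with the REST API through gh.
# Assumes gh is installed and authenticated; repo, branch and check name
# are supplied as arguments.
set -eu

# Emit the JSON body for PUT /repos/{owner}/{repo}/branches/{branch}/protection.
# $1 = required status-check context (the CI job name).
# strict=true            -> "Require branches to be up to date before merging"
# contexts               -> "Require status checks to pass before merging"
# dismiss_stale_reviews  -> "Dismiss stale approvals when new commits are pushed"
# required_approving_review_count -> number of approvals required
protection_json() {
  check="$1"
  cat <<EOF
{
  "required_status_checks": { "strict": true, "contexts": ["$check"] },
  "enforce_admins": true,
  "required_pull_request_reviews": {
    "dismiss_stale_reviews": true,
    "required_approving_review_count": 1
  },
  "restrictions": null
}
EOF
}

# Apply the rule. $1 = owner/repo, $2 = branch, $3 = status-check context.
apply_protection() {
  protection_json "$3" | gh api --method PUT "repos/$1/branches/$2/protection" --input -
}

# Read the effective settings back so the change can be verified.
show_protection() {
  gh api "repos/$1/branches/$2/protection" --jq \
    '{strict: .required_status_checks.strict, checks: .required_status_checks.contexts, dismiss_stale: .required_pull_request_reviews.dismiss_stale_reviews, approvals: .required_pull_request_reviews.required_approving_review_count}'
}

# Usage: ./branch-protection.sh OWNER/REPO main build
# Only runs when all three arguments are given, so the file can be sourced safely.
if [ "$#" -eq 3 ]; then
  apply_protection "$1" "$2" "$3"
  show_protection "$1" "$2"
fi
```

`enforce_admins: true` closes the common gap where administrators bypass the rule; without it, a compromised admin account (or a hurried one) can push straight to the protected branch, and the status-check context must match the CI job name exactly or the merge will never be unblocked.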
