Skip to content
GG Docs

CI info

.github/workflows/main.yml

  • Directory.github/
    • Directoryworkflows/
      • main.yml
    • dependabot.yml

The ‘main.yml’ github action is triggered on every push to the repo. It builds the project and conditionally runs the related Sonarqube scans depending on if any files have changed. See more here for how that works Source helper.

Dependabot

Dependabot runs every workday in the morning. It checks for any dependency updates and creates a PR if it finds any. It also checks for any security vulnerabilities and creates a PR if it finds any.

Updates are then manually reviewed and merged in the following order:

  1. Security updates (Any change to Dependabot or CodeQL github-actions counts as a security update).
  2. Breaking updates.
  3. Non-breaking ‘github-actions’ updates.
  4. Non-breaking ‘dependency’ updates.
  5. Non-breaking ‘devDependency’ updates.

If after merging a PR a Dependabot PR has a conflict, Dependabot will automatically update the PR with the latest changes and rebase it. This can take a few minutes. To see the progress of these updates they can be found here.

CI secrets

Dependabot doesn’t get access to repo secrets to be able to deploy the various web projects after a dependency changes. These secrets are duplicated here.

Syncpack

Syncpack is an NPM tool to help keep a monorepo consistent. It is able to scan all the package.json files, make them consistent, sort items alphabetically and spot dependencies where one project is using a different version to another.

Occasionally run the ‘syncpack’ script in the root package.json to keep things consistent. However dependency consistency is enforced via dependabot.

Tokens and Certificates

Most project certificates automatically renew themselves. However the cloudflare tokens to deploy need updating every 90 days. On a solo project like this it isn’t really necessary, but just a good habit to keep.