Automated merges of version bump MRs
Background
We use Renovate to automate keeping project dependencies up-to-date. Renovate scans for new versions and automatically opens MRs which bump those dependencies. We use this mechanism to manage both internal and external dependencies.
Currently merging Renovate MRs requires a human to review the dependency bump.
Problem
This human review adds considerable overhead, taking time and focus away from reviewers that could be spent more productively. It also arguably adds little value: in the vast majority of cases the changes are internal and have therefore already been reviewed in the source repo, and we can rely on CI to provide confidence that the change is safe.
One of the reasons reviews are currently required is compliance.
Discussion
I would like to explore the possibility of propagating reviews to allow MRs to be automatically merged.
We may want to differentiate between internal and external changes.
- Internal: The change has already been reviewed in the source repo. If we can prove that this has occurred, does that review carry over to the version bump? And can we effectively prove this to auditors?
- External: Here we need to be a bit more careful. We could explore having an internal registry of vetted versions. Once a version has been vetted, projects can be automatically upgraded to it.
Controls
- We may want to make this opt-in, since some projects may have specific requirements around reviews of certain dependencies (e.g. maintaining BC).
- We may want to rely on semantic versioning to require reviews for bumps across a major version boundary.
- We may want to collaborate with feature groups around SBOMs, since this is something our customers could benefit from as well.
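As an added illustration (not part of the original proposal), the controls above can be expressed as a single policy check that a merge bot would run against each Renovate MR: opt-in per project, no auto-merge across a major boundary, propagated review evidence for internal packages, and a vetted-version registry for external ones. The package prefixes, registry contents and opt-in list below are constructed placeholders.

```python
"""Policy check for auto-merging a Renovate version-bump MR (added example)."""
from dataclasses import dataclass
import re

# Constructed project settings; a real deployment would load these from config.
INTERNAL_PREFIXES = ("internal/",)               # package names treated as internal
VETTED_EXTERNAL = {("requests", "2.31.0")}       # constructed vetted-version registry
AUTOMERGE_OPTED_IN = {"billing-service"}         # projects that opted in to auto-merge


@dataclass
class Bump:
    project: str
    package: str
    old: str
    new: str
    source_review_approved: bool = False  # review evidence from the source repo (internal only)


def parse_semver(version: str) -> tuple[int, int, int]:
    """Parse 'v1.2.3' or '1.2.3-rc1' into a comparable (major, minor, patch) tuple."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version)
    if not match:
        raise ValueError(f"not semver: {version}")
    return tuple(int(part) for part in match.groups())


def decide(bump: Bump) -> tuple[bool, str]:
    """Return (automerge, reason). Any failed control falls back to human review."""
    if bump.project not in AUTOMERGE_OPTED_IN:
        return False, "project has not opted in"
    try:
        old, new = parse_semver(bump.old), parse_semver(bump.new)
    except ValueError as exc:
        return False, str(exc)
    if new <= old:
        return False, "not an upgrade"
    if new[0] != old[0]:
        # Semver major boundary: keep the human review.
        return False, "major version boundary crossed"
    if bump.package.startswith(INTERNAL_PREFIXES):
        # Internal change: the review carries over only if we can show it happened.
        if not bump.source_review_approved:
            return False, "no review evidence from source repo"
        return True, "internal bump with propagated review"
    if (bump.package, bump.new) in VETTED_EXTERNAL:
        return True, "external version is in the vetted registry"
    return False, "external version not vetted"
```

The reason string is what the bot would post on the MR, so auditors can see which control allowed or blocked each merge.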