From 8545e5aed7204786b1da605d13e2d47572c96d42 Mon Sep 17 00:00:00 2001 From: Daz DeBoer Date: Tue, 27 Sep 2022 07:53:44 -0600 Subject: [PATCH] Document the process to merge Dependabot upgrades --- CONTRIBUTING.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 CONTRIBUTING.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..677c94a --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,14 @@ +### How to merge a Dependabot PR + +The "distribution" for a GitHub Action is checked into the repository itself. +In the case of the `gradle-build-action`, the transpiled sources are committed to the `dist` directory. +Any production dependencies are inlined into the distribution. +So if a Dependabot PR updates a production dependency (or a dev dependency that changes the distribution, like the Typescript compiler), +then a manual step is required to rebuild the dist and commit. + +The simplest process to follow is: +1. Checkout the dependabot branch locally eg: `git checkout dependabot/npm_and_yarn/actions/github-5.1.0` +2. Run `npm install` to download and the new dependencies and install locally +3. Run `npm run build` to regenerate the distribution +4. Push the changes to the dependabot branch +5. If/when the checks pass, you can merge the dependabot PR