Release Engineering is how software gets packaged, shipped, and distributed to the end users.

Bump Dependencies Automatically

For a Release Engineer, one of the most time-consuming tasks is making sure that updated dependencies are shipped to customers. It's a crucial part of the release process because it gives customers access to recent, up-to-date security patches. Dependencies also carry important bug fixes and improvements that customers can leverage in the product.

Typically, a workflow for bumping dependencies can be quite manual. This can vary from bumping each version manually to running commands repeatedly that bump the dependencies using a package manager.

Regardless of the level of convenience, working at this level of abstraction feels like toil from the Release Engineering perspective.

So it's important to design tooling and pipelines to automate this process. As part of the build process, the system should technically be able to bring in updated dependencies automatically and incorporate those in the next release train.

For TAS, we have a fairly complex dependency system that spans the underlying operating system, libraries, Docker images, and the product code itself. Because this surface area is so large and a bad bump can have a huge impact on the product, we implemented a Dependabot plugin that routes each meaningful dependency bump through our pull request system, so these changes are tested independently and incorporated into the product only if they are functionally and operationally sound.

Before that, the TAS Release Engineering team used to bump dependencies manually in a Concourse pipeline config. Not only was this error-prone, but it always required the Release Engineers to stay on top of, and involved in, the bumping process. With the Dependabot-based system, the component engineers can set their own version criteria for inclusion into the product and the system handles the rest gracefully.
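
As an added illustration (not the TAS plugin's own configuration, which this post does not show), this is how per-component version criteria look in a stock GitHub Dependabot `dependabot.yml`. The dependency names, directories and labels are hypothetical.

```yaml
# .github/dependabot.yml (added example; names and paths are hypothetical)
version: 2
updates:
  # Docker base images: open a PR for every patch and minor bump,
  # but hold major versions back for a deliberate, manual decision.
  - package-ecosystem: "docker"
    directory: "/images/runtime"
    schedule:
      interval: "daily"
    labels: ["dependencies", "docker"]
    ignore:
      - dependency-name: "example/base-image"
        update-types: ["version-update:semver-major"]

  # Libraries of one component: the owning team states the range it is
  # willing to ship; anything at or above 3.0.0 never reaches a PR.
  - package-ecosystem: "gomod"
    directory: "/src/component-a"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    labels: ["dependencies", "component-a"]
    ignore:
      - dependency-name: "example.com/hypothetical/lib"
        versions: [">=3.0.0"]
```

Each entry produces its own pull request, so the existing PR checks test every bump in isolation before it can join a release.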

Jamie Larson