Document the process to merge Dependabot upgrades

gradle · Sep 27, 2022 · 8545e5a · 8545e5a
1 parent d923957
commit 8545e5a
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,14 @@
+### How to merge a Dependabot PR
+
+The "distribution" for a GitHub Action is checked into the repository itself. 
+In the case of the `gradle-build-action`, the transpiled sources are committed to the `dist` directory. 
+Any production dependencies are inlined into the distribution. 
+So if a Dependabot PR updates a production dependency (or a dev dependency that changes the distribution, like the Typescript compiler), 
+then a manual step is required to rebuild the dist and commit.
+
+The simplest process to follow is:
+1. Checkout the dependabot branch locally eg: `git checkout dependabot/npm_and_yarn/actions/github-5.1.0`
+2. Run `npm install` to download and the new dependencies and install locally
+3. Run `npm run build` to regenerate the distribution
+4. Push the changes to the dependabot branch
+5. If/when the checks pass, you can merge the dependabot PR