# Workflow : BUMP DEPENDENCIES

Dependency update process (Dependabot PRs, manual bumps, CVE security fixes).

## Trigger

One of the following:

- Automatic Dependabot PR (configured in `.github/dependabot.yml`)
- GitHub Security CVE alert
- Manual bump decided on (e.g. moving Docmost from v0.8.x to v0.9.x)
- Monthly review cron (Corentin on call)

## Actors

- **acadenice-devops** (orchestrator)
- **bridge-tester** (post-bump validation)
- **bridge-dev** (fixes if a dependency introduces a breaking change)
- **Corentin** (decision maker for major bumps)

## Bump categories

| Type | Frequency | Process |
|------|-----------|---------|
| **Security patch** (CVE high/critical) | ASAP | Auto Dependabot + auto-merge if CI green |
| **Patch** (1.2.3 → 1.2.4) | Weekly | Auto Dependabot + 5 min review + merge |
| **Minor** (1.2.x → 1.3.0) | Weekly | Auto Dependabot + review + tests + merge |
| **Major** (1.x.x → 2.0.0) | Manual | Dedicated feat branch, exhaustive tests, Corentin's decision |
| **Docmost upstream** | Monthly or on signal from Yan/Corentin | Fork-specific process (see docmost-fork-dev) |
| **Baserow upstream** | Monthly or when the changelog is interesting | Pin new version, test compose, deploy staging |
| **Postgres major** | At most yearly, planned | Mandatory backup + migration test + restore + careful deploy |
| **Node LTS** | Every 2 years (LTS change) | Exhaustive bridge tests, possible refactor |

## Sequence — Patch / Minor (auto Dependabot)

```
[1] Dependabot PR created (auto, weekly on Monday 06:00)
    - Configured in .github/dependabot.yml
    - PR with package changelog + diff
    - Output: PR open on Forgejo + GitHub mirror
[2] CI runs automatically
    - ci.yml workflow runs on the PR
    - Tests + lint + security scan + docker build
    - Output: CI status
[3] Human review (Corentin, 5-10 min)
    - Read the package changelog
    - Check potential impact
    - If new type / breaking change: check tests
    - Output: decision merge / hold / close
[4] If CI green + review OK: merge (squash)
    - Auto-delete branch
    - Output: commit on main
[5] Auto deploy to staging (deploy-staging.yml workflow)
    - Phase 0/1: workflow_dispatch only
    - Phase 2+: auto on push to main
    - Output: working staging, or alert on failure
```

## Sequence — Major (manual)

```
[1] Decision (Corentin)
    - Read the package's official changelog / upgrade guide
    - Identify breaking changes
    - Decide: bump now or wait
    - Output: go/no-go
[2] Feature branch (bridge-dev)
    - feat/bump--vX.Y
    - Bump in package.json
    - npm install + commit lockfile
    - Output: branch with the bump
[3] Code migration (bridge-dev)
    - Adapt the code to the breaking changes
    - Run tests: npm test
    - Iterate on fixes until green
    - Output: adapted code
[4] Exhaustive tests (bridge-tester)
    - Run unit + integration: npm test
    - Run E2E on staging if Phase 2.3+
    - Check coverage is maintained (>= 80% domain)
    - Output: test report
[5] Staging validation (Corentin)
    - Deploy staging
    - Test critical flows
    - Output: staging sign-off
[6] PR + merge (see workflow build-story.md, steps [4]-[7])
[7] Prod deploy (see workflow release.md)
    - Follows the standard release process with watch period
    - Output: prod deployed
```

## Sequence — Docmost / Baserow upstream

```
[1] Detect new version (Corentin via GitHub release watch)
[2] Read the official release notes
[3] Test on a cloned env: pull image + restore data backup → smoke test
[4] If OK: update compose.yml or Dockerfile.fork
[5] Standard release process (see release.md)
[6] If KO: report upstream (issue) or wait for the next release
```

See the BYAN workflow `docker-stack-safe-upgrade` (id `75abc7aa-8ba7-47ce-b6b8-bf5573e82f62`) for stateful bumps in prod (12 phases with gates).

## Human gates

| Gate | Decision | Owner |
|------|----------|-------|
| Dependabot PR review (3) | merge / hold / close | Corentin |
| Major decision (1) | go / no-go | Corentin |
| Staging validation (5) | OK / RETOUR | Corentin |

## Rollback / error handling

| Scenario | Action |
|----------|--------|
| Red CI on Dependabot PR | hold the PR, analyse the logs, decide fix or close |
| Major bump introduces a regression not caught by CI | rollback (revert commit + redeploy) + add a regression test |
| Docmost upgrade breaks data | restore pre-upgrade backup + downgrade image + investigate |

## Frequency and planning

- **Monday morning**: review Dependabot PRs (15-30 min, Corentin)
- **1st of the month**: security alerts audit + capacity planning + DR test
- **Quarterly**: review possible major bumps (Node, Postgres, Hono, Tiptap, etc.)

## Outputs

- package.json + lock file up to date
- CI green post-bump
- Tests + coverage maintained
- CHANGELOG.md updated if user-facing
- For a major bump: internal migration doc in `docs/migrations/-vX.md`

## Notes

- Dependabot configured in `.github/dependabot.yml` (already done):
  * npm ecosystem (bridge/): weekly
  * github-actions ecosystem: weekly
  * docker ecosystem (compose): weekly
- Dependabot open PR limit: 10 max (avoid spam)
- Group production-deps and dev-deps separately
- **No prod bumps on Fridays** (tradition + same reason as for releases)
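As an added illustration (not the project's actual `.github/dependabot.yml`), here is a Dependabot configuration that implements the notes above: three weekly ecosystems, a 10-PR limit, and production/development dependencies grouped into separate PRs. The `/bridge` directory, the Monday 06:00 schedule taken from the patch/minor sequence, the `Europe/Paris` timezone and the root `directory` for the docker ecosystem are assumptions.

```yaml
# Added example, not the project's real .github/dependabot.yml.
# Assumptions: package.json lives in /bridge, compose.yml at repo root,
# PRs open Monday 06:00 Europe/Paris (from the patch/minor sequence).
version: 2
updates:
  # npm dependencies of the bridge service
  - package-ecosystem: "npm"
    directory: "/bridge"            # assumption: where package.json sits
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/Paris"      # assumption
    open-pull-requests-limit: 10    # "10 max (avoid spam)"
    groups:
      production-deps:              # runtime deps land in one PR
        dependency-type: "production"
      dev-deps:                     # tooling deps land in a separate PR
        dependency-type: "development"

  # GitHub Actions referenced by ci.yml / deploy-staging.yml
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/Paris"
    open-pull-requests-limit: 10

  # Docker images pinned in compose.yml / Dockerfile.fork
  - package-ecosystem: "docker"
    directory: "/"                  # assumption: compose.yml at repo root
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/Paris"
    open-pull-requests-limit: 10
```

Grouping by `dependency-type` keeps production bumps reviewable on their own; the security-patch row still relies on the repository's CI status checks, since Dependabot itself only opens the PR.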