Saturday, 23 September 2023

Automating dependency updates with Dependabot

Sprout Social’s Android mobile app is a powerful native application that keeps our customers plugged in to their social media presence on the go. As part of our Android app, we maintain over 35 dependencies managed by the open source community that provide useful building blocks for our application.

Our dependencies provide myriad functionality such as frameworks for making network calls, async image loading, testing tools and other existing solutions that solve common Android development challenges. Some of these dependencies are required to leverage core Android libraries while others help solve common software challenges without having to write all the code from scratch. Each dependency allows us to leverage functionality without having to reinvent the wheel.

At the same time, each comes with a responsibility to keep them current to ensure we know of new performance, security, and feature updates. This sounds great on paper, but as any mobile developer knows, manually tracking these updates can be a real burden.

One of our values on Sprout’s engineering team is to act with purpose and focus. In that spirit, we decided to implement a smarter solution so we could spend more time building impactful features for our customers. To accomplish this, we used the automated dependency management first party plugin, Dependabot. Dependabot reduces our volume of outdated dependencies, simplifies the effort needed to update them, and streamlines our overall development process.

Moving away from manual dependency maintenance

In native Android development, dependencies are declared in a build.gradle file. By specifying the dependency we need with its version, Gradle will resolve it from a central repository and retrieve it for us to be able to use within the application. If an Android app is multi-module, each module has its own build.gradle file that declares the dependencies for that module.

Maintaining these dependencies efficiently is critical for a smooth development process and providing customers with an effective social media management application that can keep up with the speed of social. But keeping dependencies up to date becomes a daunting task that requires an assessment of work, version compatibility checks, potential code changes and testing.

Before Dependabot, we had a manual dependency management process. As the complexity of our application increased, so did our time spent on dependency management. It took significant effort for the team to identify the need for a dependency, then process it through our agile development workflows to get it prioritized and up to date. We’d often discover that dependencies needed updates during feature development, which introduced the always dreaded project scope-creep. We needed a better way.

Introducing: Dependabot

Dependency management is not a new concept. Given that most of the work required to manage dependencies is repetitive and monotonous, our team thought this would be the perfect candidate for something that could be automated (without falling into the trap of having to write the automation ourselves).

We found Dependabot suited our needs well—it is a GitHub first-party tool that automatically detects newer versions of dependencies and accounts for any compatibility issues that may be caused by upgrading them. It surfaces any version upgrades as they become available and creates pull requests (PRs) containing information about the upgrade, which we were able to seamlessly integrate into our normal engineering workflow. Suddenly, we didn’t have to spend long hours manually making sure everything was current.

Implementation

Dependabot intelligently analyzes our build.gradle files to determine our dependency tree and creates PRs for any dependencies that need to be updated. In order for the implementation to be a success, we needed a way to carefully review each PR and streamline the merges of the PRs.

A graphic of the decision tree Dependabot uses to identify any dependencies that need to be updated.

During any application release of our Android app, we assign a release manager. We decided to integrate this responsibility into the release manager’s process, with the expectation that up to five dependency upgrades be completed during each release cycle. The release manager reviews the dependency updates uncovered by Dependabot, ensures that our continuous integration tests on the PR pass and there are no breaking library changes, then reviews the upgrades provided by this version bump, and brings the list of PRs to the team for approval to be merged.

The benefits of automation

Automated dependency management is a powerful tool that significantly enhances our development process, and the quality of life of our engineers. It also provides users with high value and the latest features within our native mobile application. With a tool like Dependabot, we streamlined the retrieval, integration and versioning of dependencies, reducing the amount of manual effort engineers have to spend and lowering the chance of conflicts in our dependency tree.

As the complexity of Android projects continues to grow, adopting automated dependency management was a high-value step in order to ensure a world-class development process for our team, and a world-class Android application for our customers.

To learn more about Sprout’s engineering team and culture, visit our careers site.

The post Automating dependency updates with Dependabot appeared first on Sprout Social.



from Sprout Social https://ift.tt/V3W1T5x
via IFTTT

No comments:

Post a Comment