We use dependencies.io to monitor external repositories and open a merge request to the appropriate project when an upgrade is released.
The projects currently using this are
Each repository contains at least two files
When a merge request for the project is opened, it should automatically assign to
mention the Distribution team. The pipelines are configured to automatically build and test (where appropriate) a project using the new software.
It is the responsibility of the entire Distribution team to ensure the merge requests are handled in a timely fashion. Team members should assign available merge requests to themselves when they are going to work on them. The team member needs to determine the appropriate milestone to target for the upgrade, and verify the new software version works as expected. If everything looks good, a CHANGELOG entry should be added, and the merge request assigned to a maintainer.
The pipeline for the merge requests should run a triggered pipeline, which will build a package, and run gitlab-qa against the package. Depending on the software, manual testing may be required. Once satisfied, a CHANGELOG entry should be made, and the merge request should be assigned to a maintainer.
The pipeline will build a new set of images using the required software. An instance of the helm charts should be started, and testing done against that instance. Once complete, the MR should be assigned to a maintainer for merging.