Automation of Django security patches?

Tomorrow a Django security update is expected (3.2.11). I will be applying it to Maple semi-manually as I have usually done (for example: Django 2.2.19 security update). In the past, people have mentioned automating this process somehow.

Is anyone interested in trying this? It wouldn’t be for tomorrow’s patch, but the idea keeps coming up, so maybe in time for the next one?

Will be looking at this with @Maksim_Sokolskiy. What time works for you Tuesday 8th of Feb?

On Tuesday we successfully updated Django to 3.2.14 3.2.12 on the maple release branch.

A couple of things we had to figure out on the fly during the process:

  • How to clone all the release repos - We used a modified version of Can we had a script in the repo-tools to do that?
  • We had to edx-certificates in the list of repos which is archived. Let’s make sure we have an up-to-date list of repos easy to access.
  • The script made changes to edx-app-ios (@Maksim_Sokolskiy did you find out why?)

Going forward, we’re looking to automate this process using GitHub actions. The process will still require a manual “approval” step where one (or two) BTR members will need to review the changes made before they get pushed.

Next step

I think the next step for us is to figure out how to create a GitHub action flow with a manual step in the middle. What do you think @Maksim_Sokolskiy?


In the repo-tools repo is a “clone_org” command which clones entire organizations, with some options. It doesn’t yet have a way to limit to repos that need tagging.

But: do you need to clone the repos? Maybe I’m forgetting, but I thought tag_release worked entirely on the GitHub API and not with local repos.

It’s not about tagging a release but about the security patching flow. So we need to have all repos in place to commit new things. And yes, I also understood that clone_org does the thing after seeing this PR: feat(clone_org): a --forks-only flag by nedbat · Pull Request #259 · openedx/repo-tools · GitHub

Haven’t dived into this yet. Will try to re-do the flow and analyse what had happened. (We had a lot of deleted .pyc files in the edx-app-ios repo and gittreeif committed it w/o any questions.)

It’s totally it - we will try to automate the flow in GitHub Actions with one extra step to confirm all commits are going to be pushed.