
Automatic Security Updates (even with patches)

Backend & Dev-ops
Speaker(s): Albert Albala
Audience Experience Level: Drupal Intermediate

Applying security updates, indeed any update, is cringe-inducing. We apply security updates manually, check whether some previous developer hacked whatever module we're updating (or core), and have to remember to look inside a /patches directory. Then, when we're done updating, we somehow have to confirm that nothing is broken, without any guidance on what we need to check, so we click around our site aimlessly before determining that an update works.

In this talk we will look at a Docker-based approach to managing site assets for local development which guarantees your site is always up-to-date, and fails in case a new version of a module (or core) has an unmet dependency or a patch which no longer applies.

We will look at the idea of a build step which generates code for remote hosting only when needed; we will look at how to write end-to-end tests which guarantee that your critical site functionality never breaks, and how to keep everything under continuous integration.

Finally we will look at how Drupalgeddon-type events can be managed in such a workflow.

To get the most out of this talk, you are encouraged to fork the Dcycle Drupal 8 Starterkit, and open a free Circle CI account.