I update my installation roughly daily, but I have a relatively small (and forgiving) community and I generally have the time to work out small errors or appropriately convey my panic in the forum of a #bug report here.
Exceptions are made in the case of particularly large updates (e.g. the recent vdom update) or ones that I’ve decided are in some way likely to give me an unusual amount of trouble.
Updating this way though isn’t really necessary at all, I just like shiny new things, and it rarely gives me any trouble (and so far no trouble that hasn’t been resolved in short order).
Discourse alone once a week. Every two months I recommend SSH’ing in and doing
./launcher rebuild app
As far as Ubuntu updates, make sure you have automatic security updates enabled for your Ubuntu. I don’t find apt-get dist-upgrade to be that risky, despite what @webeindustry said, but it shouldn’t be necessary very often. So to summarize:
update Discourse weekly (if you want) via web updater
update the container every two months
update the OS every six months
You could double these numbers and still be fairly safe, e.g. update container every 4 months, OS once every 12 months, and so on.
But you really, really want automatic security updates enabled in Ubuntu – all our DO installs that I touch already have this but the command is dpkg-reconfigure -plow unattended-upgrades.
As long as you don’t do it too frequently and go over which packages will be removed and upgraded you take little risk. The fairly high risk would be in setting up a policy to dist-upgrade without inspecting at a high interval like daily or weekly. Personally I would setup my own repository of specific package versions need be for rigs with an identical test rig to try out individual new package upgrades. If success, pull the new branch of packages on the production rigs, but that’s beyond the scope of your average single vps forum hoster.