From 75c0f1409f8ab727908f8039fa0bf6b7d5563558 Mon Sep 17 00:00:00 2001
From: Miguel Martinez Trivino
Date: Mon, 8 Jun 2026 11:04:45 +0200
Subject: [PATCH] chore(deps): add dependabot config with 7-day cooldown

Adds a Dependabot version-update configuration, which the repository did not previously have. Enables weekly version updates for the root Go module with a 7-day cooldown so newly published versions are not proposed immediately, reducing exposure to freshly released or potentially compromised releases. Minor and patch bumps are grouped into a single PR to reduce noise; major updates remain individual PRs.

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino
Chainloop-Trace-Sessions: 8d8f7537-5f10-42f6-b252-41decfb16de5
---
 .github/dependabot.yml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..d05673ace
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,31 @@
+# Dependabot configuration for version updates.
+# Docs: https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+version: 2
+
+updates:
+  # Go modules. The root go.mod is a single module covering the control plane,
+  # CLI, artifact CAS, and the shared pkg/ libraries.
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 10
+    # Wait 7 days after a version is published before proposing it. This limits
+    # exposure to freshly released (and potentially compromised) versions.
+    cooldown:
+      default-days: 7
+    # Bundle minor and patch bumps into a single PR to cut noise; majors stay
+    # as individual PRs so they get reviewed on their own.
+    groups:
+      go-minor-and-patch:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+    labels:
+      - "dependencies"
+      - "go"
+    commit-message:
+      prefix: "chore(deps)"
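Review bot: Only the `gomod` ecosystem is listed under `updates`, so action references in any workflows under `.github/workflows` would receive no version updates, which matters most when actions are pinned by commit SHA and rely on Dependabot for periodic bumps; if the repository has workflows, add a second entry for `package-ecosystem: "github-actions"` with the same schedule and cooldown, as in the excerpt below. The cooldown comment could also state what it does not cover: to my understanding `cooldown` delays version updates only and Dependabot security updates are raised regardless, so a line such as `# Security updates are not subject to the cooldown and still arrive immediately.` would set expectations — confirm against the docs linked at the top of the file. One grouped PR also means a single failing minor bump blocks every other bump in the group, and for Go modules still at v0.x a minor bump may be breaking, so expect to reach for `ignore` or a narrower `patterns` list if the grouped PR becomes hard to merge.
```yaml
updates:
  # … unchanged: gomod entry …
  # GitHub Actions referenced by workflows under .github/workflows.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    cooldown:
      default-days: 7
    labels:
      - "dependencies"
    commit-message:
      prefix: "chore(deps)"
```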