From 19c367d0c46ac3a646b4a41273939628b323823b Mon Sep 17 00:00:00 2001
From: Eric Pickard
Date: Tue, 2 Jun 2026 16:48:49 -0400
Subject: [PATCH] harden supply chain by adding dependabot cooldowns and goflag readonly

Signed-off-by: Eric Pickard
---
 .github/dependabot.yml | 11 +++++++++++
 .github/workflows/build.yml | 4 ++++
 .github/workflows/lint.yml | 2 ++
 3 files changed, 17 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d902552..4e9d323 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,6 +9,8 @@ updates:
 update-types:
 - "minor"
 - "patch"
+ cooldown:
+ default-days: 3
 
 - package-ecosystem: "github-actions"
 directory: "/"
@@ -19,8 +21,17 @@ updates:
 update-types:
 - "minor"
 - "patch"
+ cooldown:
+ default-days: 3
 
 - package-ecosystem: "docker"
 directory: "/"
 schedule:
 interval: "weekly"
+ groups:
+ minor-patch:
+ update-types:
+ - "minor"
+ - "patch"
+ cooldown:
+ default-days: 3
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 030b18a..05f8439 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -12,6 +12,8 @@ jobs:
 build:
 name: build
 runs-on: ubuntu-latest
+ env:
+ GOFLAGS: "-mod=readonly"
 permissions:
 contents: read
 steps:
@@ -30,6 +32,8 @@ jobs:
 test:
 name: Test
 runs-on: ubuntu-latest
+ env:
+ GOFLAGS: "-mod=readonly"
 permissions:
 contents: read
 steps:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 8cd44c1..b88849b 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -12,6 +12,8 @@ jobs:
 golangci-lint:
 name: lint
 runs-on: ubuntu-latest
+ env:
+ GOFLAGS: "-mod=readonly"
 permissions:
 contents: read
 steps:
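Review bot: The new `cooldown` blocks set only `default-days: 3`, which is a short window for the stated goal of not picking up a freshly published (and possibly yanked or compromised) release; the same applies to the second dependabot hunk for the github-actions and docker entries. Consider a longer per-type setting such as `semver-major-days` alongside the default, and record the reasoning in the file, since a bare number will drift without explanation. A comment above each `cooldown:` along the lines of `# delay proposing a new release for N days so that pulled or reported versions are less likely to be adopted` would do. Note also that cooldown only delays the PRs Dependabot opens; it does not constrain what `go get` or the CI jobs fetch, so go.sum verification remains the actual integrity check, and if Dependabot security updates are enabled for this repository it is worth checking the documentation on whether the cooldown delays those as well.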
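Review bot: The `groups: minor-patch` added to the docker entry keys on `update-types`, which Dependabot can only apply to image tags it can interpret as semver; suffixed or date-based tags may fall outside the group and still arrive as individual PRs, so this should be checked against the tags actually used in the Dockerfile, which is outside this diff. Grouping base-image bumps also means a single PR can carry several image changes, so a reviewer will need to check each updated image reference on its own rather than treating the grouped PR as one change. A short comment, `# grouping by update-types only applies to semver-like image tags`, would save the next maintainer the lookup.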
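Review bot: `GOFLAGS: "-mod=readonly"` on the build job (and identically on the test job and in lint.yml) restates what recent Go toolchains already do by default when a go.mod is present and there is no vendor directory, so it mainly guards against a step explicitly passing `-mod=mod`; it does not verify the contents of downloaded modules, and if this repository does have a `vendor/` directory the flag overrides the default `-mod=vendor` and makes the jobs fetch modules instead, which would be the opposite of the intent. For the hardening the subject line describes, a `go mod verify` step and confirming that `GOSUMDB` is not disabled in these jobs are the checks that actually catch a tampered module cache; the steps of all three jobs are outside the hunks, so I could not confirm whether such a step exists. Since both jobs in build.yml receive the same two lines, a workflow-level `env:` block would keep the setting in one place: `env:` / `  GOFLAGS: "-mod=readonly"` at the top of the file. A comment such as `# fail rather than silently editing go.mod/go.sum during CI` would record the intent next to the value.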