super-productivity/.github/dependabot.yml
Corey Newton 441952f0ed
chore(deps): add cooldown for NPM and GH Actions to reduce supply chain attack risk (#7685)
- Monthly/weekly update frequency reduces the window of exposure but the addition of a cooldown should help narrow it further.
- Implemented as suggested in this gist: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e93104
- I've opted to use the more conservative 3-day cooldown as this is the default in some tools.
- Dependabot needs to be adjusted in combination with .npmrc to avoid creating PRs that can't succeed.

Ref.
https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-
2026-05-20 11:50:30 +02:00

74 lines
1.9 KiB
YAML

# Dependabot configuration for automated dependency updates
# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
version: 2
updates:
# ==========================================
# npm Dependencies (Monthly Updates)
# ==========================================
- package-ecosystem: 'npm'
directory: '/'
schedule:
interval: 'monthly'
day: 'monday'
time: '09:00'
timezone: 'Europe/Berlin'
cooldown:
default-days: 3
open-pull-requests-limit: 10
reviewers:
- 'johannesjo'
labels:
- 'dependencies'
- 'npm'
commit-message:
prefix: 'chore(deps)'
# ==========================================
# GitHub Actions (Weekly Updates - SECURITY)
# ==========================================
# Automatically updates pinned action SHAs when new versions release
# This is critical for security: keeps SHA pins up-to-date with patches
- package-ecosystem: 'github-actions'
directory: '/'
schedule:
interval: 'weekly'
day: 'monday'
time: '09:00'
timezone: 'Europe/Berlin'
cooldown:
default-days: 3
# Limit concurrent PRs to avoid overwhelming maintainers
open-pull-requests-limit: 5
# Require @johannesjo approval (matches CODEOWNERS)
reviewers:
- 'johannesjo'
# Label PRs for easy filtering and security awareness
labels:
- 'dependencies'
- 'security'
- 'github-actions'
# Consistent commit message format
commit-message:
prefix: 'chore(deps)'
include: 'scope'
# Group minor and patch updates together to reduce PR noise
groups:
github-actions-minor:
patterns:
- '*'
update-types:
- 'minor'
- 'patch'
softprops-action-gh-release-major:
patterns:
- 'softprops/action-gh-release'
update-types:
- 'major'