mirror of
https://github.com/johannesjo/super-productivity.git
synced 2026-07-17 16:37:43 +00:00
- Monthly/weekly update frequency reduces the window of exposure but the addition of a cooldown should help narrow it further. - Implemented as suggested in this gist: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e93104 - I've opted to use the more conservative 3-day cooldown as this is the default in some tools. - Dependabot needs to be adjusted in combination with .npmrc to avoid creating PRs that can't succeed. Ref. https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-
74 lines
1.9 KiB
YAML
74 lines
1.9 KiB
YAML
# Dependabot configuration for automated dependency updates
|
|
# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
|
|
|
|
version: 2
|
|
updates:
|
|
# ==========================================
|
|
# npm Dependencies (Monthly Updates)
|
|
# ==========================================
|
|
- package-ecosystem: 'npm'
|
|
directory: '/'
|
|
schedule:
|
|
interval: 'monthly'
|
|
day: 'monday'
|
|
time: '09:00'
|
|
timezone: 'Europe/Berlin'
|
|
cooldown:
|
|
default-days: 3
|
|
open-pull-requests-limit: 10
|
|
|
|
reviewers:
|
|
- 'johannesjo'
|
|
|
|
labels:
|
|
- 'dependencies'
|
|
- 'npm'
|
|
|
|
commit-message:
|
|
prefix: 'chore(deps)'
|
|
|
|
# ==========================================
|
|
# GitHub Actions (Weekly Updates - SECURITY)
|
|
# ==========================================
|
|
# Automatically updates pinned action SHAs when new versions release
|
|
# This is critical for security: keeps SHA pins up-to-date with patches
|
|
- package-ecosystem: 'github-actions'
|
|
directory: '/'
|
|
schedule:
|
|
interval: 'weekly'
|
|
day: 'monday'
|
|
time: '09:00'
|
|
timezone: 'Europe/Berlin'
|
|
cooldown:
|
|
default-days: 3
|
|
# Limit concurrent PRs to avoid overwhelming maintainers
|
|
open-pull-requests-limit: 5
|
|
|
|
# Require @johannesjo approval (matches CODEOWNERS)
|
|
reviewers:
|
|
- 'johannesjo'
|
|
|
|
# Label PRs for easy filtering and security awareness
|
|
labels:
|
|
- 'dependencies'
|
|
- 'security'
|
|
- 'github-actions'
|
|
|
|
# Consistent commit message format
|
|
commit-message:
|
|
prefix: 'chore(deps)'
|
|
include: 'scope'
|
|
|
|
# Group minor and patch updates together to reduce PR noise
|
|
groups:
|
|
github-actions-minor:
|
|
patterns:
|
|
- '*'
|
|
update-types:
|
|
- 'minor'
|
|
- 'patch'
|
|
softprops-action-gh-release-major:
|
|
patterns:
|
|
- 'softprops/action-gh-release'
|
|
update-types:
|
|
- 'major'
|