|
| 1 | +# This file is adapted from the same file in element-hq/synapse: |
| 2 | +# https://github.com/element-hq/synapse/blob/2e9b8202f0a1a8ceba9f02bb5ec227498d51dcbd/.github/dependabot.yml |
| 3 | +# But updated to remove `pip` and `cargo` ecosystems, and introduce `gomod`. |
| 4 | +version: 2 |
| 5 | +# As dependabot is currently only run on a weekly basis, we raise the |
| 6 | +# open-pull-requests-limit to 10 (from the default of 5) to better ensure we |
| 7 | +# don't continuously grow a backlog of updates. |
| 8 | +updates: |
| 9 | + package-ecosystem: "gomod" |
| 10 | + directory: "/" |
| 11 | + open-pull-requests-limit: 10 |
| 12 | + schedule: |
| 13 | + interval: "weekly" |
| 14 | + # Group patch updates to packages together into a single PR, as they rarely |
| 15 | + # if ever contain breaking changes that need to be reviewed separately. |
| 16 | + # |
| 17 | + # Less PRs means a streamlined review process. |
| 18 | + # |
| 19 | + # The Go ecosystem is special in that breaking changes are often introduced |
| 20 | + # in minor version bumps, as packages typically stay pre-1.0 for a long time. |
| 21 | + # Thus we specifically keep minor version bumps separate in their own PRs. |
| 22 | + groups: |
| 23 | + minor-and-patches: |
| 24 | + applies-to: version-updates |
| 25 | + patterns: |
| 26 | + - "*" |
| 27 | + update-types: |
| 28 | + - "minor" |
| 29 | + - "patch" |
| 30 | + # Prevent pulling packages that were recently updated to help mitigate |
| 31 | + # supply chain attacks. 14 days was taken from the recommendation at |
| 32 | + # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns |
| 33 | + # where the author noted that 9/10 attacks would have been mitigated by a |
| 34 | + # two week cooldown. |
| 35 | + # |
| 36 | + # The cooldown only applies to general updates; security updates will still |
| 37 | + # be pulled in as soon as possible. |
| 38 | + cooldown: |
| 39 | + default-days: 14 |
| 40 | + |
| 41 | + - package-ecosystem: "docker" |
| 42 | + directory: "/docker" |
| 43 | + open-pull-requests-limit: 10 |
| 44 | + schedule: |
| 45 | + interval: "weekly" |
| 46 | + # For container versions, breaking changes are also typically only introduced in major |
| 47 | + # package bumps. |
| 48 | + groups: |
| 49 | + minor-and-patches: |
| 50 | + applies-to: version-updates |
| 51 | + patterns: |
| 52 | + - "*" |
| 53 | + update-types: |
| 54 | + - "minor" |
| 55 | + - "patch" |
| 56 | + cooldown: |
| 57 | + default-days: 14 |
| 58 | + |
| 59 | + - package-ecosystem: "github-actions" |
| 60 | + directory: "/" |
| 61 | + open-pull-requests-limit: 10 |
| 62 | + schedule: |
| 63 | + interval: "weekly" |
| 64 | + # Similarly for GitHub Actions, breaking changes are typically only introduced in major |
| 65 | + # package bumps. |
| 66 | + groups: |
| 67 | + minor-and-patches: |
| 68 | + applies-to: version-updates |
| 69 | + patterns: |
| 70 | + - "*" |
| 71 | + update-types: |
| 72 | + - "minor" |
| 73 | + - "patch" |
| 74 | + cooldown: |
| 75 | + default-days: 14 |
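Review bot: The gomod group (lines 22–29) contradicts the comment directly above it: lines 19–21 say minor bumps are deliberately kept in their own PRs because pre-1.0 Go modules break on minors, yet `update-types` still lists `- "minor"` next to `- "patch"`, so those potentially breaking bumps land in the same grouped PR as patches and get the reduced per-module review the grouping is meant to justify. Either drop `- "minor"` and rename the group to `patches`, or rewrite the comment to say minors are grouped for this ecosystem; the docker and github-actions groups (lines 48–55, 66–73) can keep `minor` since their comments make the opposite claim. Separately, line 9 `package-ecosystem: "gomod"` appears to lack the leading `- ` that the entries on lines 41 and 59 have; if that is not a rendering artifact, `updates:` parses as a mapping followed by sequence items and Dependabot will reject the config rather than run any of it, cooldown included. The file header for this section is not visible in this chunk, so I am assuming lines 1–75 are the complete new file.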