partial revert #560

Author: kevinjqliu

.github/dependabot.yml

@@ -35,5 +35,3 @@ updates:
       - dependency-name: "cpp-linter/cpp-linter-action"
         versions: ">=2.16"
     open-pull-requests-limit: 50
-    cooldown:
-      default-days: 7

README.md

@@ -8,7 +8,6 @@ This repository hosts GitHub Actions developed by the ASF community and approved
   - [Adding a New Action](#adding-a-new-action-to-the-allow-list)
   - [Reviewing](#reviewing)
   - [Adding a New Version](#adding-a-new-version-to-the-allow-list)
-    - [Dependabot Cooldown Period](#dependabot-cooldown-period)
   - [Manual Version Addition](#manual-addition-of-specific-versions)
   - [Removing a Version](#removing-a-version-manually)
 
@@ -101,66 +100,6 @@ In most cases, new versions are automatically added through Dependabot:
 
 Projects are encouraged to help review updates to actions they use. Please have a look at the diff and mention in your approval what you have checked and why you think the action is safe.
 
-#### Verifying Compiled JavaScript
-
-Many GitHub Actions ship pre-compiled JavaScript in their `dist/` directory. To verify that the published compiled JS matches a clean rebuild from source, use the verification script:
-
-```bash
-uv run utils/verify-action-build.py org/repo@commit_hash
-```
-
-For example:
-
-```bash
-uv run utils/verify-action-build.py dorny/test-reporter@dc3a92680fcc15842eef52e8c4606ea7ce6bd3f3
-```
-
-The script will:
-1. Clone the action at the specified commit inside an isolated Docker container
-2. Save the original `dist/` files as published in the repository
-3. Rebuild the action from source (`npm ci && npm run build`)
-4. Reformat both versions of the JavaScript for readable comparison
-5. Show a colored diff of any differences
-
-A clean result confirms that the compiled JS was built from the declared source. Any differences will be flagged for manual inspection.
-
-#### Batch-Reviewing Dependabot PRs
-
-To review all open dependabot PRs at once, run:
-
-```bash
-uv run utils/verify-action-build.py --check-dependabot-prs
-```
-
-This will:
-1. List all open PRs from dependabot
-2. For each PR, extract the action reference from the diff
-3. Run the full build verification (rebuild in Docker, compare compiled JS)
-4. Show source changes between the previously approved version and the new one
-5. If verification passes, ask whether to approve and merge the PR
-6. On merge, add a review comment documenting what was verified
-
-> [!NOTE]
-> **Prerequisites:** `docker`, `uv`, and `gh` (GitHub CLI, authenticated via `gh auth login`).
-> The build runs in a `node:20-slim` container so no local Node.js installation is needed.
-
-#### Dependabot Cooldown Period
-
-This repository uses a [Dependabot cooldown period](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#cooldown) of 7 days. After a Dependabot PR is merged or closed, Dependabot will wait 7 days before opening the next PR for the same ecosystem. This helps keep the volume of update PRs manageable and gives reviewers time to catch up.
-
-> [!TIP]
-> We recommend that ASF projects configure a similar cooldown in their own `dependabot.yml` to avoid being overwhelmed by update PRs and to catch up with approved actions here:
-> ```yaml
-> updates:
->   - package-ecosystem: "github-actions"
->     directory: "/"
->     schedule:
->       interval: "weekly"
->     cooldown:
->       default-days: 7
-> ```
-> Adjust the `default-days` value to match your project's review capacity.
-
 ### Manual Addition of Specific Versions
 
 If you need to add a specific version of an already approved action (especially an older one):