harden supply chain by adding dependabot cooldowns and goflag readonly (#92)

Signed-off-by: Eric Pickard <piceri@github.com>

Author: piceri

.github/dependabot.yml

@@ -9,6 +9,8 @@ updates:
         update-types:
           - "minor"
           - "patch"
+    cooldown:
+      default-days: 3
 
   - package-ecosystem: "github-actions"
     directory: "/"
@@ -19,8 +21,17 @@ updates:
         update-types:
           - "minor"
           - "patch"
+    cooldown:
+      default-days: 3
 
   - package-ecosystem: "docker"
     directory: "/"
     schedule:
       interval: "weekly"
+    groups:
+      minor-patch:
+        update-types:
+          - "minor"
+          - "patch"
+    cooldown:
+      default-days: 3

.github/workflows/build.yml

@@ -12,6 +12,8 @@ jobs:
   build:
     name: build
     runs-on: ubuntu-latest
+    env:
+      GOFLAGS: "-mod=readonly"
     permissions:
       contents: read
     steps:
@@ -30,6 +32,8 @@ jobs:
   test:
     name: Test
     runs-on: ubuntu-latest
+    env:
+      GOFLAGS: "-mod=readonly"
     permissions:
       contents: read
     steps:

.github/workflows/lint.yml

@@ -12,6 +12,8 @@ jobs:
   golangci-lint:
     name: lint
     runs-on: ubuntu-latest
+    env:
+      GOFLAGS: "-mod=readonly"
     permissions:
       contents: read
     steps: