Commit 4866644
chore: Add Dependabot version-update cooldown (#226)
This pull request was auto generated by the LaunchDarkly Github
Standards automation platform.
* Ensure every entry under `updates` in `.github/dependabot.yml`
declares a cooldown of at least 7 days (default-days).
* Add entries for detected package ecosystems that were not yet tracked
by Dependabot.
Cooldown applies only to version updates; security updates bypass it, so
critical CVE fixes are never delayed.
Ref: SEC-8058.
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> CI-only dependency automation; security updates bypass the cooldown,
so critical action CVEs are not intentionally delayed.
>
> **Overview**
> Introduces **`.github/dependabot.yml`** to enable automated **GitHub
Actions** dependency updates on a **weekly** schedule.
>
> Adds a **7-day cooldown** (`default-days: 7`) on version bumps so
Dependabot does not flood the repo with rapid action upgrades. Per the
PR intent, **security updates are not subject to this cooldown**, so
urgent fixes can still land immediately.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
e38a911. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
Co-authored-by: ld-repository-standards[bot] <113625520+ld-repository-standards[bot]@users.noreply.github.com>
Co-authored-by: Andrey Belonogov <abelonogov@launchdarkly.com>1 parent e8ab4eb commit 4866644
1 file changed
Lines changed: 8 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
0 commit comments