ci(dependabot): require 7-day cooldown for dependency upgrades

[kozlek]

Mitigate supply chain attacks by waiting 7 days before adopting any new dependency release. Most compromised packages are detected and yanked within hours-to-days of publication, so a release-age delay catches the overwhelming majority of malicious releases.

Security updates bypass this delay automatically — Dependabot's cooldown option is documented as "only available for version updates, not security updates", so CVE fixes still ship without waiting.

Mirrors the equivalent change in the Mergify monorepo (which uses Renovate's minimumReleaseAge): Mergifyio/mergify#31013.

[mergify]

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Approval

Wonderful, this rule succeeded.

• #approved-reviews-by >= 2

🟢 Continuous Integration

Wonderful, this rule succeeded.

• all of:
  • check-success = test (3.1)
  • check-success = test (3.2)
  • check-success = test (3.3)
  • check-success = test (3.4)

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

• title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|ui)(?:\(.+\))?:

🟢 🔎 Reviews

Wonderful, this rule succeeded.

• #changes-requested-reviews-by = 0
• #review-requested = 0
• #review-threads-unresolved = 0

🟢 📕 PR description

Wonderful, this rule succeeded.

• body ~= (?ms:.{48,})

[Copilot]

Pull request overview

This PR updates the repository’s Dependabot configuration to introduce a 7-day cooldown period for dependency update pull requests, aiming to reduce the frequency of upgrade PRs while keeping the daily check schedule.

Changes:

• Added a cooldown configuration with default-days: 7 for Bundler updates.
• Added the same cooldown configuration for GitHub Actions updates.

Comments suppressed due to low confidence (1)

.github/dependabot.yml:19

• Same concern as above: please confirm cooldown is a supported Dependabot config key for github-actions updates; otherwise this may invalidate the config and halt updates. If the intent is weekly updates, setting schedule.interval: weekly is the safest built-in approach.

    cooldown:
      default-days: 7

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-05-22 09:52 UTC · Rule: default
• ✅ Checks skipped · PR is already up-to-date
• ✅ Merged — 2026-05-22 09:53 UTC · at 78eec1f05bd9dcc90aedeeef642680231e052d14 · squash

This pull request spent 19 seconds in the queue, including 4 seconds running CI.

Required conditions to merge

• all of [🛡 Merge Protections rule Approval]:
  • #approved-reviews-by >= 2
    • ci(dependabot): require 7-day cooldown for dependency upgrades #8
• all of [🛡 Merge Protections rule Continuous Integration]:
  • all of:
    • check-success = test (3.1)
    • check-success = test (3.2)
    • check-success = test (3.3)
    • check-success = test (3.4)
• all of [🛡 Merge Protections rule Enforce conventional commit]:
  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|ui)(?:\(.+\))?:
    • ci(dependabot): require 7-day cooldown for dependency upgrades #8
• all of [🛡 Merge Protections rule 📕 PR description]:
  • body ~= (?ms:.{48,})
    • ci(dependabot): require 7-day cooldown for dependency upgrades #8
• all of [🛡 Merge Protections rule 🔎 Reviews]:
  • #changes-requested-reviews-by = 0
    • ci(dependabot): require 7-day cooldown for dependency upgrades #8
  • #review-requested = 0
    • ci(dependabot): require 7-day cooldown for dependency upgrades #8
  • #review-threads-unresolved = 0
    • ci(dependabot): require 7-day cooldown for dependency upgrades #8