From 064e7d8d4a5ad00fcad8bfdfca0d75dcd6e2d44f Mon Sep 17 00:00:00 2001
From: Jaxxen
Date: Mon, 15 Jun 2026 20:58:45 +0000
Subject: [PATCH] ci: add Dependabot config for GitHub Actions updates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Keep the SHA-pinned actions in the workflows current — pins otherwise go stale silently, with no signal when an action ships a security fix. Dependabot bumps both the SHA and its `# vX.Y.Z` comment. Scope is github-actions only (Dependabot has no Nix flake ecosystem, so flake.lock stays owned by flake-update.yml). Weekly, grouped into one batched PR, opened for manual review — consistent with the repo's no-auto-merge posture; flake-check runs on the PR via pull_request. A 7-day cooldown defers brand-new releases (supply-chain window) while still letting GHSA-driven security updates open immediately.

Co-authored-by: Claude
---
.github/dependabot.yml | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..6da823c
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,22 @@
+# Keep the SHA-pinned GitHub Actions current (security fixes land silently behind a pin).
+# Scope is github-actions ONLY: Dependabot has no Nix flake ecosystem, so flake.lock stays
+# owned by the weekly flake-update.yml workflow. Bumps open as manual-review PRs (consistent
+# with this repo's no-auto-merge posture) and trigger flake-check via pull_request.
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ day: monday # lands alongside the weekly flake-update PR
+ # Supply-chain hardening: don't adopt a brand-new release the instant it lands (the window
+# where a compromised/yanked release is most likely still live). Applies to version updates
+# only — GHSA-driven security updates still open immediately.
+ cooldown:
+ default-days: 7
+ groups:
+ actions:
+ patterns: ["*"] # one batched PR, not one per action
+ commit-message:
+ prefix: ci
+ open-pull-requests-limit: 5
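Review bot: Grouping every action into a single PR with `patterns: ["*"]` means one major bump that needs workflow edits (renamed inputs, a dropped Node runtime) holds back every minor/patch bump in the same PR until someone reworks the group, which works against the "pins go stale silently" concern stated in the header comment. A common refinement keeps the catch-all group for routine bumps and lets majors open on their own, by adding `update-types: ["minor", "patch"]` under `actions:` next to `patterns`. The comment above `cooldown:` states that the 7-day delay applies to version updates only; that matches Dependabot's documented behavior as far as I know, but since `cooldown` is a recently added option it is worth re-checking against the current docs rather than relying on the comment. The nesting under `updates:` is shown here with collapsed whitespace, so the two-space indentation of the sequence item and its children cannot be confirmed from this view.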