From eb911c9d9178d61fa6d9dcb199462e4d5d1629b1 Mon Sep 17 00:00:00 2001
From: Christian <33660027+cl77@users.noreply.github.com>
Date: Wed, 15 Apr 2026 09:01:21 +0200
Subject: [PATCH 1/3] chore: add Dependabot config (scheduled + grouped security updates)

---
 .github/dependabot.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..fb1a600
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,20 @@
+# managed-by: seven-io/isms-tools/scripts/dependabot-rollout.sh
+# Dependabot config: scheduled + grouped security updates. Do not edit by hand;
+# changes should be made in the script and re-rolled out with FORCE_UPDATE=true.
+# See: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    groups:
+      security-all:
+        applies-to: security-updates
+        patterns: ["*"]
+      minor-patch:
+        applies-to: version-updates
+        patterns: ["*"]
+        update-types: ["minor", "patch"]
\ No newline at end of file

From 5d743d9f51a7f8078ec6b2a7fa7abfe94ba55800 Mon Sep 17 00:00:00 2001
From: Christian <33660027+cl77@users.noreply.github.com>
Date: Wed, 15 Apr 2026 09:01:22 +0200
Subject: [PATCH 2/3] chore: auto-merge Dependabot patch PRs when CI passes

---
 .github/workflows/dependabot-auto-merge.yml | 26 +++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 .github/workflows/dependabot-auto-merge.yml

diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
new file mode 100644
index 0000000..ff8ea15
--- /dev/null
+++ b/.github/workflows/dependabot-auto-merge.yml
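Review bot: `security-all` with `patterns: ["*"]` folds every pending security update into a single PR, so one bump that fails CI, or one that happens to be a major bump, holds back every other security fix in the group until a person intervenes; the auto-merge workflow in the second patch only merges the group when its highest bump is a patch. That is a defensible trade-off for PR volume, but it should be stated where the next maintainer will see it, and since the header says the file is script-managed the sentence belongs in the rollout template, e.g. `# security-all: one PR for all security updates — a failing or major bump in the group holds the rest back until reviewed`. If independent, fast merging of security fixes matters more than PR count, drop the group and let Dependabot open them one at a time. The generated file also ends without a trailing newline (`\ No newline at end of file`), which the template should emit.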
@@ -0,0 +1,26 @@
+name: Dependabot auto-merge
+# pull_request_target is required so that Dependabot-triggered runs get a token
+# with write permissions. Safe here because we never check out PR code — we only
+# call the gh CLI on the PR metadata.
+on: pull_request_target
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    steps:
+      - name: Fetch metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+      - name: Enable auto-merge for patch-only updates (version + security)
+        if: >-
+          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
+          steps.metadata.outputs.update-type == 'security-update:semver-patch'
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file

From e06893ddab4af6d6b0aa916f2b935d264f1d7a7c Mon Sep 17 00:00:00 2001
From: Christian <33660027+cl77@users.noreply.github.com>
Date: Mon, 25 May 2026 10:10:00 +0000
Subject: [PATCH 3/3] chore: refresh managed Dependabot config

---
 .github/dependabot.yml | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index fb1a600..64b3c47 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -10,6 +10,11 @@ updates:
       interval: "weekly"
       day: "monday"
     open-pull-requests-limit: 5
+    cooldown:
+      default-days: 5
+      semver-major-days: 14
+      semver-minor-days: 7
+      semver-patch-days: 3
     groups:
       security-all:
         applies-to: security-updates
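Review bot: `uses: dependabot/fetch-metadata@v2` is resolved through a mutable tag, yet that step runs under `pull_request_target` with `contents: write` and `pull-requests: write`, so whoever can move the tag runs code with a write-capable `GITHUB_TOKEN` against this repository; pin it to a full commit SHA, e.g. `uses: dependabot/fetch-metadata@<full-commit-sha> # v2`, and let the `github-actions` Dependabot entry added in the third patch keep the pin current. The header comment justifies `pull_request_target` by the absence of a checkout, but the `if: github.actor == 'dependabot[bot]'` job guard is the other half of that argument and deserves a sentence there, e.g. `# The job-level actor check keeps third-party PRs from ever reaching the step below.` The second alternative in the step's `if:` compares against `security-update:semver-patch`; I cannot confirm that fetch-metadata ever emits a `security-update:` prefix in `update-type`, so check its documented values against a real Dependabot security PR — if it never matches, that branch is dead code and security patches auto-merge only when Dependabot reports them as `version-update:semver-patch`.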
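Review bot: The new `cooldown` block is undocumented, and a reader can take `semver-patch-days: 3` to mean security patches are also held back for three days; as I read the Dependabot documentation, cooldown governs version updates only and does not delay security updates, but please confirm that before relying on it. Because the header comment says the file is script-managed, the clarifying line belongs in the rollout script's template rather than in this file, e.g. `# cooldown delays version updates only; Dependabot security updates are not held back`. The same four-line block is repeated verbatim for the `github-actions` entry in the next hunk; with a generated file, keeping the two copies in step is the script's job, which is a better answer than YAML anchors that some tooling does not expand.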
@@ -17,4 +22,17 @@ updates:
       minor-patch:
         applies-to: version-updates
         patterns: ["*"]
-        update-types: ["minor", "patch"]
\ No newline at end of file
+        update-types: ["minor", "patch"]
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 2
+    cooldown:
+      default-days: 5
+      semver-major-days: 14
+      semver-minor-days: 7
+      semver-patch-days: 3
+    groups:
+      actions-all:
+        patterns: ["*"]
\ No newline at end of file
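Review bot: The `actions-all` group has no `update-types`, so a major bump of one action lands in the same grouped PR as routine patch bumps; fetch-metadata reports the highest bump in a grouped PR, so a single major blocks auto-merge for the whole group and a reviewer then has to separate the breaking change from the noise. Mirror the pip entry by adding `applies-to: version-updates` and `update-types: ["minor", "patch"]` under `actions-all`, so majors arrive one PR each and the patch-only group can keep auto-merging. With that split, `open-pull-requests-limit: 2` has to leave room for a single-major PR next to the grouped one, so consider whether two is enough. The file still ends without a trailing newline, which the rollout template should emit.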