From 88f9a32ccccf5732d02b53af4324c0b968a4ab7d Mon Sep 17 00:00:00 2001
From: Kevin Dew
Date: Mon, 27 Apr 2026 13:52:14 +0100
Subject: [PATCH] Add cooldown for dependabot

The GOV.UK programme is now suggesting the use of dependabot cooldowns to help mitigate against supply chain attacks see: https://docs.publishing.service.gov.uk/manual/manage-dependencies.html#configuring-dependabot-for-your-repository This excludes the govuk dependencies so they can stay current.
---
 .github/dependabot.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 57cb5c5d7..2ea65a084 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,14 +6,25 @@ updates:
 directory: /
 schedule:
 interval: daily
+ cooldown:
+ default-days: 3
+ exclude:
+ - gds-api-adapters
+ - gds-sso
+ - govuk_*
+ - rubocop-govuk
 - package-ecosystem: npm
 directory: /
 schedule:
 interval: daily
+ cooldown:
+ default-days: 3
 - package-ecosystem: github-actions
 directory: /
 schedule:
 interval: weekly
+ cooldown:
+ default-days: 3
 registries:
 github:
 type: git
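Review bot: The `govuk_*` entry under `exclude` in the first (bundler) block matches on a gem-name prefix, not on who publishes the gem, so as far as the pattern shows any dependency whose name starts with `govuk_` skips the 3-day cooldown. The four excluded names get no delay at all, so the cooldown gives no protection if one of those packages ships a bad release; the file does not say that this trade-off was accepted. I would record it in a comment above `exclude:`, for example `# GOV.UK-maintained gems skip the cooldown to stay current; confirm every govuk_* match is GOV.UK-owned`. The first update entry starts above the hunk, so its `package-ecosystem` line is not visible here.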