From 15934930447d8f8418767eba215187764cb6d8e4 Mon Sep 17 00:00:00 2001 From: Christian <33660027+cl77@users.noreply.github.com> Date: Wed, 15 Apr 2026 09:00:02 +0200 Subject: [PATCH 1/3] chore: add Dependabot config (scheduled + grouped security updates) --- .github/dependabot.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..e5dc759 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,14 @@ +# managed-by: seven-io/isms-tools/scripts/dependabot-rollout.sh +# Dependabot config: scheduled + grouped security updates. Do not edit by hand; +# changes should be made in the script and re-rolled out with FORCE_UPDATE=true. +# See: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "monthly" + open-pull-requests-limit: 2 + groups: + actions-all: + patterns: ["*"] \ No newline at end of file From a66e7a45234910b8e27d9e3059576795fa973c93 Mon Sep 17 00:00:00 2001 From: Christian <33660027+cl77@users.noreply.github.com> Date: Wed, 15 Apr 2026 09:00:04 +0200 Subject: [PATCH 2/3] chore: auto-merge Dependabot patch PRs when CI passes --- .github/workflows/dependabot-auto-merge.yml | 26 +++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 .github/workflows/dependabot-auto-merge.yml diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml new file mode 100644 index 0000000..ff8ea15 --- /dev/null +++ b/.github/workflows/dependabot-auto-merge.yml @@ -0,0 +1,26 @@ +name: Dependabot auto-merge +# pull_request_target is required so that Dependabot-triggered runs get a token +# with write permissions. Safe here because we never check out PR code — we only +# call the gh CLI on the PR metadata. +on: pull_request_target + +permissions: + contents: write + pull-requests: write + +jobs: + dependabot: + runs-on: ubuntu-latest + if: github.actor == 'dependabot[bot]' + steps: + - name: Fetch metadata + id: metadata + uses: dependabot/fetch-metadata@v2 + - name: Enable auto-merge for patch-only updates (version + security) + if: >- + steps.metadata.outputs.update-type == 'version-update:semver-patch' || + steps.metadata.outputs.update-type == 'security-update:semver-patch' + run: gh pr merge --auto --squash "$PR_URL" + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From 700b36840739115f80d84968f715d41309719892 Mon Sep 17 00:00:00 2001 From: Christian <33660027+cl77@users.noreply.github.com> Date: Mon, 25 May 2026 10:14:50 +0000 Subject: [PATCH 3/3] chore: refresh managed Dependabot config --- .github/dependabot.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index e5dc759..b85e12a 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,6 +9,11 @@ updates: schedule: interval: "monthly" open-pull-requests-limit: 2 + cooldown: + default-days: 5 + semver-major-days: 14 + semver-minor-days: 7 + semver-patch-days: 3 groups: actions-all: patterns: ["*"] \ No newline at end of file