From d0824a405178ea7a1f76ba6bfc813d37a23e6740 Mon Sep 17 00:00:00 2001
From: Christian <33660027+cl77@users.noreply.github.com>
Date: Wed, 15 Apr 2026 09:00:20 +0200
Subject: [PATCH 1/3] chore: add Dependabot config (scheduled + grouped security updates)
---
 .github/dependabot.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..9e45326
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,23 @@
+# managed-by: seven-io/isms-tools/scripts/dependabot-rollout.sh
+# Dependabot config: scheduled + grouped security updates. Do not edit by hand;
+# changes should be made in the script and re-rolled out with FORCE_UPDATE=true.
+# See: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+version: 2
+updates:
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ open-pull-requests-limit: 5
+ groups:
+ security-all:
+ applies-to: security-updates
+ patterns: ["*"]
+ minor-patch:
+ applies-to: version-updates
+ patterns: ["*"]
+ update-types: ["minor", "patch"]
+ ignore:
+ - dependency-name: "@seven/*"
+ - dependency-name: "@sms77/*"
\ No newline at end of file
From 7d046f3f8ff261a5b49ebfde939fe69067eae68c Mon Sep 17 00:00:00 2001
From: Christian <33660027+cl77@users.noreply.github.com>
Date: Wed, 15 Apr 2026 09:00:21 +0200
Subject: [PATCH 2/3] chore: auto-merge Dependabot patch PRs when CI passes
---
 .github/workflows/dependabot-auto-merge.yml | 26 +++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 .github/workflows/dependabot-auto-merge.yml
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
new file mode 100644
index 0000000..ff8ea15
--- /dev/null
+++ b/.github/workflows/dependabot-auto-merge.yml
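Review bot: The `ignore` entries for `@seven/*` and `@sms77/*` at the end of the hunk suppress Dependabot security-advisory PRs for those scopes as well, not only routine version bumps — as I read the Dependabot docs, `ignore` is among the options applied to both update kinds, so a vulnerable first-party package would get no PR at all from this config. If that is the intent (first-party packages are patched through their own release process), it deserves a comment next to the list, e.g. `# ignore also suppresses security-update PRs for these scopes`; if not, narrow each entry with `update-types` instead of ignoring the whole scope. Because the header marks the file as generated by dependabot-rollout.sh, the comment belongs in that script so it survives the next `FORCE_UPDATE=true` roll-out.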
@@ -0,0 +1,26 @@
+name: Dependabot auto-merge
+# pull_request_target is required so that Dependabot-triggered runs get a token
+# with write permissions. Safe here because we never check out PR code — we only
+# call the gh CLI on the PR metadata.
+on: pull_request_target
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ dependabot:
+ runs-on: ubuntu-latest
+ if: github.actor == 'dependabot[bot]'
+ steps:
+ - name: Fetch metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v2
+ - name: Enable auto-merge for patch-only updates (version + security)
+ if: >-
+ steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
+ steps.metadata.outputs.update-type == 'security-update:semver-patch'
+ run: gh pr merge --auto --squash "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
From c38b373e13a267be9a0f5cb5d239f44de6e3bc8c Mon Sep 17 00:00:00 2001
From: Christian <33660027+cl77@users.noreply.github.com>
Date: Mon, 25 May 2026 10:07:32 +0000
Subject: [PATCH 3/3] chore: refresh managed Dependabot config
---
 .github/dependabot.yml | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 9e45326..e033f4c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -10,6 +10,14 @@ updates:
 interval: "weekly"
 day: "monday"
 open-pull-requests-limit: 5
+ # Supply-chain hardening: delay new releases so yanked/compromised
+ # packages (e.g. nx 2024, shai-hulud worm 2025) get detected upstream
+ # before we bump. Security-advisory updates are NOT delayed by cooldown.
+ cooldown:
+ default-days: 5
+ semver-major-days: 14
+ semver-minor-days: 7
+ semver-patch-days: 3
 groups:
 security-all:
 applies-to: security-updates
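Review bot: The "when CI passes" guarantee in the commit title is not enforced by the workflow itself: `gh pr merge --auto --squash "$PR_URL"` only arms GitHub's auto-merge, so on a base branch without required status checks (or with "Allow auto-merge" disabled) the PR merges as soon as it is mergeable, and the actual gate lives entirely in branch protection. I would state that precondition next to the step, e.g. `# Merges only once every *required* check passes — the base branch must have required status checks and "Allow auto-merge" enabled, otherwise this merges immediately.` Since this job runs with `contents: write` and `pull-requests: write`, `uses: dependabot/fetch-metadata@v2` should be pinned to a full commit SHA with the tag kept as a trailing comment rather than a floating major tag; the `github-actions` ecosystem entry added in the third patch can keep such pins current. The `github.actor` gate looks right to me here because, as I understand it, `actor` follows whoever pushed the latest commit, whereas `pull_request.user.login` would stay `dependabot[bot]` after a third party pushes to the branch.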
@@ -20,4 +28,17 @@ updates:
 update-types: ["minor", "patch"]
 ignore:
 - dependency-name: "@seven/*"
- - dependency-name: "@sms77/*"
\ No newline at end of file
+ - dependency-name: "@sms77/*"
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "monthly"
+ open-pull-requests-limit: 2
+ cooldown:
+ default-days: 5
+ semver-major-days: 14
+ semver-minor-days: 7
+ semver-patch-days: 3
+ groups:
+ actions-all:
+ patterns: ["*"]
\ No newline at end of file
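Review bot: The new `actions-all` group has no `applies-to`, which per the Dependabot docs defaults to `version-updates`, so security updates for actions arrive as individual ungrouped PRs while the npm entry explicitly groups them via `security-all`; if that asymmetry is intended, a one-line comment such as `# version updates only; action security advisories open their own PRs` would save the next reader a docs lookup. Note also that a single monthly PR from this group may bump several actions at once, and the auto-merge workflow from the second patch will merge it unattended whenever fetch-metadata reports a patch-level update type, which matters for a repo that treats action bumps as review-worthy. Finally, the `cooldown` block is repeated verbatim from the npm entry in the previous hunk and the file still ends without a trailing newline (both `\ No newline at end of file` markers); since the header says the file is generated, both are best fixed in dependabot-rollout.sh rather than here.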