Skip to content

Add a cooldown to dependabot#782

Merged
zetter-rpf merged 1 commit intomainfrom
add-cooldown
Apr 13, 2026
Merged

Add a cooldown to dependabot#782
zetter-rpf merged 1 commit intomainfrom
add-cooldown

Conversation

@zetter-rpf
Copy link
Copy Markdown
Contributor

@zetter-rpf zetter-rpf commented Apr 13, 2026
edited
Loading

This has become a recommended way to reduce the risk of supply chain attacks. 10 days is fairly arbitrary and could be shortened or lengthened in the future.

A shorter cooldown might mean that we're more to encounter supply chain attacks or newly released versions with major issues. A longer cooldown means that we're less likely to get bug fixes.

Note that security updates are not affected by this setting.

Documentation: https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-
Github announcement: https://github.blog/changelog/2025-07-01-dependabot-supports-configuration-of-a-minimum-package-age/

@zetter-rpf
Add a cooldown to dependabot
7db6051 
This has become a recommended way to reduce the risk of supply chain attacks. 10 days is fairly arbitrary and could be shortened or lengthened in the future.
@cla-bot cla-bot bot added the cla-signed label Apr 13, 2026
@zetter-rpf zetter-rpf marked this pull request as ready for review April 13, 2026 08:02
Copilot AI review requested due to automatic review settings April 13, 2026 08:02
Copilot AI reviewed Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a Dependabot “cooldown” to delay non-security version updates, aiming to reduce exposure to newly published compromised or unstable releases while keeping the existing daily check cadence.

Changes:

  • Configure Dependabot with a 10-day default cooldown for bundler updates.
  • Preserve the existing daily update schedule.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 13, 2026

Test coverage

89.88% line coverage reported by SimpleCov.
Run: https://github.com/RaspberryPiFoundation/editor-api/actions/runs/24332541250

@zetter-rpf zetter-rpf requested a review from mwtrew April 13, 2026 08:55
@zetter-rpf zetter-rpf merged commit 98b5aa6 into main Apr 13, 2026
9 checks passed
@zetter-rpf zetter-rpf deleted the add-cooldown branch April 13, 2026 09:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@mwtrew mwtrew mwtrew approved these changes

Assignees

No one assigned

Labels

cla-signed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@zetter-rpf @mwtrew