security: Delay dependabot updates [TAROT-3707] #226
Conversation
7 days should be enough when most malicious packages are patched within 24 hours.
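For reference, a Composer update job with a 7-day cooldown looks like the following in `.github/dependabot.yml`. This is an added illustration written for this page, not the diff from this PR; the directory, the schedule, the longer major-version wait and the package name under `exclude` are assumptions. The `cooldown` block follows the layout in GitHub's dependabot.yml reference; as the review comment suggests, validate the file against the published schema before relying on it.

```yaml
# Added example, not the file from this PR.
# Without a "cooldown" block, Dependabot proposes a new release on its next
# scheduled run, i.e. possibly within hours of publication. With it, a release
# is only proposed once it has been public for the configured number of days.
version: 2
updates:
  - package-ecosystem: "composer"
    directory: "/"              # assumption: composer.json at the repository root
    schedule:
      interval: "daily"         # checks still run daily; cooldown only filters what is proposed
    cooldown:
      default-days: 7           # no release younger than 7 days is proposed
      semver-major-days: 14     # assumption: wait longer for major bumps
      exclude:
        - "example/urgent-fix"  # assumption: packages allowed to bypass the cooldown
```

The delay buys time for the ecosystem to notice and pull a malicious release; it does not inspect the package itself, so a compromised version that is still published after seven days will be proposed as usual. Keep the `exclude` list short, since every entry there is back to zero-day exposure.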
Up to standards ✅🟢 Issues
Pull Request Overview
This PR attempts to implement a 7-day delay for Dependabot Composer updates to mitigate risks from malicious packages. However, the implementation is invalid because the 'cooldown' property is not part of the official GitHub Dependabot v2 schema. As a result, the intended security delay will not be enforced, and the configuration file will likely fail to load or be ignored. This creates a critical gap in the primary acceptance criterion.
Test suggestions
- Validate .github/dependabot.yml against the official GitHub JSON schema.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Validate .github/dependabot.yml against the official GitHub JSON schema.
Low confidence findings
- The security motivation for this change is clear, but the PR lacks a link to a formal policy or tracking ticket (e.g., Jira) for auditability and tracking.