chore(ci): tighten dependency update gates
- Disable routine Dependabot PR creation while keeping grouped security update handling for npm and GitHub Actions. - Add dependency-review workflow for dependency manifest and lockfile pull requests. - Checked current upstream action majors before committing: actions/checkout v6 and dependency-review-action v5.
This commit is contained in:
parent
bc8d47aaa2
commit
d0b0a18e3b
2 changed files with 37 additions and 10 deletions
.github/dependabot.yml
|
|
@ -9,20 +9,16 @@ updates:
|
|||
day: monday
|
||||
time: "09:00"
|
||||
timezone: Etc/UTC
|
||||
cooldown:
|
||||
default-days: 3
|
||||
open-pull-requests-limit: 5
|
||||
open-pull-requests-limit: 0
|
||||
commit-message:
|
||||
prefix: chore
|
||||
prefix-development: chore
|
||||
include: scope
|
||||
groups:
|
||||
npm-minor-and-patch:
|
||||
npm-security:
|
||||
applies-to: security-updates
|
||||
patterns:
|
||||
- "*"
|
||||
update-types:
|
||||
- minor
|
||||
- patch
|
||||
|
||||
- package-ecosystem: github-actions
|
||||
directory: /
|
||||
|
|
@ -31,9 +27,12 @@ updates:
|
|||
day: tuesday
|
||||
time: "09:00"
|
||||
timezone: Etc/UTC
|
||||
cooldown:
|
||||
default-days: 3
|
||||
open-pull-requests-limit: 3
|
||||
open-pull-requests-limit: 0
|
||||
commit-message:
|
||||
prefix: chore
|
||||
include: scope
|
||||
groups:
|
||||
github-actions-security:
|
||||
applies-to: security-updates
|
||||
patterns:
|
||||
- "*"
|
||||
|
|
|
|||
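Review bot: Both `open-pull-requests-limit: 0` lines (the npm hunk and the github-actions hunk) disable Dependabot version updates, and the remaining `applies-to: security-updates` groups only take effect if Dependabot security updates are switched on in the repository's security settings, which this file cannot do by itself, so a repository with that toggle off would receive no update PRs at all after this change. That dependency is invisible from the file; a comment above the first `open-pull-requests-limit: 0` would make it explicit: `# 0 disables version-update PRs; the *-security groups below rely on Dependabot security updates being enabled in repository settings.` Whether the retained `schedule` and `cooldown` keys still have any effect once version updates are disabled is worth confirming against the current Dependabot documentation rather than assuming from the key names. The enclosing `updates:` entries begin outside both hunks.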
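--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,28 @@
+name: Dependency Review
+
+on:
+  pull_request:
+    paths:
+      - "**/package.json"
+      - "**/package-lock.json"
+      - "**/pnpm-lock.yaml"
+      - "pnpm-workspace.yaml"
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v5
+        with:
+          fail-on-severity: high
+          fail-on-scopes: runtime, development, unknown
+          license-check: false
+          show-patched-versions: true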
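Review bot: The `paths` filter on the `pull_request` trigger means this job never starts on pull requests that leave the listed manifests untouched, so if `dependency-review` is later made a required status check those PRs will sit on a pending check indefinitely; either drop the filter (the action should report nothing when the dependency graph is unchanged between base and head) or keep it out of branch-protection requirements. The two `uses:` lines reference mutable major tags, and with version updates now disabled in dependabot.yml nothing will move them forward except security updates, so pinning to a full commit SHA with the tag in a trailing comment, e.g. `uses: actions/dependency-review-action@<commit-sha>  # v5`, would fix the exact code being run rather than whatever the tag currently points to. The `Checkout` step looks unnecessary for this action, since no `config-file` input is set and the review is driven from the dependency graph API, though that is inferred from the inputs shown here rather than from the action's documentation.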