chore(ci): tighten dependency update gates

- Disable Dependabot version-update PRs (`open-pull-requests-limit: 0`) while keeping grouped security-update PRs for npm and GitHub Actions.

- Add dependency-review workflow for dependency manifest and lockfile pull requests.

- Checked current upstream action majors before committing: actions/checkout v6 and dependency-review-action v5.
777genius 2026-05-24 15:57:04 +03:00
parent bc8d47aaa2
commit d0b0a18e3b
2 changed files with 37 additions and 10 deletions


@ -9,20 +9,16 @@ updates:
day: monday
time: "09:00"
timezone: Etc/UTC
cooldown:
default-days: 3
open-pull-requests-limit: 5
open-pull-requests-limit: 0
commit-message:
prefix: chore
prefix-development: chore
include: scope
groups:
npm-minor-and-patch:
npm-security:
applies-to: security-updates
patterns:
- "*"
update-types:
- minor
- patch
- package-ecosystem: github-actions
directory: /
@ -31,9 +27,12 @@ updates:
day: tuesday
time: "09:00"
timezone: Etc/UTC
cooldown:
default-days: 3
open-pull-requests-limit: 3
open-pull-requests-limit: 0
commit-message:
prefix: chore
include: scope
groups:
github-actions-security:
applies-to: security-updates
patterns:
- "*"
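Review bot: `open-pull-requests-limit: 0` turns off Dependabot version updates for both ecosystems, but nothing in this file turns on security updates — those are a per-repository toggle under Settings › Code security (and depend on the dependency graph), so the `applies-to: security-updates` groups only do anything if that toggle is already enabled; worth recording next to each `open-pull-requests-limit: 0`, e.g. `# 0 disables version updates only; security updates still need the repo-level "Dependabot security updates" setting`. Grouping every security update under `patterns: ["*"]` also means a single dependency whose patched version breaks CI holds back every other fix in the group — either accept that explicitly in a comment or carve out known-problematic packages with `exclude-patterns`. If the `cooldown` stanza survives the change (the rendering does not make that certain), it presumably governs version updates only and no longer affects anything with the limit at 0; verify against the Dependabot docs rather than relying on the 3-day cooldown for security fixes. Both `updates:` entries begin outside the hunk.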

.github/workflows/dependency-review.yml vendored Normal file

@ -0,0 +1,28 @@
name: Dependency Review
on:
pull_request:
paths:
- "**/package.json"
- "**/package-lock.json"
- "**/pnpm-lock.yaml"
- "pnpm-workspace.yaml"
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Dependency Review
uses: actions/dependency-review-action@v5
with:
fail-on-severity: high
fail-on-scopes: runtime, development, unknown
license-check: false
show-patched-versions: true
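Review bot: Both steps reference actions by floating major tag (`actions/checkout@v6`, `actions/dependency-review-action@v5`), so each run executes whatever those tags point to at that moment — a moved or compromised tag is exactly the supply-chain exposure this workflow is meant to gate, and the commit description notes the majors were checked by hand rather than pinned. Pin each `uses:` to a full commit SHA with the version in a trailing comment (`uses: actions/checkout@<full-commit-sha> # v6`); the github-actions security updates kept in dependabot.yml will still bump SHA pins when an advisory lands. The `paths` filter lists only npm manifests and lockfiles, so PRs that change `.github/workflows/*.yml` — including the grouped github-actions security PRs — never trigger this job, even though the action also reports on Actions dependencies through the dependency graph as far as I know; add `- ".github/workflows/**"` to `paths`. If this job becomes a required status check, the `paths` filter will leave it pending on every PR that touches none of those files, so either drop the filter or pair it with a matching no-op workflow. `fail-on-severity: high` waves moderate advisories through — document that threshold with a comment or lower it to `moderate`.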