From d0b0a18e3b2fe7d105d679053e71ead1d54d96e7 Mon Sep 17 00:00:00 2001 From: 777genius Date: Sun, 24 May 2026 15:57:04 +0300 Subject: [PATCH] chore(ci): tighten dependency update gates - Disable routine Dependabot PR creation while keeping grouped security update handling for npm and GitHub Actions. - Add dependency-review workflow for dependency manifest and lockfile pull requests. - Checked current upstream action majors before committing: actions/checkout v6 and dependency-review-action v5. --- .github/dependabot.yml | 19 ++++++++--------- .github/workflows/dependency-review.yml | 28 +++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 10 deletions(-) create mode 100644 .github/workflows/dependency-review.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 9b040905..21712b46 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,20 +9,16 @@ updates: day: monday time: "09:00" timezone: Etc/UTC - cooldown: - default-days: 3 - open-pull-requests-limit: 5 + open-pull-requests-limit: 0 commit-message: prefix: chore prefix-development: chore include: scope groups: - npm-minor-and-patch: + npm-security: + applies-to: security-updates patterns: - "*" - update-types: - - minor - - patch - package-ecosystem: github-actions directory: / @@ -31,9 +27,12 @@ updates: day: tuesday time: "09:00" timezone: Etc/UTC - cooldown: - default-days: 3 - open-pull-requests-limit: 3 + open-pull-requests-limit: 0 commit-message: prefix: chore include: scope + groups: + github-actions-security: + applies-to: security-updates + patterns: + - "*" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 00000000..9cbf4b8f --- /dev/null +++ b/.github/workflows/dependency-review.yml 
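Review bot: `open-pull-requests-limit: 0` turns off version updates only, and whether the new `npm-security` group ever opens a PR depends on Dependabot security updates being enabled in the repository's code-security settings, which this file cannot switch on; a comment above the group such as `# Version updates disabled (limit 0). Security updates still run, grouped below, but only if enabled under the repository's code-security settings.` would stop the next reader from assuming this config alone keeps vulnerable packages patched. The same applies to the `github-actions-security` group in the second hunk. Grouping security updates under `patterns: ["*"]` most likely means one PR carries every vulnerable package in the directory, so a single bump that fails CI holds back the rest; if that trade-off is intended, say so next to the pattern. The `schedule` stanzas appear to have no remaining effect now that nothing scheduled opens a PR, which is fine to keep since the key is required, but a one-line comment would save someone from tuning the weekday expecting a change.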
@@ -0,0 +1,28 @@
+name: Dependency Review
+
+on:
+ pull_request:
+ paths:
+ - "**/package.json"
+ - "**/package-lock.json"
+ - "**/pnpm-lock.yaml"
+ - "pnpm-workspace.yaml"
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6
+
+ - name: Dependency Review
+ uses: actions/dependency-review-action@v5
+ with:
+ fail-on-severity: high
+ fail-on-scopes: runtime, development, unknown
+ license-check: false
+ show-patched-versions: true
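Review bot: Both `uses:` lines pin by mutable major tag (`actions/checkout@v6`, `actions/dependency-review-action@v5`); since this job is the gate that decides whether a dependency change may merge, pin each to a full-length commit SHA with the version in a trailing comment, e.g. `uses: actions/dependency-review-action@<full commit SHA of the v5 release> # v5`, so a retargeted tag cannot change what runs here, and the `github-actions-security` group in dependabot.yml will still keep SHA pins current. The `paths:` filter also interacts badly with branch protection: if this workflow is made a required check, a PR that touches none of the listed files never runs it and the check stays pending, so either drop the filter or handle the skipped case the way GitHub documents. If the dependency graph tracks workflow files in this repository, the filter also means a PR that only adds or bumps an action under `.github/workflows/` is never reviewed, which seems at odds with the commit's intent. `fail-on-severity: high` lets moderate advisories pass without any signal, and `license-check: false` disables that check entirely; a short comment recording that both are deliberate would keep them from being read as oversights.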