chore(ci): tighten dependency update gates

- Disable routine Dependabot PR creation while keeping grouped security update handling for npm and GitHub Actions.

- Add dependency-review workflow for dependency manifest and lockfile pull requests.

- Checked current upstream action majors before committing: actions/checkout v6 and dependency-review-action v5.
777genius 2026-05-24 15:57:04 +03:00
parent bc8d47aaa2
commit d0b0a18e3b
2 changed files with 37 additions and 10 deletions


@ -9,20 +9,16 @@ updates:
day: monday day: monday
time: "09:00" time: "09:00"
timezone: Etc/UTC timezone: Etc/UTC
cooldown: open-pull-requests-limit: 0
default-days: 3
open-pull-requests-limit: 5
commit-message: commit-message:
prefix: chore prefix: chore
prefix-development: chore prefix-development: chore
include: scope include: scope
groups: groups:
npm-minor-and-patch: npm-security:
applies-to: security-updates
patterns: patterns:
- "*" - "*"
update-types:
- minor
- patch
- package-ecosystem: github-actions - package-ecosystem: github-actions
directory: / directory: /
@ -31,9 +27,12 @@ updates:
day: tuesday day: tuesday
time: "09:00" time: "09:00"
timezone: Etc/UTC timezone: Etc/UTC
cooldown: open-pull-requests-limit: 0
default-days: 3
open-pull-requests-limit: 3
commit-message: commit-message:
prefix: chore prefix: chore
include: scope include: scope
groups:
github-actions-security:
applies-to: security-updates
patterns:
- "*"
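Review bot: The new `open-pull-requests-limit: 0` in this hunk (and the matching line in the npm hunk above) reads as a misconfiguration to anyone who does not know Dependabot's convention that 0 suppresses version-update PRs while security updates still open PRs through the group below; a comment above it, `# 0 disables version-update PRs; only the security-updates group below opens PRs`, would carry that intent into the file rather than leaving it in the commit message. The retained `schedule` block (tuesday, 09:00, Etc/UTC) appears to remain only because the schema requires it, since nothing in this hunk is scheduled any more; if that is the case the same comment should say so. With version updates off, actions referenced in workflows will only move when an advisory is published, which is worth stating next to the github-actions entry.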

28
.github/workflows/dependency-review.yml vendored Normal file

@ -0,0 +1,28 @@
name: Dependency Review
on:
pull_request:
paths:
- "**/package.json"
- "**/package-lock.json"
- "**/pnpm-lock.yaml"
- "pnpm-workspace.yaml"
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Dependency Review
uses: actions/dependency-review-action@v5
with:
fail-on-severity: high
fail-on-scopes: runtime, development, unknown
license-check: false
show-patched-versions: true
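Review bot: Both steps pin third-party actions by mutable major tag (`actions/checkout@v6`, `actions/dependency-review-action@v5`), so whatever the tag resolves to at run time is what executes in a job that is itself meant to be a supply-chain gate; pinning each to a full commit SHA with the version as a trailing comment, `uses: actions/checkout@<full-commit-sha>  # v6` and likewise for dependency-review-action, is the stronger choice. Because the dependabot.yml change in this same commit sets `open-pull-requests-limit: 0` for github-actions, such SHA pins would only be refreshed by security updates, which deserves a comment in this workflow. The `paths` filter also means the job neither runs nor reports a status on pull requests that touch none of the listed files, so if `Dependency Review` is later made a required check in branch protection those PRs will stall; a comment noting that the filter and any required-check setting must be decided together would prevent that. This rendering shows 23 of the hunk's 28 added lines, so blank lines are likely missing and the file's final line may not be visible here.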