CI: Add dependabot cooldown and PR limits #266
Merged
Bring the Dependabot configuration in line with our canonical actions-template best practices. Both the npm and github-actions ecosystems now declare a cooldown period and an explicit open pull-request limit.

The cooldown delays opening a version-bump PR for seven days so we avoid churning on a release that gets retracted or superseded shortly after it ships. For github-actions this also satisfies the zizmor workflow auditing tool.

The open-pull-requests-limit caps concurrent Dependabot PRs at fifteen per ecosystem.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Matthew Watkins <mwatkins@linuxfoundation.org>
@ModeSevenIndustrialSolutions is attempting to deploy a commit to the DCO App Team on Vercel. A member of the Team first needs to authorize it.
Copilot started reviewing on behalf of ModeSevenIndustrialSolutions, June 24, 2026 23:05
Pull request overview
Updates the repository’s Dependabot configuration to reduce update-PR churn and cap concurrent Dependabot PR volume across the two configured ecosystems (npm and github-actions).
Changes:
- Adds a 7-day `cooldown` configuration to both `npm` and `github-actions` update entries.
- Sets `open-pull-requests-limit: 15` for both ecosystems.
tykeal approved these changes, Jun 25, 2026
Summary
Brings the Dependabot configuration in line with current best practices by adding a `cooldown` period and an explicit `open-pull-requests-limit` to both ecosystems the repository uses (`npm` and `github-actions`).
What changed
`.github/dependabot.yml` — for each ecosystem:
- `cooldown.default-days: 7` — delays opening a version-bump PR for seven days so we avoid churning on a release that gets retracted or superseded shortly after it ships. For the `github-actions` ecosystem this also satisfies the zizmor workflow auditing tool.
- `open-pull-requests-limit: 15` — caps concurrent Dependabot PRs per ecosystem.
Notes
- weekly schedule and ecosystems are unchanged.
- prek/pre-commit hooks: the "Validate Dependabot Config (v2)" and `yamllint` checks pass.
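A sketch of how the settings described above nest inside `.github/dependabot.yml`, added here as an illustration and not taken from the repository's actual file. The `directory` values are assumptions; the keys, the weekly interval and the numeric values come from the description.

```yaml
# .github/dependabot.yml (illustrative sketch, not the repository's actual file)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"                 # assumption: manifest at the repository root
    schedule:
      interval: "weekly"           # the description says the weekly schedule is unchanged
    cooldown:
      default-days: 7              # wait 7 days after a release before opening a version-bump PR
    open-pull-requests-limit: 15   # cap on concurrent Dependabot PRs for this ecosystem

  - package-ecosystem: "github-actions"
    directory: "/"                 # assumption
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7              # per the description, also satisfies the zizmor audit
    open-pull-requests-limit: 15   # the limit is set per update entry, so it is repeated here
```

Both `cooldown` and `open-pull-requests-limit` are set per update entry, which is why each ecosystem block carries its own copy.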