| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # |
| # Dependabot configuration for cloudstore. |
| # |
| # IMPORTANT: PRs filed by Dependabot are reviewed and merged by hand. Do NOT |
| # add an auto-merge workflow. Hadoop/AWS SDK/GCS-connector versions are |
| # manually selected to work around known CVEs and downstream compatibility |
| # constraints; an automated bump can silently regress those fixes. |
| # |
| # Dependabot itself never auto-merges; that requires a separate workflow. |
| # This file only causes PRs to be opened, which is exactly the desired |
| # behaviour - visibility without automatic acceptance. |
| |
| version: 2 |
| updates: |
| |
| # Pin third-party GitHub Actions by SHA per SECURITY.md. |
| # Dependabot understands the "uses: org/action@<sha> # vX.Y.Z" pattern |
| # and rewrites both the SHA and the trailing version comment together. |
| - package-ecosystem: github-actions |
| directory: / |
| schedule: |
| interval: weekly |
| open-pull-requests-limit: 5 |
| labels: |
| - dependencies |
| - github-actions |
| cooldown: |
| default-days: 7 |
| |
| # Maven dependencies. Most cloudstore deps are `provided` scope - the host |
| # Hadoop install supplies them at runtime - so a bump here only changes |
| # what the test/CI run resolves against, not what ships in the jar. |
| # Still worth surfacing: plugin versions, junit, assertj, avro etc. are |
| # all in scope. |
| - package-ecosystem: maven |
| directory: / |
| schedule: |
| interval: weekly |
| open-pull-requests-limit: 5 |
| labels: |
| - dependencies |
| - maven |
| cooldown: |
| default-days: 7 |
| |
| # Shut up warnings about hadoop and the asf/gcs bundle JARs |
| ignore: |
| - dependency-name: org.apache.hadoop:* |
| - dependency-name: software.amazon.awssdk:* |
| - dependency-name: com.google.cloud.bigdataoss:* |