blob: ceab9f445195759d57adff7ec2fe8c0fc4bbe803 [file]
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
# Every ecosystem update below uses a 7-day cooldown so a just-
# released version has a week to settle (retags, withdrawals,
# upstream incident reports) before Dependabot proposes bumping to
# it. This mirrors the same window applied locally via
# `[tool.uv] exclude-newer = "7 days"` in the root pyproject.toml
# and `exclude-newer-span = "P7D"` baked into every tool's uv.lock.
#
# `uv` ecosystems use the full cooldown form (default-days plus the
# four semver-* buckets). `github-actions` and `pre-commit` only
# support `default-days` — adding the semver-* keys there causes
# dependabot to reject the whole config (see comment on the
# github-actions block).
---
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
# github-actions and pre-commit ecosystems do not support the
# semver-{major,minor,patch}-days cooldown keys — dependabot
# rejects the whole config block when they are present, which
# is why this ecosystem produced zero PRs between adoption on
# 2026-04-29 and the fix on 2026-05-25. Only `default-days` is
# honoured here.
cooldown:
default-days: 7
groups:
github-actions:
patterns:
- "*"
- package-ecosystem: "pre-commit"
directory: "/"
schedule:
interval: "weekly"
cooldown:
default-days: 7
groups:
pre-commit-hooks:
patterns:
- "*"
# All Python projects in this repo, consolidated into one update
# entry with `directories:` (plural). Dependabot writes per-directory
# inside a SINGLE weekly PR per group, so this collapses what was
# previously nine independent uv PRs into one. Each tool's lockfile
# still updates correctly — the resolver runs per-directory; only the
# PR boundary is unified.
- package-ecosystem: "uv"
directories:
- "/"
- "/tools/privacy-llm/checker"
- "/tools/privacy-llm/redactor"
- "/tools/sandbox-lint"
- "/tools/skill-evals"
- "/tools/skill-and-tool-validator"
- "/tools/gmail/oauth-draft"
- "/tools/cve-tool-vulnogram/generate-cve-json"
- "/tools/cve-tool-vulnogram/oauth-api"
schedule:
interval: "weekly"
cooldown:
default-days: 7
semver-major-days: 7
semver-minor-days: 7
semver-patch-days: 7
groups:
python-deps:
patterns:
- "*"