github/dependabot: set cooldown period
authorDmitry V. Levin <ldv@strace.io>
Wed, 18 Feb 2026 08:00:00 +0000 (08:00 +0000)
committerDmitry V. Levin <ldv@strace.io>
Wed, 18 Feb 2026 08:00:00 +0000 (08:00 +0000)
By default, Dependabot does not perform any cooldown on dependency updates.
In other words, a regularly scheduled Dependabot run may perform an update
on a dependency that was just released moments before the run began.
This presents both stability and supply-chain security risks.

To mitigate these risks, explicitly set the Dependabot cooldown period to 7 days.

Link: https://docs.zizmor.sh/audits/#dependabot-cooldown
.github/dependabot.yml

index ded4b244e500c9aaf0ced77b6fa3c96dd15f0531..cb8f6ab23e13f9601d03e73308023d6d0991a8d5 100644 (file)
@@ -12,14 +12,20 @@ updates:
           - "*"
         exclude-patterns:
           - "systemd/mkosi"
+    cooldown:
+      default-days: 7
     open-pull-requests-limit: 2
   - package-ecosystem: "pip"
     directory: "/.github/workflows"
     schedule:
       interval: "monthly"
+    cooldown:
+      default-days: 7
     open-pull-requests-limit: 2
   - package-ecosystem: "docker"
     directory: "/.clusterfuzzlite"
     schedule:
       interval: "monthly"
+    cooldown:
+      default-days: 7
     open-pull-requests-limit: 2
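Review bot: The rationale for the 7-day value exists only in the commit message; a short comment above the first `cooldown:` block in this hunk (and the two that follow) would keep it next to the setting, e.g. `# 7-day cooldown: do not pick up a release minutes after publication (stability and supply-chain risk)`. The same `default-days: 7` is repeated for all three ecosystems, so a later adjustment has to be made in three places; a note that the values are intended to stay aligned would help reviewers catch drift between entries. If the intent is that fixes for known vulnerabilities should still arrive promptly, it is worth confirming how the cooldown interacts with Dependabot security updates for this repository and recording the outcome in the same comment. The first `updates` entry begins above the hunk, so its `package-ecosystem` is not visible here.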