github/dependabot: set cooldown period

By default, Dependabot does not perform any cooldown on dependency updates.
In other words, a regularly scheduled Dependabot run may perform an update
on a dependency that was just released moments before the run began.
This presents both stability and supply-chain security risks.

To mitigate these risks, explicitly set Dependabot cooldown period to 7 days.

Link: https://docs.zizmor.sh/audits/#dependabot-cooldown
(cherry picked from commit 31fc68a69acf4db48f26b83e845c703768f0f954)
(cherry picked from commit 093c9ad9f028e8bb84e3b55ff4b7a2f952a9adfd)
(cherry picked from commit ffc81522bbab70c8e7bb5348dd40121174459059)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 3e067c176fd4f9258104336379c8b7b6cf16812a..4b0d016d49c2df06d641c77305a32625441bb439 100644 (file)
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,14 +6,20 @@ updates:
     directory: "/"
     schedule:
       interval: "monthly"
+    cooldown:
+      default-days: 7
     open-pull-requests-limit: 2
   - package-ecosystem: "pip"
     directory: "/.github/workflows"
     schedule:
       interval: "monthly"
+    cooldown:
+      default-days: 7
     open-pull-requests-limit: 2
   - package-ecosystem: "docker"
     directory: "/.clusterfuzzlite"
     schedule:
       interval: "monthly"
+    cooldown:
+      default-days: 7
     open-pull-requests-limit: 2