From: Dmitry V. Levin
Date: Wed, 18 Feb 2026 08:00:00 +0000 (+0000)
Subject: github/dependabot: set cooldown period
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=31fc68a69acf4db48f26b83e845c703768f0f954;p=thirdparty%2Fsystemd.git
github/dependabot: set cooldown period
By default, Dependabot does not perform any cooldown on dependency updates. In other words, a regularly scheduled Dependabot run may perform an update on a dependency that was just released moments before the run began. This presents both stability and supply-chain security risks.
To mitigate these risks, explicitly set Dependabot cooldown period to 7 days.
Link: https://docs.zizmor.sh/audits/#dependabot-cooldown
---
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ded4b244e50..cb8f6ab23e1 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,14 +12,20 @@ updates:
- "*"
exclude-patterns:
- "systemd/mkosi"
+ cooldown:
+ default-days: 7
open-pull-requests-limit: 2
- package-ecosystem: "pip"
directory: "/.github/workflows"
schedule:
interval: "monthly"
+ cooldown:
+ default-days: 7
open-pull-requests-limit: 2
- package-ecosystem: "docker"
directory: "/.clusterfuzzlite"
schedule:
interval: "monthly"
+ cooldown:
+ default-days: 7
open-pull-requests-limit: 2
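Review bot: The three added `cooldown:` stanzas carry a bare `default-days: 7` with no comment, so the next reader has to dig up this commit to learn why the value is there; a one-line comment above each, e.g. `# Skip releases younger than 7 days (supply-chain hedge, see zizmor dependabot-cooldown)`, keeps the rationale next to the setting. Per GitHub's documentation the cooldown applies to version updates only — Dependabot security updates are not held back by it — so the hedge should not delay advisory-driven PRs, but that is worth confirming against the current docs. The `pip` and `docker` entries in the hunk run on a `monthly` schedule, so a release landing inside the 7-day window before a run is deferred to the following month; that is likely acceptable for workflow tooling and fuzzing images, but it should be a deliberate choice. The first entry's `package-ecosystem` header and its `schedule` lie above the hunk and are not visible here.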