From: Dmitry V. Levin Date: Wed, 18 Feb 2026 08:00:00 +0000 (+0000) Subject: github/dependabot: set cooldown period X-Git-Tag: v257.11~25 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e1486a19532b315a5b7a7109b11ea5b544406a67;p=thirdparty%2Fsystemd.git github/dependabot: set cooldown period By default, Dependabot does not perform any cooldown on dependency updates. In other words, a regularly scheduled Dependabot run may perform an update on a dependency that was just released moments before the run began. This presents both stability and supply-chain security risks. To mitigate these risks, explicitly set Dependabot cooldown period to 7 days. Link: https://docs.zizmor.sh/audits/#dependabot-cooldown (cherry picked from commit 31fc68a69acf4db48f26b83e845c703768f0f954) (cherry picked from commit 093c9ad9f028e8bb84e3b55ff4b7a2f952a9adfd) (cherry picked from commit ffc81522bbab70c8e7bb5348dd40121174459059) --- diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3e067c176fd..4b0d016d49c 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,14 +6,20 @@ updates: directory: "/" schedule: interval: "monthly" + cooldown: + default-days: 7 open-pull-requests-limit: 2 - package-ecosystem: "pip" directory: "/.github/workflows" schedule: interval: "monthly" + cooldown: + default-days: 7 open-pull-requests-limit: 2 - package-ecosystem: "docker" directory: "/.clusterfuzzlite" schedule: interval: "monthly" + cooldown: + default-days: 7 open-pull-requests-limit: 2
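Review bot: the same `cooldown:` / `default-days: 7` pair is pasted into all three `updates:` entries with nothing in the file recording why 7 days was chosen; since `.github/dependabot.yml` offers no shared setting here, consider a one-line YAML comment above the first `cooldown:` pointing at the zizmor `dependabot-cooldown` audit from the commit message, so the next person touching the file does not trim or drop the value without knowing its supply-chain rationale. Also worth stating in the message: with `interval: "monthly"` the 7-day cooldown only screens out versions released in the week before a run, which is exactly the "released moments before the run began" case the description targets, not a general hold on new releases.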