8 Commits

Author SHA1 Message Date
Mike Dalessio e518d638f2 ci: suppress dependabot-execution warning in dependabot config 2026-03-17 18:27:45 -04:00
Mike Dalessio 99e683125b ci: batch github actions dependabot updates into a single PR 2026-03-17 17:39:54 -04:00
Mike Dalessio 6a244b17e6 Use new FIZZY_GH_TOKEN with limited access
because this is a public repo and so doesn't have access to the
private org secret GH_TOKEN anymore.
2025-12-12 13:04:26 -05:00
Stanko K.R. 9d5ddfccec Remove semver-major-days from Dependabot on GH actions 2025-12-10 09:18:20 +01:00
Rosa Gutierrez 2352f30b61 Adopt a cooldown period for dependency updates
As suggested by @flavorjones, and explained in:
https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns

This applies:
- 7 days as default: from the article, a 7-day
cooldown would have prevented 8 out of 10 recent
supply chain attacks. It seems reasonably long
but not crazy long.
- 14 days for major versions, to give some time
to the community to find problems.
2025-12-08 20:05:03 +01:00
Mike Dalessio 3a8ea5ea85 dependabot: make the schedule weekly
Daily is very noisy when we're using so many git branches.
2025-10-03 22:17:21 -04:00
Jeremy Daer 42130f71ab Dependabot: group dev deps 2025-02-04 10:32:17 -08:00
Kevin McConnell 5f5226d05b Add CI 2024-06-24 15:09:34 +01:00