mirror of
https://github.com/anchore/syft.git
synced 2026-02-12 02:26:42 +01:00
29a0b19a21
* group dependabot updates Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * use directories key Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> --------- Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
51 lines
1.4 KiB
YAML
51 lines
1.4 KiB
YAML
# Dependabot configuration
|
|
#
|
|
# Grouping behavior (see inline comments for details):
|
|
# - Minor + patch updates: grouped into a single PR per ecosystem
|
|
# - Major version bumps: individual PR per dependency
|
|
# - Security updates: individual PR per dependency
|
|
#
|
|
# Note: "patch" refers to semver version bumps (1.2.3 -> 1.2.4), not security fixes.
|
|
# Security updates are identified separately via GitHub's Advisory Database and
|
|
# can be any version bump (patch, minor, or major) that fixes a known CVE.
|
|
|
|
version: 2
|
|
|
|
updates:
|
|
|
|
- package-ecosystem: gomod
|
|
directory: "/"
|
|
schedule:
|
|
interval: "weekly"
|
|
day: "friday"
|
|
open-pull-requests-limit: 10
|
|
labels:
|
|
- "dependencies"
|
|
groups:
|
|
go-minor-patch:
|
|
applies-to: version-updates # security updates get individual PRs
|
|
patterns:
|
|
- "*"
|
|
update-types: # major omitted, gets individual PRs
|
|
- "minor"
|
|
- "patch"
|
|
|
|
- package-ecosystem: "github-actions"
|
|
directories:
|
|
- "/"
|
|
- "/.github/actions/bootstrap"
|
|
schedule:
|
|
interval: "weekly"
|
|
day: "friday"
|
|
open-pull-requests-limit: 10
|
|
labels:
|
|
- "dependencies"
|
|
groups:
|
|
actions-minor-patch:
|
|
applies-to: version-updates # security updates get individual PRs
|
|
patterns:
|
|
- "*"
|
|
update-types: # major omitted, gets individual PRs
|
|
- "minor"
|
|
- "patch"
|