mirror of
https://github.com/anchore/syft.git
synced 2026-03-30 05:33:24 +02:00
c5114fd745
Prevent some packages from being updated. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
60 lines
1.7 KiB
YAML
60 lines
1.7 KiB
YAML
# Dependabot configuration
|
|
#
|
|
# Grouping behavior (see inline comments for details):
|
|
# - Minor + patch updates: grouped into a single PR per ecosystem
|
|
# - Major version bumps: individual PR per dependency
|
|
# - Security updates: individual PR per dependency
|
|
#
|
|
# Note: "patch" refers to semver version bumps (1.2.3 -> 1.2.4), not security fixes.
|
|
# Security updates are identified separately via GitHub's Advisory Database and
|
|
# can be any version bump (patch, minor, or major) that fixes a known CVE.
|
|
|
|
version: 2
|
|
|
|
updates:
|
|
|
|
- package-ecosystem: gomod
|
|
directory: "/"
|
|
cooldown:
|
|
default-days: 7
|
|
schedule:
|
|
interval: "weekly"
|
|
day: "friday"
|
|
open-pull-requests-limit: 10
|
|
labels:
|
|
- "dependencies"
|
|
ignore:
|
|
- dependency-name: "github.com/aquasecurity/go-pep440-version"
|
|
- dependency-name: "github.com/aquasecurity/go-version"
|
|
- dependency-name: "github.com/knqyf263/go-apk-version"
|
|
- dependency-name: "github.com/knqyf263/go-deb-version"
|
|
groups:
|
|
go-minor-patch:
|
|
applies-to: version-updates # security updates get individual PRs
|
|
patterns:
|
|
- "*"
|
|
update-types: # major omitted, gets individual PRs
|
|
- "minor"
|
|
- "patch"
|
|
|
|
- package-ecosystem: "github-actions"
|
|
directories:
|
|
- "/"
|
|
- "/.github/actions/bootstrap"
|
|
cooldown:
|
|
default-days: 7
|
|
schedule:
|
|
interval: "weekly"
|
|
day: "friday"
|
|
open-pull-requests-limit: 10
|
|
labels:
|
|
- "dependencies"
|
|
groups:
|
|
actions-minor-patch:
|
|
applies-to: version-updates # security updates get individual PRs
|
|
patterns:
|
|
- "*"
|
|
update-types: # major omitted, gets individual PRs
|
|
- "minor"
|
|
- "patch"
|