Skip to content

dependabot: try enabling cooldown again #371

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

dependabot: try enabling cooldown again #371

wants to merge 1 commit into from
+14 −0

Conversation

@cho-m
Copy link
Member

@cho-m cho-m commented Nov 27, 2025

May want to try this again to see what is state of cooldown feature since previous attempt

For now, using minimum requirement expected by Zizmor (i.e. 4 days)

Supposedly should default to all files without include but not sure given it didn't work last time.

I see fixes like dependabot/dependabot-core@7da4bdd which could help as it may have used semver-major-days (14 previously configured) for all Bundler updates,

          # Get maximum cooldown days based on semver parts
          days = [cooldown.default_days, cooldown.semver_major_days].max
          days = cooldown.semver_minor_days unless days > cooldown.semver_minor_days
          days = cooldown.semver_patch_days unless days > cooldown.semver_patch_days

Copilot AI review requested due to automatic review settings November 27, 2025 18:59
Copilot finished reviewing on behalf of cho-m November 27, 2025 19:00
Copilot AI reviewed Nov 27, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR re-enables the Dependabot cooldown feature that was previously attempted in PR #342. It adds a 4-day cooldown period (the minimum required by Zizmor) to prevent Dependabot from creating too many PRs in rapid succession when new dependency versions are released.

  • Adds cooldown configuration with default-days: 4 to all package ecosystems
  • Addresses previous issues that may have been fixed in recent Dependabot updates

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@cho-m cho-m marked this pull request as ready for review November 27, 2025 19:07
p-linnane
p-linnane approved these changes Nov 27, 2025
View reviewed changes
Copy link
Member

@p-linnane p-linnane left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Worth trying again. We'll need to monitor when the jobs run. Last time they kept showing no updates after filtering.

woodruffw
woodruffw approved these changes Nov 27, 2025
View reviewed changes
Copy link
Member

@woodruffw woodruffw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

I've been considering increasing the minimum default cooldown in zizmor to 7 days, so you might want to get ahead of that here (or configure it explicitly so you don't get nagged).

@MikeMcQuaid
Copy link
Member

MikeMcQuaid commented Nov 27, 2025

I've been considering increasing the minimum default cooldown in zizmor to 7 days, so you might want to get ahead of that here (or configure it explicitly so you don't get nagged).

👍🏻 to me to do 7 days.

@cho-m
Copy link
Member Author

cho-m commented Nov 27, 2025

Updated to 7 days.

Unrelated to this, but not sure if Terraform section is doing anything, at least after repo merge, as the directory layout changed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@SMillerDev SMillerDev SMillerDev approved these changes

@woodruffw woodruffw woodruffw approved these changes

@p-linnane p-linnane p-linnane approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@cho-m @MikeMcQuaid @SMillerDev @woodruffw @p-linnane