From f4c2c85d28ae11d1b0aaf10132d591cfd288ac3c Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Thu, 26 Mar 2026 22:01:03 -0700
Subject: [PATCH 1/2] Fix dependabot cooldown config: use default-days and increase to 7
- Fix key name from 'default' to 'default-days' per GitHub docs
- Increase cooldown period from 4 to 7 days as recommended by zizmor
- Update README to reflect the corrected key name and new value
See: https://docs.zizmor.sh/audits/\#dependabot-cooldown
---
 .github/dependabot.yml | 2 +-
 README.md | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 27fdc60d..ac195fb1 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -36,4 +36,4 @@ updates:
 versions: ">=2.16"
 open-pull-requests-limit: 50
 cooldown:
- default: 4
+ default-days: 7
diff --git a/README.md b/README.md
index ab9d66c1..1a1e0e04 100644
--- a/README.md
+++ b/README.md
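Review bot: The new `default-days: 7` line carries no comment saying what the cooldown is for, and the README wording changed in this same patch describes it as a wait "after a Dependabot PR is merged or closed", which is not what the option does: per GitHub's dependabot.yml documentation, `default-days` is the number of days Dependabot waits after a new version is published before proposing it, so it is a supply-chain safeguard against adopting freshly published (possibly compromised) releases rather than a throttle on PR volume — which is also, as far as I can tell, the rationale behind the zizmor audit the commit message cites. A one-line comment above the block would keep the intent with the setting: `# Supply-chain guard: wait 7 days after a version is published before proposing it (zizmor dependabot-cooldown).` The README paragraph should be reworded to match the same meaning. Note that patch 2/2 in this series removes the `cooldown:` block again with no stated reason, so the series as a whole ends with no cooldown configured.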
@@ -146,7 +146,7 @@ This will:
 #### Dependabot Cooldown Period
-This repository uses a [Dependabot cooldown period](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#cooldown) of 4 days. After a Dependabot PR is merged or closed, Dependabot will wait 4 days before opening the next PR for the same ecosystem. This helps keep the volume of update PRs manageable and gives reviewers time to catch up.
+This repository uses a [Dependabot cooldown period](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#cooldown) of 7 days. After a Dependabot PR is merged or closed, Dependabot will wait 7 days before opening the next PR for the same ecosystem. This helps keep the volume of update PRs manageable and gives reviewers time to catch up.
 > [!TIP]
 > We recommend that ASF projects configure a similar cooldown in their own `dependabot.yml` to avoid being overwhelmed by update PRs and to catch up with approved actions here:
@@ -157,9 +157,9 @@ This repository uses a [Dependabot cooldown period](https://docs.github.com/en/c
 > schedule:
 > interval: "weekly"
 > cooldown:
-> default: 4
+> default-days: 7
 > ```
-> Adjust the `default` value (in days) to match your project's review capacity.
+> Adjust the `default-days` value to match your project's review capacity.
 ### Manual Addition of Specific Versions
From b7a532a1100e939b6fb12acdecc27287006bf78a Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Fri, 27 Mar 2026 12:11:09 -0700
Subject: [PATCH 2/2] partial revert #560
---
 .github/dependabot.yml | 2 --
 README.md | 18 ------------------
 2 files changed, 20 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ac195fb1..71255cb2 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -35,5 +35,3 @@ updates:
 - dependency-name: "cpp-linter/cpp-linter-action"
 versions: ">=2.16"
 open-pull-requests-limit: 50
- cooldown:
- default-days: 7
diff --git a/README.md b/README.md
index 1a1e0e04..6537fe69 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,6 @@ This repository hosts GitHub Actions developed by the ASF community and approved
 - [Adding a New Action](#adding-a-new-action-to-the-allow-list)
 - [Reviewing](#reviewing)
 - [Adding a New Version](#adding-a-new-version-to-the-allow-list)
- - [Dependabot Cooldown Period](#dependabot-cooldown-period)
 - [Manual Version Addition](#manual-addition-of-specific-versions)
 - [Removing a Version](#removing-a-version-manually)
@@ -144,23 +143,6 @@ This will:
 > **Prerequisites:** `docker`, `uv`, and `gh` (GitHub CLI, authenticated via `gh auth login`).
 > The build runs in a `node:20-slim` container so no local Node.js installation is needed.
-#### Dependabot Cooldown Period
-
-This repository uses a [Dependabot cooldown period](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#cooldown) of 7 days. After a Dependabot PR is merged or closed, Dependabot will wait 7 days before opening the next PR for the same ecosystem. This helps keep the volume of update PRs manageable and gives reviewers time to catch up.
-
-> [!TIP]
-> We recommend that ASF projects configure a similar cooldown in their own `dependabot.yml` to avoid being overwhelmed by update PRs and to catch up with approved actions here:
-> ```yaml
-> updates:
-> - package-ecosystem: "github-actions"
-> directory: "/"
-> schedule:
-> interval: "weekly"
-> cooldown:
-> default-days: 7
-> ```
-> Adjust the `default-days` value to match your project's review capacity.
-
 ### Manual Addition of Specific Versions
 If you need to add a specific version of an already approved action (especially an older one):