chore(deps): add 7-day cooldown across cargo, bun, mise, dependabot, and CI#431
Merged
…ot, and CI

Add a layered supply-chain age gate so freshly-published package versions don't enter the dep graph without intent. Security-only updates still flow through (Dependabot bypasses cooldown for security PRs).

Layers:
- mise.toml [settings] minimum_release_age = "7d" — gates dev tools
- bunfig.toml + docs/bunfig.toml minimumReleaseAge = 604800 — gates Bun installs
- .github/dependabot.yml cooldown.default-days: 7 across cargo, bun, gh-actions
- cargo-cooldown registered via mise + cooldown.toml — local cargo build guard
- scripts/check-lockfile-age.sh + dep-age-check CI job — diffs Cargo.lock and bun.lock against the PR base ref and queries crates.io / npm for pubtime, failing PRs that introduce <7-day-old entries

Bypass paths: .dep-age-allowlist, bunfig minimumReleaseAgeExcludes, cooldown.toml [[allow.exact]], or ALLOW_FRESH_DEPS=1 for emergency CI overrides.

Switches the existing /docs Dependabot entry from npm to bun (the docs site is bun-managed) and adds a new bun entry for /, which previously had no coverage.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replaces the need for Renovate-style automation just for mise tools. Runs `mise upgrade` on a weekly cron and opens a PR if anything changed. The 7-day minimum_release_age in mise.toml ensures only aged-in versions are ever picked. Constraint bumps (mise upgrade --bump) remain manual — flagged in the PR body so reviewers know to escalate when needed. Note: PRs opened with the default GITHUB_TOKEN don't trigger downstream workflows, so CI requires an empty-commit nudge or close+reopen. Documented in the workflow body. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Weekly was overcautious — most runs are no-ops anyway (peter-evans/create-pull-request diffs and skips when nothing changed), and daily lines up with the dependabot schedule already in dependabot.yml. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Extends the existing [hooks] enter hash gate to include mise.toml and mise.lock alongside package.json/bun.lock. When you cd into a worktree whose mise files have moved (e.g. after pulling master, after an auto-upgrade PR merges, when switching to a worktree on a different branch), the hook now also runs `mise install` to materialize the pinned versions. Cost is the md5 of four small files when nothing changed. Doesn't cover the case where you `git pull` and stay in the same shell without cd'ing — for that, cd-out-and-back-in or run mise install manually. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 1, 2026
Summary
Adds a layered supply-chain age gate so freshly-published package versions
don't enter the dep graph without intent. Security-only updates still flow
through (Dependabot bypasses cooldown for security PRs).
Cooldown layers
- mise.toml [settings] minimum_release_age = "7d"
- bunfig.toml + docs/bunfig.toml minimumReleaseAge = 604800
- cooldown.default-days: 7 across cargo, bun, github-actions
  - /docs entry from npm → bun (the docs site is bun-managed; the npm ecosystem doesn't read bun.lock)
  - bun entry for / (prettier dev dep, previously uncovered)
- cargo-cooldown registered via mise + cooldown.toml — local cargo build guard
- scripts/check-lockfile-age.sh + new dep-age-check job in test.yml. Diffs Cargo.lock and bun.lock against the PR base ref, queries crates.io / npm for pubtime, fails PRs that introduce <7-day-old entries
Bypass paths
- .dep-age-allowlist, bunfig.toml minimumReleaseAgeExcludes, or cooldown.toml [[allow.exact]]
- ALLOW_FRESH_DEPS=1
Also bundled (related supporting work)
- .github/workflows/mise-tool-updates.yml — daily mise upgrade cron that opens a PR when anything moves (matches the Dependabot schedule). Fills the gap that Dependabot has no mise ecosystem support.
- mise.toml [hooks] enter to also hash mise.toml/mise.lock and run mise install when they change — so cd-ing into a worktree with stale pinned tool versions auto-syncs them.
- CLAUDE.md Dependency Cooldown section documenting the gate and how to add packages under it.
Test plan
- bun add @aws-sdk/client-s3@3.1040.0 (1d old) blocked with minimum-release-age error; @3.700.0 (Nov 2024) installed cleanly
- mise install cargo:cargo-cooldown selected 0.2.0 instead of 0.3.0 (5d old at the time)
- c8b0bd37 (parent of edtui bump), correctly flagged cargo:edtui@0.11.3 (1d old). Allowlist entry suppressed it.
- ALLOW_FRESH_DEPS=1 env-var bypass also verified.
- mise run fmt, mise run clippy, mise run test:unit all pass
- actionlint clean on all new/modified workflow files
- mise-tool-updates.yml produces a no-op or a reasonable PR (will validate after merge)
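The dep-age-check logic described under Cooldown layers and exercised in the test plan (a fresh edtui bump is flagged, an allowlist entry suppresses it, ALLOW_FRESH_DEPS=1 overrides the failure), as an added Python illustration. This is not the PR's scripts/check-lockfile-age.sh: it covers only the Cargo.lock side, the allowlist line format `name@version` is an assumption, `allow_fresh` stands in for the ALLOW_FRESH_DEPS=1 environment variable, and the lockfile texts and publish dates below are constructed. The live crates.io lookup uses the public `/api/v1/crates/<name>/versions` endpoint but is not exercised by the offline sample.

```python
"""Lockfile age gate (added illustration, not the PR's check-lockfile-age.sh)."""
from __future__ import annotations

import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

MIN_AGE = timedelta(days=7)
Entry = tuple[str, str]  # (crate name, version)


def cargo_lock_entries(text: str) -> set[Entry]:
    """Collect (name, version) from every [[package]] block in a Cargo.lock.
    The top-level `version = 3` line is outside any block and is ignored."""
    entries: set[Entry] = set()
    in_pkg = False
    name = version = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # any table header ends the current block
            if in_pkg and name and version:
                entries.add((name, version))
            in_pkg = line == "[[package]]"
            name = version = None
        elif in_pkg and line.startswith("name = "):
            name = line.split('"')[1]
        elif in_pkg and line.startswith("version = "):
            version = line.split('"')[1]
    if in_pkg and name and version:
        entries.add((name, version))
    return entries


def crates_io_published_at(name: str, version: str) -> Optional[datetime]:
    """Live publish-time lookup. crates.io requires a User-Agent header and
    reports `created_at` as an RFC 3339 timestamp. Network call; not used below."""
    req = urllib.request.Request(
        f"https://crates.io/api/v1/crates/{name}/versions",
        headers={"User-Agent": "dep-age-check example (constructed UA)"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        data = json.load(resp)
    for v in data.get("versions", []):
        if v.get("num") == version:
            return datetime.fromisoformat(v["created_at"].replace("Z", "+00:00"))
    return None


def fresh_entries(added, published_at, now, allowlist, min_age=MIN_AGE):
    """Return [(name, version, age_days)] for entries younger than min_age that
    are not allowlisted. An unknown publish time fails closed (age_days=None)."""
    flagged = []
    for name, version in sorted(added):
        if f"{name}@{version}" in allowlist:  # assumed allowlist line format
            continue
        pub = published_at(name, version)
        if pub is None:
            flagged.append((name, version, None))
        elif now - pub < min_age:
            flagged.append((name, version, (now - pub).days))
    return flagged


def check_lockfile_age(base_lock, head_lock, published_at, now,
                       allowlist=frozenset(), allow_fresh=False):
    """Diff head against base, age-check only the added entries, and return
    (passed, flagged). allow_fresh mirrors ALLOW_FRESH_DEPS=1: findings are
    still reported, but the check no longer fails."""
    added = cargo_lock_entries(head_lock) - cargo_lock_entries(base_lock)
    flagged = fresh_entries(added, published_at, now, allowlist)
    return (allow_fresh or not flagged), flagged


# --- constructed sample data: not real lockfiles or real publish dates ---
BASE_LOCK = 'version = 3\n\n[[package]]\nname = "anyhow"\nversion = "1.0.80"\n\n' \
            '[[package]]\nname = "edtui"\nversion = "0.11.2"\n'
HEAD_LOCK = 'version = 3\n\n[[package]]\nname = "anyhow"\nversion = "1.0.80"\n\n' \
            '[[package]]\nname = "edtui"\nversion = "0.11.3"\n\n' \
            '[[package]]\nname = "ratatui"\nversion = "0.26.0"\n'
NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)
SAMPLE_PUBLISHED = {
    ("anyhow", "1.0.80"): NOW - timedelta(days=400),
    ("edtui", "0.11.2"): NOW - timedelta(days=60),
    ("edtui", "0.11.3"): NOW - timedelta(days=1),   # the fresh bump
    ("ratatui", "0.26.0"): NOW - timedelta(days=200),
}


def sample_lookup(name: str, version: str) -> Optional[datetime]:
    """Offline stand-in for crates_io_published_at."""
    return SAMPLE_PUBLISHED.get((name, version))


if __name__ == "__main__":
    passed, flagged = check_lockfile_age(BASE_LOCK, HEAD_LOCK, sample_lookup, NOW)
    print("passed" if passed else "FAILED", flagged)
```

Only entries that are new relative to the base ref are aged, so a PR that merely touches unrelated code is never blocked by a crate that was already in the lockfile. A registry that cannot be reached for a given entry is treated as a failure rather than a pass, which is the safer default for a gate whose whole purpose is to keep unvetted versions out.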