diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..2fb75b0
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,23 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "09:00"
+ timezone: "Europe/Berlin"
+ open-pull-requests-limit: 5
+ cooldown:
+ default-days: 7
+ labels:
+ - "dependencies"
+ - "github-actions"
+ commit-message:
+ prefix: "chore(actions)"
+ include: "scope"
+ ignore:
+ # This tells Dependabot to ignore patch and minor bumps for all GHA dependencies, so it won't try to pin v8.3.7 — only major version bumps (e.g. v8 → v9) would trigger a PR
+ - dependency-name: "*"
+ update-types:
+ ["version-update:semver-patch", "version-update:semver-minor"]
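Review bot: The `ignore` rule on `dependency-name: "*"` suppresses every patch and minor version-update PR for actions, which keeps workflows current only if they reference floating major tags such as `@v8`. The comment's "won't try to pin v8.3.7" suggests that is the case, but the workflows are not visible here, so this is an inference. In that setup the `cooldown` of `default-days: 7` delays only major-bump PRs, while minor and patch code is picked up without review or delay whenever the upstream maintainer moves the major tag. If any workflow pins a full version tag or a commit SHA instead, this rule means it will not receive fix releases through version updates. I would state the assumption in the comment, e.g. `# Assumes workflows use floating major tags (@vN); remove this rule if actions are pinned to full versions or commit SHAs.`, and wrap the existing comment, which runs far past the usual line-length limit.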