scorecard/.github/dependabot.yml

version: 2
updates:
- package-ecosystem: gomod
  directories:
    - "/"
    - "/tools"
  schedule:
    interval: daily
  rebase-strategy: disabled
  commit-message:
      prefix: ":seedling:"
  open-pull-requests-limit: 3
- package-ecosystem: "github-actions"
  directory: "/"
  schedule:
      interval: "weekly"
  rebase-strategy: disabled
  commit-message:
      prefix: ":seedling:"
  groups:
    github-actions:
      patterns:
        - "*"
      # These actions directly influence the build process and are excluded from grouped updates
      exclude-patterns:
        - "actions/setup-go"
        - "arduino/setup-protoc"
        - "goreleaser/goreleaser-action"
- package-ecosystem: docker
  directories:
    - "/"
    - "/cron/internal/bq"
    - "/cron/internal/worker"
    - "/cron/internal/webhook"
    - "/cron/internal/controller"
    - "/cron/internal/cii"
    - "/clients/githubrepo/roundtripper/tokens/server"
    - "/attestor"
  schedule:
    interval: weekly
  rebase-strategy: disabled
  commit-message:
      prefix: ":seedling:"
  # currently needed to get PRs which actually update multiple directories in a single PR
  # https://github.com/dependabot/dependabot-core/issues/2178#issuecomment-2109164992
  groups:
    golang:
      patterns:
        - "golang"
    distroless:
      patterns:
        - "distroless/base"
Create Dependabot config file (#116) Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> 2021-01-01 23:32:06 +03:00			`version: 2`
			`updates:`
			`- package-ecosystem: gomod`
:seedling: Enable dependabot multi-directory updates (#4062) * allowed shared updates across gomod directories Signed-off-by: Spencer Schrock <sschrock@google.com> * group docker directories Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> 2024-04-30 23:36:49 +03:00			`directories:`
			`- "/"`
			`- "/tools"`
:seedling: Included dependabot setting for tools Included dependabot setting for tools module to get updates. 2022-01-27 02:54:58 +03:00			`schedule:`
			`interval: daily`
Disable auto rebasing when PR merged (#2378) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Spencer Schrock <sschrock@google.com> 2022-10-21 20:44:03 +03:00			`rebase-strategy: disabled`
:seedling: Included dependabot setting for tools Included dependabot setting for tools module to get updates. 2022-01-27 02:54:58 +03:00			`commit-message:`
			`prefix: ":seedling:"`
:seedling: Reduce the number of PR's opened by dependabot (#2297) - Reduce the number of PR's opened by dependabot Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> 2022-09-23 02:23:03 +03:00			`open-pull-requests-limit: 3`
Fix - dependabot yaml error 2021-02-06 20:45:49 +03:00			`- package-ecosystem: "github-actions"`
Fix - dependabot githubactions location 2021-02-06 21:30:29 +03:00			`directory: "/"`
Fix - dependabot yaml error 2021-02-06 20:45:49 +03:00			`schedule:`
:seedling: configure dependabot to group (most) GitHub actions weekly (#3655) actions which influence the build/release process are excluded. dependabot will send individual updates for those. Signed-off-by: Spencer Schrock <sschrock@google.com> 2023-11-10 04:22:29 +03:00			`interval: "weekly"`
Disable auto rebasing when PR merged (#2378) Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: Spencer Schrock <sschrock@google.com> 2022-10-21 20:44:03 +03:00			`rebase-strategy: disabled`
:seedling: Updated commit message for dependabot * Updated commit message to have :seedling: prefix in dependabot PR. 2021-04-08 21:25:25 +03:00			`commit-message:`
			`prefix: ":seedling:"`
:seedling: configure dependabot to group (most) GitHub actions weekly (#3655) actions which influence the build/release process are excluded. dependabot will send individual updates for those. Signed-off-by: Spencer Schrock <sschrock@google.com> 2023-11-10 04:22:29 +03:00			`groups:`
			`github-actions:`
			`patterns:`
			`- "*"`
			`# These actions directly influence the build process and are excluded from grouped updates`
			`exclude-patterns:`
			`- "actions/setup-go"`
			`- "arduino/setup-protoc"`
			`- "goreleaser/goreleaser-action"`
Feat- Included dependabot for docker (#213) 2021-02-23 18:34:12 +03:00			`- package-ecosystem: docker`
:seedling: Enable dependabot multi-directory updates (#4062) * allowed shared updates across gomod directories Signed-off-by: Spencer Schrock <sschrock@google.com> * group docker directories Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> 2024-04-30 23:36:49 +03:00			`directories:`
			`- "/"`
			`- "/cron/internal/bq"`
			`- "/cron/internal/worker"`
			`- "/cron/internal/webhook"`
			`- "/cron/internal/controller"`
			`- "/cron/internal/cii"`
			`- "/clients/githubrepo/roundtripper/tokens/server"`
			`- "/attestor"`
:seedling: Include attestor Dockerfile in CI and dependabot updates (#3285) Signed-off-by: Spencer Schrock <sschrock@google.com> 2023-07-20 23:00:51 +03:00			`schedule:`
			`interval: weekly`
			`rebase-strategy: disabled`
			`commit-message:`
			`prefix: ":seedling:"`
fix dependabot config to group docker images (#4211) This is apparently required with the current implementation of multi dir PRs. Signed-off-by: Spencer Schrock <sschrock@google.com> 2024-07-03 23:47:20 +03:00			`# currently needed to get PRs which actually update multiple directories in a single PR`
			`# https://github.com/dependabot/dependabot-core/issues/2178#issuecomment-2109164992`
			`groups:`
			`golang:`
			`patterns:`
			`- "golang"`
			`distroless:`
			`patterns:`
			`- "distroless/base"`