From a05fd4ee2fb2e8907c6752976ab5ec0e21053c73 Mon Sep 17 00:00:00 2001
From: Matthew Watkins
Date: Thu, 25 Jun 2026 00:04:30 +0100
Subject: [PATCH] CI: Add dependabot cooldown and PR limits

Bring the Dependabot configuration in line with our canonical actions-template best practices. Both the npm and github-actions ecosystems now declare a cooldown period and an explicit open pull-request limit. The cooldown delays opening a version-bump PR for seven days so we avoid churning on a release that gets retracted or superseded shortly after it ships. For github-actions this also satisfies the zizmor workflow auditing tool. The open-pull-requests-limit caps concurrent Dependabot PRs at fifteen per ecosystem.

Co-Authored-By: Claude
Signed-off-by: Matthew Watkins
---
 .github/dependabot.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f6e1c9d..bb43ea7 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,7 +8,18 @@ updates:
     directory: '/'
     schedule:
       interval: 'weekly'
+    # Wait before opening a bump PR so we don't churn on a release
+    # that gets retracted or superseded shortly after it ships.
+    cooldown:
+      default-days: 7
+    open-pull-requests-limit: 15
   - package-ecosystem: 'github-actions'
     directory: '/'
     schedule:
       interval: 'weekly'
+    # Wait before opening a bump PR so we don't churn on a release
+    # that gets retracted or superseded shortly after it ships.
+    # This is required to satisfy the zizmor workflow auditing tool.
+    cooldown:
+      default-days: 7
+    open-pull-requests-limit: 15
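Review bot: The seven-day `default-days: 7` cooldown in both the npm and github-actions stanzas also holds back version bumps that happen to carry a security fix, and the new comments do not say which mechanism is expected to cover those; as far as I recall Dependabot security updates are not subject to the cooldown, but that only helps if they are enabled for this repository, so this should be stated and confirmed rather than left implicit. I would extend the comment above each `cooldown:` with `# Security updates are expected to come via Dependabot security updates, which are not held by this cooldown — confirm they are enabled for this repo.` If a blanket seven days turns out too slow for patch releases, the cooldown block accepts per-semver settings, e.g. `semver-patch-days: 3` alongside `default-days: 7`, which keeps the churn protection for majors and minors while shortening the window where fixes most often land. The identical comment text is duplicated verbatim across the two stanzas, so a future edit to one is likely to leave the other stale; a single comment above `updates:` (outside this hunk) explaining the cooldown once, with only the zizmor line kept on the github-actions stanza, would read better.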