From c26da417685efc38157c4bbdd5b2bfa91ee96a6a Mon Sep 17 00:00:00 2001
From: Tim Dittler
Date: Wed, 25 Feb 2026 11:50:47 +0100
Subject: [PATCH 1/2] fix(dependabot): fix broken config and add cooldown

- Remove private registry config for npm.pkg.github.com as internal packages are now accessible without a token (CI-1040)
- Add github-actions ecosystem to allow updating internal actions
- Add 7-day cooldown to npm and github-actions to mitigate supply chain attacks (CI-1108)

Co-Authored-By: opencode noreply@opencode.ai
---
 .github/dependabot.yml | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 02d11b7..5136d67 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,10 +1,4 @@
 version: 2
-registries:
-  npm-github:
-    type: npm-registry
-    url: https://npm.pkg.github.com
-    token: ${{secrets.STAFFBOT_NPM_READ}}
-
 updates:
   - package-ecosystem: "npm"
     directory: "/"
@@ -14,5 +8,14 @@ updates:
       default-days: 7
     labels:
       - "dependencies"
-    registries:
-      - npm-github
+    cooldown:
+      default-days: 7
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+    cooldown:
+      default-days: 7

From 34dd559cb8f4622925c5510a00fd2e83796af37e Mon Sep 17 00:00:00 2001
From: Tim Dittler <93928360+timdittler@users.noreply.github.com>
Date: Wed, 25 Feb 2026 12:49:04 +0100
Subject: [PATCH 2/2] Update dependabot.yml

Co-authored-by: Marcel Seidel <47413751+m-seidel@users.noreply.github.com>
---
 .github/dependabot.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5136d67..ddb83ba 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,8 +8,6 @@ updates:
       default-days: 7
     labels:
       - "dependencies"
-    cooldown:
-      default-days: 7
 
   - package-ecosystem: "github-actions"
     directory: "/"
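Review bot: Dropping the `npm-github` registry and its `token: ${{secrets.STAFFBOT_NPM_READ}}` line leaves the `STAFFBOT_NPM_READ` secret unreferenced by this file; if nothing else consumes it, revoke the underlying token and delete the repository or organization secret rather than leaving a live read credential for npm.pkg.github.com lying around. Without a `registries:` block Dependabot resolves every package name through whatever `.npmrc` or default registry the repository provides, so confirm that the internal package scope is still mapped to npm.pkg.github.com there (or that the scope is claimed on the public registry), otherwise the first run after this change is a dependency-confusion exposure rather than a fix. I would record the reasoning in the file so the next person does not reintroduce the block, e.g. `# No registries block: internal packages are readable from npm.pkg.github.com without a token (CI-1040)` above `updates:`.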
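Review bot: The 7-day `cooldown` on the new `github-actions` entry only delays Dependabot's version-bump PRs; it has no effect on what a `uses: owner/action@v4` reference resolves to at run time if that tag is moved, which is the vector a supply-chain mitigation for actions needs to cover. The complementary control is pinning `uses:` references to a full commit SHA with a `# vX.Y.Z` comment, which Dependabot still updates, so this entry is only effective if the workflows are pinned that way. It is also worth confirming against the Dependabot documentation whether security updates are exempt from `cooldown`; if they are not, the npm entry now holds back fixes for already-published advisories for a week, and a comment above each `cooldown:` such as `# 7-day cooldown (CI-1108): give the ecosystem time to flag a malicious release before we pull it in` should state which trade-off was accepted.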