Skip to content

chore: drop Dependabot version-update config for security-only policy#228

Merged
rivercg merged 1 commit into
0.9.xfrom
chore/dependabot-security-only
Jun 22, 2026
Merged

chore: drop Dependabot version-update config for security-only policy#228
rivercg merged 1 commit into
0.9.xfrom
chore/dependabot-security-only

Conversation

@rivercg

@rivercg rivercg commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

What

Remove .github/dependabot.yml, switching the repo to a security-only
Dependabot policy.

Why

The weekly version-update scans (5 Go module dirs + GitHub Actions) generate a
steady stream of routine bump PRs that require manual review/verify each week.
We want to keep CVE coverage without the routine noise.

  • Version updates (routine "bump X to latest") are driven entirely by this
    file — removing it stops them.
  • Security updates (CVE-driven) are controlled by the repo security
    settings
    toggle, independent of this file, and are unaffected by this change.

Follow-up (repo admin, web UI)

Confirm Settings → Code security → Dependabot security updates is enabled so
vulnerability patches keep flowing. (The scoped CI token cannot read or change
that setting.)

Note

CI-config-only change — no buildable code touched, so just verify (cpworker
build + Go tests) is not applicable here.

Remove .github/dependabot.yml so Dependabot no longer opens weekly
version-bump PRs across the Go modules and GitHub Actions. CVE coverage
is retained via Dependabot *security* updates, which are controlled by
the repo security settings, not this file.
@rivercg rivercg merged commit 735b020 into 0.9.x Jun 22, 2026
1 check failed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant