From cb28fdb5aca6098c842b55823a07472abd8f4c4f Mon Sep 17 00:00:00 2001
From: Egor Dmitriev
Date: Wed, 27 May 2026 09:57:14 +0200
Subject: [PATCH 1/4] chore(deps): use uv ecosystem and add cooldown for supply-chain hardening
Two changes to the Dependabot config:
1. Switch `package-ecosystem` from `pip` to `uv` (both Python blocks). Dependabot has a dedicated `uv` ecosystem for projects with `uv.lock`. Previously `pip` worked as the umbrella fallback, but `uv` is the canonical value per Astral's docs: https://docs.astral.sh/uv/guides/integration/dependabot/
2. Add `cooldown` blocks to all three ecosystems. Brand-new releases wait a few days before Dependabot proposes a bump, giving the community time to surface malicious or broken releases. Cooldown is the main defence against supply-chain attacks like:
- xz-utils 2024 (malicious release caught within days of publication)
- tj-actions/changed-files March 2025 (compromised action detected fast by the community)
Values: 2 days patch / 5 days minor / 7 days major / 3 days default. Security updates bypass cooldown entirely so CVE fixes are never delayed. The cooldown applies only to non-security version-updates.
Signed-off-by: Egor Dmitriev
---
 .github/dependabot.yml | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d50f512fb..63ac3fbea 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,8 +7,12 @@
 # - Reduce PR volume (was ~1 PR per package per advisory) by grouping
 # patch+minor bumps into daily bundles.
 # - Keep security visible and fast: separate `applies-to: security-updates`
-# groups land within ~24h on the daily cadence rather than waiting
-# up to a week.
+# groups land within ~24h on the daily cadence. `cooldown` does NOT
+# apply to security updates, so CVE fixes are never throttled.
+# - Supply-chain hardening via `cooldown`: a brand-new release waits a
+# few days before Dependabot proposes a bump, which gives the
+# community time to surface malicious or broken releases (e.g.
+# xz-utils 2024, tj-actions/changed-files 2025).
+# - Major bumps stay individual — they often need code changes.
 #
 # Block layout:
@@ -26,7 +30,7 @@ updates:
 # ---------------------------------------------------------------------
 # Block 1 — Published packages (runtime + dev tooling at root)
 # ---------------------------------------------------------------------
- - package-ecosystem: pip
+ - package-ecosystem: uv
 directories:
 - "/"
 - "/packages/openstef-beam"
@@ -45,6 +49,13 @@ updates:
 labels:
 - dependencies
 - python:uv
+ # Cooldown applies to version-updates only. Security-updates bypass
+ # it entirely so CVE patches are never delayed.
+ cooldown:
+ default-days: 3
+ semver-patch-days: 2
+ semver-minor-days: 5
+ semver-major-days: 7
 groups:
 python-security:
 applies-to: security-updates
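Review bot: The `cooldown` block added in the third hunk (under the `/` uv block, and repeated verbatim for the `/docs` block and for github-actions) relies on `semver-patch-days`/`semver-minor-days`/`semver-major-days` being honoured for the `uv` ecosystem, and nothing in the series checks that; patch 4 later finds github-actions rejects those keys, so the same acceptance check is worth doing for `uv` before trusting the 2/5/7-day tiers. If they are accepted, then as I read Dependabot's precedence `default-days: 3` only governs releases that cannot be classified as patch/minor/major, which the added comment does not say; I would extend it with `# default-days applies only to releases Dependabot cannot classify by semver.` Cooldown is a time buffer, not verification: it improves the odds that a bad release is reported before it is proposed, but nothing here inspects the release itself, so the header's "supply-chain hardening" wording should be read as risk reduction rather than a guarantee.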
@@ -111,6 +127,14 @@ updates:
 labels:
 - dependencies
 - github-actions
+ # Actions are SHA-pinned but cooldown still helps catch incidents
+ # like tj-actions/changed-files (March 2025) where a compromised
+ # action was published and detected within days.
+ cooldown:
+ default-days: 3
+ semver-patch-days: 2
+ semver-minor-days: 5
+ semver-major-days: 7
 groups:
 actions-all:
 patterns:
From 467f8ee91d00e50688215d21f8ea9b4741ba20fe Mon Sep 17 00:00:00 2001
From: Egor Dmitriev
Date: Wed, 27 May 2026 16:35:26 +0200
Subject: [PATCH 2/4] chore(deps): tighten dependabot config per review
- Trim header to three terse bullets describing mechanics.
- Collapse blocks 1 and 2 into a single uv block scanning all workspace directories. The previous split existed only to route docs/examples deps (which list sphinx/jupyter under project.dependencies) into a separate "tooling" group. With the runtime/dev split removed (see below), that justification no longer applies.
- Merge python-runtime and python-dev groups into a single python-versions group. Cooldown already throttles routine bumps, so the production/development distinction wasn't earning its complexity.
- Drop inline explainers that described Dependabot's general behaviour rather than this config's choices.
- Drop prefix-development (never fires with grouping), explicit patterns: ["*"] (default catches all), and the chore(deps-docs) prefix divergence.
Signed-off-by: Egor Dmitriev
---
 .github/dependabot.yml | 94 ++++--------------------------------------
 1 file changed, 9 insertions(+), 85 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 63ac3fbea..9ebc03683 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,36 +3,18 @@
 # Dependabot configuration for the OpenSTEF uv workspace.
 #
-# Goals:
-# - Reduce PR volume (was ~1 PR per package per advisory) by grouping
-# patch+minor bumps into daily bundles.
-# - Keep security visible and fast: separate `applies-to: security-updates`
-# groups land within ~24h on the daily cadence. `cooldown` does NOT
-# apply to security updates, so CVE fixes are never throttled.
-# - Supply-chain hardening via `cooldown`: a brand-new release waits a
-# few days before Dependabot proposes a bump, which gives the
-# community time to surface malicious or broken releases (e.g.
-# xz-utils 2024, tj-actions/changed-files 2025).
-# - Major bumps stay individual — they often need code changes.
-#
-# Block layout:
-# - Block 1: published packages (root + packages/*). Splits runtime
-# (`project.dependencies`) from dev (`dependency-groups.dev`).
-# - Block 2: internal tooling (docs/, examples/). These workspace
-# members put sphinx/jupyter under `dependencies`, so the
-# production/development filter doesn't separate them usefully —
-# everything in these roots is treated as docs/example tooling.
-# - Block 3: GitHub Actions, single grouped daily PR.
+# - Patch/minor updates are grouped into daily PRs; majors stay individual.
+# - Cooldown delays brand-new releases by a few days as supply-chain protection.
+# - Security advisories are in their own group, exempt from cooldown.
 version: 2
 updates:
- # ---------------------------------------------------------------------
- # Block 1 — Published packages (runtime + dev tooling at root)
- # ---------------------------------------------------------------------
 - package-ecosystem: uv
 directories:
 - "/"
+ - "/docs"
+ - "/examples"
 - "/packages/openstef-beam"
 - "/packages/openstef-core"
 - "/packages/openstef-meta"
@@ -44,13 +26,10 @@ updates:
 open-pull-requests-limit: 10
 commit-message:
 prefix: "chore(deps)"
- prefix-development: "chore(deps-dev)"
 include: scope
 labels:
 - dependencies
 - python:uv
- # Cooldown applies to version-updates only. Security-updates bypass
- # it entirely so CVE patches are never delayed.
 cooldown:
 default-days: 3
 semver-patch-days: 2
@@ -59,61 +38,11 @@ updates:
 groups:
 python-security:
 applies-to: security-updates
- update-types:
- - patch
- - minor
- python-runtime:
- applies-to: version-updates
- dependency-type: production
- update-types:
- - patch
- - minor
- python-dev:
- applies-to: version-updates
- dependency-type: development
- update-types:
- - patch
- - minor
-
- # ---------------------------------------------------------------------
- # Block 2 — Internal tooling: docs and examples
- # ---------------------------------------------------------------------
- - package-ecosystem: uv
- directories:
- - "/docs"
- - "/examples"
- schedule:
- interval: daily
- time: "06:00"
- timezone: Europe/Amsterdam
- open-pull-requests-limit: 5
- commit-message:
- prefix: "chore(deps-docs)"
- include: scope
- labels:
- - dependencies
- - python:uv
- - documentation
- cooldown:
- default-days: 3
- semver-patch-days: 2
- semver-minor-days: 5
- semver-major-days: 7
- groups:
- python-tooling-security:
- applies-to: security-updates
- update-types:
- - patch
- - minor
- python-tooling:
+ update-types: [patch, minor]
+ python-versions:
 applies-to: version-updates
- update-types:
- - patch
- - minor
+ update-types: [patch, minor]
-
- # ---------------------------------------------------------------------
- # Block 3 — GitHub Actions
- # ---------------------------------------------------------------------
 - package-ecosystem: github-actions
 directory: "/"
 schedule:
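Review bot: Collapsing `python-runtime` and `python-dev` into the single `python-versions` group in the second hunk means one grouped PR now bundles bumps to published runtime dependencies together with docs/example tooling such as sphinx and jupyter (the commit message notes those sit under `project.dependencies`), so a reviewer can no longer tell from the PR which updates change what downstream users install. If that trade-off is intended, record it next to the group, e.g. `# runtime and docs/dev bumps are bundled; check the lock diff for packages/* before merging.`; otherwise keep a `dependency-type: production` group so runtime changes stay reviewable on their own. The new `update-types: [patch, minor]` flow lists sit beside block-style sequences such as `labels:` and `directories:` in the same file; both parse identically, but the yamllint/Prettier convention is block style for consistency.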
@@ -127,15 +56,10 @@ updates:
 labels:
 - dependencies
 - github-actions
- # Actions are SHA-pinned but cooldown still helps catch incidents
- # like tj-actions/changed-files (March 2025) where a compromised
- # action was published and detected within days.
 cooldown:
 default-days: 3
 semver-patch-days: 2
 semver-minor-days: 5
 semver-major-days: 7
 groups:
- actions-all:
- patterns:
- - "*"
+ actions-all: {}
From 8f99f1efb496b5cb9a94167d2a2ee1e3e4eec996 Mon Sep 17 00:00:00 2001
From: Egor Dmitriev
Date: Wed, 27 May 2026 16:37:58 +0200
Subject: [PATCH 3/4] chore(deps): fix actions-all group missing filter
Dependabot requires every group to declare at least one filter (patterns, applies-to, dependency-type, or update-types). Empty `{}` fails validation. Restore the explicit catch-all pattern.
Signed-off-by: Egor Dmitriev
---
 .github/dependabot.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 9ebc03683..ca686d16a 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -62,4 +62,5 @@ updates:
 semver-minor-days: 5
 semver-major-days: 7
 groups:
- actions-all: {}
+ actions-all:
+ patterns: ["*"]
From 5efcbf0bceb6729eb265a48f24d5e1c854fbd63d Mon Sep 17 00:00:00 2001
From: Egor Dmitriev
Date: Wed, 27 May 2026 16:40:24 +0200
Subject: [PATCH 4/4] chore(deps): drop unsupported semver-* cooldown fields for github-actions
The github-actions ecosystem does not version by semver, so Dependabot rejects semver-patch/minor/major-days. Only default-days is supported there.
Signed-off-by: Egor Dmitriev
---
 .github/dependabot.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ca686d16a..0b7a0af01 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -58,9 +58,6 @@ updates:
 - github-actions
 cooldown:
 default-days: 3
- semver-patch-days: 2
- semver-minor-days: 5
- semver-major-days: 7
 groups:
 actions-all:
 patterns: ["*"]
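Review bot: After the PATCH 4/4 hunk the github-actions `cooldown` carries only `default-days: 3`, so every action bump — including a major-version tag — waits 3 days rather than the 7-day major tier the `uv` block gets, and nothing in the file records that the semver keys are rejected for this ecosystem (that reasoning lives only in the commit message). Add a comment above `cooldown:` such as `# github-actions has no semver tiers; Dependabot accepts only default-days here.` so a later edit does not re-add the rejected keys to make the blocks look uniform. If a longer buffer for actions is wanted, raising `default-days` is the only lever this ecosystem offers.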