chore(deps): use uv ecosystem and add cooldown for supply-chain hardening

.github/dependabot.yml

@@ -3,32 +3,18 @@
 
 # Dependabot configuration for the OpenSTEF uv workspace.
 #
-# Goals:
-#  - Reduce PR volume (was ~1 PR per package per advisory) by grouping
-#    patch+minor bumps into daily bundles.
-#  - Keep security visible and fast: separate `applies-to: security-updates`
-#    groups land within ~24h on the daily cadence rather than waiting
-#    up to a week.
-#  - Major bumps stay individual — they often need code changes.
-#
-# Block layout:
-#  - Block 1: published packages (root + packages/*). Splits runtime
-#    (`project.dependencies`) from dev (`dependency-groups.dev`).
-#  - Block 2: internal tooling (docs/, examples/). These workspace
-#    members put sphinx/jupyter under `dependencies`, so the
-#    production/development filter doesn't separate them usefully —
-#    everything in these roots is treated as docs/example tooling.
-#  - Block 3: GitHub Actions, single grouped daily PR.
+#  - Patch/minor updates are grouped into daily PRs; majors stay individual.
+#  - Cooldown delays brand-new releases by a few days as supply-chain protection.
+#  - Security advisories are in their own group, exempt from cooldown.
 
 version: 2
 
 updates:
-  # ---------------------------------------------------------------------
-  # Block 1 — Published packages (runtime + dev tooling at root)
-  # ---------------------------------------------------------------------
-  - package-ecosystem: pip
+  - package-ecosystem: uv
     directories:
       - "/"
+      - "/docs"
+      - "/examples"
       - "/packages/openstef-beam"
       - "/packages/openstef-core"
       - "/packages/openstef-meta"
@@ -40,64 +26,23 @@ updates:
     open-pull-requests-limit: 10
     commit-message:
       prefix: "chore(deps)"
-      prefix-development: "chore(deps-dev)"
       include: scope
     labels:
       - dependencies
       - python:uv
+    cooldown:
+      default-days: 3
+      semver-patch-days: 2
+      semver-minor-days: 5
+      semver-major-days: 7
     groups:
       python-security:
         applies-to: security-updates
-        update-types:
-          - patch
-          - minor
-      python-runtime:
-        applies-to: version-updates
-        dependency-type: production
-        update-types:
-          - patch
-          - minor
-      python-dev:
-        applies-to: version-updates
-        dependency-type: development
-        update-types:
-          - patch
-          - minor
-
-  # ---------------------------------------------------------------------
-  # Block 2 — Internal tooling: docs and examples
-  # ---------------------------------------------------------------------
-  - package-ecosystem: pip
-    directories:
-      - "/docs"
-      - "/examples"
-    schedule:
-      interval: daily
-      time: "06:00"
-      timezone: Europe/Amsterdam
-    open-pull-requests-limit: 5
-    commit-message:
-      prefix: "chore(deps-docs)"
-      include: scope
-    labels:
-      - dependencies
-      - python:uv
-      - documentation
-    groups:
-      python-tooling-security:
-        applies-to: security-updates
-        update-types:
-          - patch
-          - minor
-      python-tooling:
+        update-types: [patch, minor]
+      python-versions:
         applies-to: version-updates
-        update-types:
-          - patch
-          - minor
+        update-types: [patch, minor]
 
-  # ---------------------------------------------------------------------
-  # Block 3 — GitHub Actions
-  # ---------------------------------------------------------------------
   - package-ecosystem: github-actions
     directory: "/"
     schedule:
@@ -111,7 +56,8 @@ updates:
     labels:
       - dependencies
       - github-actions
+    cooldown:
+      default-days: 3
     groups:
       actions-all:
-        patterns:
-          - "*"
+        patterns: ["*"]