
Add Dependabot Cooldown#402

Merged
skyguy94 merged 2 commits into main from security/dependabot-cooldown on May 20, 2026

Conversation

@skyguy94
Contributor

@skyguy94 skyguy94 commented May 20, 2026

Description of Changes

Adds a cooldown: block to each package-ecosystem entry in .github/dependabot.yml. Values follow the CE house style already in use by SecurityAndChangeControl:

cooldown:
  default-days: 7
  semver-major-days: 30
  semver-minor-days: 7
  semver-patch-days: 3

Cooldown delays version-update PRs by N days after publish, giving the ecosystem time to detect and yank malicious releases. Same risk applies to the github-actions ecosystem (poisoned third-party action via auto-PR), hence the same block there.

Review and manually apply the following workflow permissions:

gh api -X PUT repos/CareEvolution/OrchestrateSDK/actions/permissions/workflow \
  -F default_workflow_permissions=read \
  -F can_approve_pull_request_reviews=false

Rationale: https://careevolution.slack.com/archives/C0DEKSMFY/p1779275551026199?thread_ts=1779197176.503919&cid=C0DEKSMFY

Issue Link

N/A

Security

REMINDER: All file contents are public.

  • I have ensured no secure credentials or sensitive information remain in code, metadata, comments, etc.
  • My changes do not introduce any security risks, or any such risks have been properly mitigated.

Defensive change; reduces same-day auto-merge risk for compromised package versions. No new attack surface.

Change Control Board (CCB) Approval

CCB approval is required when the change affects organizational processes (like vulnerability management or disaster recovery), or has the potential to impact availability, security, or privacy. See the CR process for more detailed assessment guidelines.

  • This change does NOT require CCB approval.
  • This change DOES require CCB approval. Tag @careevolution/ccb.

Testing/Validation

N/A

Backout Plan

Describe how we will restore the system to its pre-change state if something goes wrong.

Revert the PR; Dependabot reverts to immediate version-update PRs.

Implementation Notes

Config-only change; no downtime, no operational impact.

Documentation Updates

  • This change has no documentation impact.
  • This change impacts external documentation (API docs, user guides). Tag @careevolution/mdhd-docs or @careevolution/api-docs.
  • This change impacts internal documentation (procedures, security plans, wiki). Tag the owner.

N/A -- internal change to .github/dependabot.yml.

Reviewers

  • I have assigned the appropriate reviewer(s).

Minimally, a second set of eyes is needed to ensure no non-public information is published. Consider also including subject-matter experts and editing/style reviewers.
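An added policy check for the two controls described in this PR, written for this page and not part of the OrchestrateSDK repository: it walks the parsed form of .github/dependabot.yml and flags any package-ecosystem entry that lacks the cooldown block or sets a value below the house-style minimum, and it checks the JSON returned by `gh api repos/OWNER/REPO/actions/permissions/workflow` against the permissions the PR asks to apply manually. The sample config and API responses are constructed; `check_cooldown` assumes the dict shape `yaml.safe_load` produces for a Dependabot config, and `check_workflow_permissions` assumes the response fields `default_workflow_permissions` and `can_approve_pull_request_reviews` used in the PR's command.

```python
"""Policy check: Dependabot cooldown present on every ecosystem, and the
repository's default workflow token restricted to read with PR approval off."""

# Minimum cooldown values from the PR description (CE house style).
EXPECTED_COOLDOWN = {
    "default-days": 7,
    "semver-major-days": 30,
    "semver-minor-days": 7,
    "semver-patch-days": 3,
}


def check_cooldown(config: dict) -> list[str]:
    """Return one finding per non-compliant package-ecosystem entry.

    `config` is the dict form of .github/dependabot.yml (as yaml.safe_load
    would return it). An empty list means every entry carries a cooldown block
    with every key at or above the expected minimum.
    """
    findings = []
    for entry in config.get("updates", []):
        eco = entry.get("package-ecosystem", "<unknown>")
        label = f"{eco} ({entry.get('directory', '/')})"
        cooldown = entry.get("cooldown")
        if not isinstance(cooldown, dict):
            # No cooldown at all: version-update PRs arrive the day a release is published.
            findings.append(f"{label}: no cooldown block")
            continue
        for key, minimum in EXPECTED_COOLDOWN.items():
            value = cooldown.get(key)
            if value is None:
                findings.append(f"{label}: cooldown.{key} missing")
            elif not isinstance(value, int) or value < minimum:
                findings.append(f"{label}: cooldown.{key}={value!r}, expected >= {minimum}")
    return findings


def check_workflow_permissions(api_response: dict) -> list[str]:
    """Compare the actions/permissions/workflow response with the PR's target state."""
    findings = []
    if api_response.get("default_workflow_permissions") != "read":
        findings.append("default_workflow_permissions is not 'read'")
    if api_response.get("can_approve_pull_request_reviews") is not False:
        findings.append("can_approve_pull_request_reviews is not false")
    return findings


# Constructed sample config: npm is compliant, github-actions has no cooldown,
# pip has a cooldown that is too short.
SAMPLE_CONFIG = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "npm", "directory": "/", "cooldown": dict(EXPECTED_COOLDOWN)},
        {"package-ecosystem": "github-actions", "directory": "/"},
        {"package-ecosystem": "pip", "directory": "/",
         "cooldown": {**EXPECTED_COOLDOWN, "default-days": 1}},
    ],
}

# Constructed sample API responses: one matching the PR's target, one not.
SAMPLE_PERMS_OK = {"default_workflow_permissions": "read",
                   "can_approve_pull_request_reviews": False}
SAMPLE_PERMS_BAD = {"default_workflow_permissions": "write",
                    "can_approve_pull_request_reviews": True}

if __name__ == "__main__":
    for finding in check_cooldown(SAMPLE_CONFIG):
        print("dependabot:", finding)
    for finding in check_workflow_permissions(SAMPLE_PERMS_BAD):
        print("workflow permissions:", finding)
```

In use, the config dict comes from `yaml.safe_load(open(".github/dependabot.yml"))` and the permissions dict from `json.loads(subprocess.check_output(["gh", "api", "repos/OWNER/REPO/actions/permissions/workflow"]))`; a non-empty findings list is the signal that either the cooldown policy or the manual permissions step has drifted.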

@skyguy94 skyguy94 changed the title chore(deps): add Dependabot cooldown to all ecosystems Add Dependabot Cooldown May 20, 2026
@skyguy94 skyguy94 requested a review from jeremytwfortune May 20, 2026 13:21
@jeremytwfortune
Collaborator

Unfortunately the semver-* values only work at the top of the group

@skyguy94 skyguy94 requested a review from mattk-ce May 20, 2026 13:34
@skyguy94 skyguy94 marked this pull request as ready for review May 20, 2026 13:34
@skyguy94 skyguy94 merged commit a1232ab into main May 20, 2026
16 checks passed
@skyguy94 skyguy94 deleted the security/dependabot-cooldown branch May 20, 2026 14:07