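--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,51 @@
+# Dependabot keeps two dependency surfaces current. Commit prefixes and the
+# `(deps)` scope follow the repo's Conventional Commits convention so the
+# squash titles read like every other PR (`ci(deps): ...`, `build(deps): ...`).
+#
+# cooldown: let a freshly released version soak for N days before its PR is
+# opened — supply-chain safety, so a malicious or broken release has time to
+# be caught/yanked first. It delays *version* updates only; security (CVE)
+# updates still open immediately, so we don't trade away urgent patches.
+version: 2
+updates:
+# GitHub Actions pinned across ci / nightly / release / build-publish.
+# `directory: "/"` scans .github/workflows/; local reusable-workflow
+# `uses: ./...` references are ignored automatically.
+- package-ecosystem: "github-actions"
+directory: "/"
+schedule:
+interval: "daily"
+# github-actions supports only the flat default-days (no per-semver-tier
+# cooldown), so every actions bump waits 3 days.
+cooldown:
+default-days: 3
+groups:
+github-actions:
+patterns:
+- "*"
+commit-message:
+prefix: "ci"
+include: "scope"
+
+# Swift Package Manager deps (Sparkle, KeyboardShortcuts, PermissionFlow).
+# This project has no top-level Package.swift — xcodegen declares the
+# packages in project.yml and the pins live in the Xcode project bundle
+# (LockIME.xcodeproj/.../swiftpm/Package.resolved). Dependabot's Swift
+# updater discovers that nested Package.resolved and reads the version
+# rules from project.pbxproj (xcodegen's `from:` → "up to next major"),
+# so it stays within each package's major and never proposes a major bump.
+- package-ecosystem: "swift"
+directory: "/"
+schedule:
+interval: "daily"
+# swift also supports semver-major/minor/patch-days if you ever want
+# majors to soak longer than patches; default-days: 3 keeps it uniform.
+cooldown:
+default-days: 3
+groups:
+swift:
+patterns:
+- "*"
+commit-message:
+prefix: "build"
+include: "scope"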
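Review bot: The supply-chain rationale in the header comment only holds for the `github-actions` entry if the workflows reference third-party actions by full commit SHA, and the comment above that entry says "pinned" without saying to what. A version tag is mutable upstream and is resolved on every workflow run, so a re-pointed tag takes effect with no Dependabot PR and no soak period. The workflows are not visible here, so this may already be the case. I would state the assumption next to the entry, e.g. `# Assumes third-party actions are pinned to full commit SHAs; a tag ref is mutable and is not covered by the cooldown.` Separately, the swift entry's "never proposes a major bump" depends on the updater inferring the range from project.pbxproj; an `ignore` rule for `dependency-name: "*"` with `update-types: ["version-update:semver-major"]` would enforce that instead of relying on it.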