b4fbd6fe9f
Deploy Site / deploy-vercel (push) Has been skipped
Deploy Site / deploy-docs (push) Has been skipped
Build Skills Index / build-index (push) Has been skipped
CI / Deny unrelated histories (push) Has been skipped
CI / Detect affected areas (push) Successful in 27m35s
CI / OSV scan (push) Failing after 4s
CI / Build&Test Docker image (push) Successful in 9s
CI / Supply-chain scan (push) Has been skipped
CI / Lint Docker scripts (push) Failing after 5m13s
CI / Check contributors (push) Failing after 12m8s
CI / Docs Site (push) Failing after 12m8s
CI / TypeScript (push) Failing after 12m8s
CI / Python lints (push) Failing after 12m9s
CI / Python tests (push) Failing after 12m9s
CI / Check uv.lock (push) Failing after 23m22s
CI / CI timing report (push) Has been cancelled
Build Skills Index / trigger-deploy (push) Has been cancelled
CI / All required checks pass (push) Has been cancelled
45 lines
1.7 KiB
YAML
45 lines
1.7 KiB
YAML
# Dependabot configuration for hermes-agent.
|
|
#
|
|
# Deliberately scoped to github-actions only.
|
|
#
|
|
# We do NOT enable Dependabot for pip / npm / any source-dependency ecosystem
|
|
# because we pin source dependencies exactly (uv.lock, package-lock.json) as
|
|
# part of our supply-chain posture. Automatic version-bump PRs against those
|
|
# pins would undermine the strategy — pins are moved deliberately, after
|
|
# review, not on a schedule.
|
|
#
|
|
# github-actions is the exception: action pins (we use full commit SHAs per
|
|
# supply-chain policy) must be updated when upstream actions publish
|
|
# patches — usually themselves security fixes. Dependabot opens a PR with
|
|
# the new SHA and release notes; we review and merge like any other PR.
|
|
#
|
|
# Security-update PRs for source dependencies (opened ONLY when a CVE is
|
|
# published affecting a currently-pinned version) are enabled separately
|
|
# via the repo's Dependabot security updates setting
|
|
# (Settings → Code security → Dependabot → Dependabot security updates).
|
|
# Those are CVE-only, not schedule-driven, and do not conflict with our
|
|
# pinning strategy — they fire when a pinned version becomes known-bad,
|
|
# which is exactly when we want to move the pin.
|
|
|
|
version: 2
|
|
updates:
|
|
- package-ecosystem: "github-actions"
|
|
directory: "/"
|
|
schedule:
|
|
interval: "weekly"
|
|
day: "monday"
|
|
open-pull-requests-limit: 5
|
|
labels:
|
|
- "dependencies"
|
|
- "github-actions"
|
|
commit-message:
|
|
prefix: "chore(actions)"
|
|
include: "scope"
|
|
groups:
|
|
# Batch routine action bumps into one PR per week to reduce noise.
|
|
# Security updates still open individually and bypass grouping.
|
|
actions-minor-patch:
|
|
update-types:
|
|
- "minor"
|
|
- "patch"
|