e93507a09c
Lockfile supply-chain audit / lockfile supply-chain audit (push) Has been cancelled
Windows Studio GGUF CI / GPU prebuilt resolves without Visual Studio (push) Has been cancelled
Windows Studio GGUF CI / setup.ps1 unit tests (VS 2026 / CMake guard) (push) Has been cancelled
Windows Studio GGUF CI / real-VS detection (VS 2022) (push) Has been cancelled
Windows Studio GGUF CI / real-VS detection (VS 2026) (push) Has been cancelled
Windows Studio GGUF CI / VC++ runtime detect + install round-trip (windows-2025-vs2026) (push) Has been cancelled
Windows Studio GGUF CI / VC++ runtime detect + install round-trip (windows-latest) (push) Has been cancelled
Windows Studio Update CI / Studio Updating Tests (push) Has been cancelled
Wheel CI / Wheel build + content sanity + import smoke (push) Has been cancelled
Lint CI / Source lint (Python + shell + YAML + JSON + safety nets) (push) Has been cancelled
MLX CI on Mac M1 / dispatch (push) Has been cancelled
Security audit / advisory audit (pip + npm + cargo) (push) Has been cancelled
Security audit / pip scan-packages :: extras (push) Has been cancelled
Security audit / pip scan-packages :: studio (push) Has been cancelled
Security audit / pip scan-packages :: hf-stack (push) Has been cancelled
Security audit / npm scan-packages (Studio frontend tarballs) (push) Has been cancelled
Security audit / workflow-trigger lint (pull_request_target / cache-poisoning) (push) Has been cancelled
Security audit / pytest tests/security (push) Has been cancelled
Security audit / npm provenance + new install-script diff (push) Has been cancelled
Studio API CI / Studio API & Auth Tests (push) Has been cancelled
Backend CI / (Python 3.10) (push) Has been cancelled
Backend CI / (Python 3.11) (push) Has been cancelled
Backend CI / (Python 3.12) (push) Has been cancelled
Backend CI / (Python 3.13) (push) Has been cancelled
Backend CI / Repo tests (CPU) (push) Has been cancelled
Frontend CI / Frontend build + bundle sanity (push) Has been cancelled
Studio GGUF CI / OpenAI, Anthropic API tests (push) Has been cancelled
Studio GGUF CI / Tool calling Tests (push) Has been cancelled
Studio GGUF CI / JSON, images (push) Has been cancelled
Mac Studio GGUF CI / OpenAI, Anthropic API tests (push) Has been cancelled
Mac Studio GGUF CI / Tool calling Tests (push) Has been cancelled
Mac Studio GGUF CI / JSON, images (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-14) (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-15) (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-26) (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-15-intel) (push) Has been cancelled
Mac Studio API CI / Studio API & Auth Tests (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-26-intel) (push) Has been cancelled
Mac Studio UI CI / Chat UI Tests (push) Has been cancelled
Studio Tauri CI / Tauri Linux debug build (no codesign) (push) Has been cancelled
Mac Studio Update CI / Studio Updating Tests (push) Has been cancelled
Studio UI CI / Chat UI Tests (push) Has been cancelled
Windows Studio API CI / Studio API & Auth Tests (push) Has been cancelled
Windows Studio UI CI / Chat UI Tests (push) Has been cancelled
Studio Update CI / Studio Updating Tests (push) Has been cancelled
Core / Core (HF=default + TRL=default) (push) Has been cancelled
Core / Core (HF=4.57.6 + TRL<1) (push) Has been cancelled
Core / Core (HF=latest + TRL=latest) (push) Has been cancelled
Core / llama.cpp build + smoke (push) Has been cancelled
Windows Studio GGUF CI / OpenAI, Anthropic API tests (push) Has been cancelled
Windows Studio GGUF CI / Tool calling Tests (push) Has been cancelled
Windows Studio GGUF CI / JSON, images (push) Has been cancelled
Windows Studio GGUF CI / Studio install + inference without Visual Studio (push) Has been cancelled
Studio export capability / capability (macos-latest) (push) Has been cancelled
Studio export capability / capability (ubuntu-latest) (push) Has been cancelled
Studio export capability / capability (windows-latest) (push) Has been cancelled
Cross-platform parity / parity (macos-latest) (push) Has been cancelled
Cross-platform parity / parity (windows-latest) (push) Has been cancelled
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Studio load-orchestrator CI / test (push) Has been cancelled
101 lines
3.1 KiB
YAML
101 lines
3.1 KiB
YAML
---
|
|
version: 2
|
|
updates:
|
|
- package-ecosystem: "github-actions"
|
|
directory: "/"
|
|
schedule:
|
|
interval: "weekly"
|
|
cooldown:
|
|
# github-actions refs are git tags / SHAs, not semver -- the
|
|
# `semver-minor-days` / `semver-patch-days` knobs are rejected
|
|
# by Dependabot's validator for this ecosystem. Only the
|
|
# `default-days` floor applies.
|
|
default-days: 7
|
|
groups:
|
|
actions:
|
|
patterns: ["*"]
|
|
actions-security:
|
|
applies-to: security-updates
|
|
patterns: ["*"]
|
|
|
|
# Removed a stray `package-ecosystem: "bun"` entry for
|
|
# /studio/frontend: that path has no bun.lock / bun.lockb, so
|
|
# Dependabot's bun ecosystem silently no-ops on it. The actual
|
|
# lockfile committed at /studio/frontend is package-lock.json
|
|
# (npm), and the npm entry further below already catches
|
|
# npm_and_yarn security advisories for that directory. Version
|
|
# updates for /studio/frontend stay suppressed (open-pull-
|
|
# requests-limit: 0 in that entry) -- security PRs flow through
|
|
# regardless. Add a real bun entry IF and WHEN bun.lock lands.
|
|
|
|
- package-ecosystem: "npm"
|
|
directory: "/studio/backend/core/data_recipe/oxc-validator"
|
|
schedule:
|
|
interval: "weekly"
|
|
cooldown:
|
|
default-days: 7
|
|
semver-minor-days: 3
|
|
semver-patch-days: 3
|
|
groups:
|
|
npm-oxc-validator:
|
|
patterns: ["*"]
|
|
npm-oxc-validator-security:
|
|
applies-to: security-updates
|
|
patterns: ["*"]
|
|
|
|
# pip + cargo grouped weekly; the *-security siblings batch
|
|
# advisories that would otherwise each open their own PR.
|
|
- package-ecosystem: "pip"
|
|
directory: "/"
|
|
schedule:
|
|
interval: "weekly"
|
|
open-pull-requests-limit: 5
|
|
cooldown:
|
|
default-days: 7
|
|
groups:
|
|
python:
|
|
patterns: ["*"]
|
|
python-security:
|
|
applies-to: security-updates
|
|
patterns: ["*"]
|
|
|
|
- package-ecosystem: "cargo"
|
|
directory: "/studio/src-tauri"
|
|
schedule:
|
|
interval: "weekly"
|
|
cooldown:
|
|
default-days: 7
|
|
semver-minor-days: 3
|
|
semver-patch-days: 3
|
|
groups:
|
|
cargo-tauri:
|
|
patterns: ["*"]
|
|
cargo-tauri-security:
|
|
applies-to: security-updates
|
|
patterns: ["*"]
|
|
|
|
# /studio/frontend npm dependencies. Version-update PRs are
|
|
# deliberately suppressed (open-pull-requests-limit: 0) -- the
|
|
# frontend dep tree is large, the lockfile is the authoritative
|
|
# pin, and `min-release-age=7` in studio/frontend/.npmrc already
|
|
# blocks fresh tarballs at install time. Security advisories
|
|
# arrive via GitHub's npm_and_yarn channel and are NOT capped by
|
|
# `open-pull-requests-limit` per Dependabot's documented
|
|
# behaviour; they flow through this entry, group together, and
|
|
# still respect the cooldown below so we never ingest a tarball
|
|
# that was hot-published less than 3 days ago.
|
|
- package-ecosystem: "npm"
|
|
directory: "/studio/frontend"
|
|
schedule:
|
|
interval: "weekly"
|
|
open-pull-requests-limit: 0
|
|
cooldown:
|
|
default-days: 7
|
|
semver-minor-days: 3
|
|
semver-patch-days: 3
|
|
groups:
|
|
npm-frontend-security:
|
|
applies-to: security-updates
|
|
patterns: ["*"]
|
|
...
|