mirror of
https://github.com/supabase/setup-cli.git
synced 2026-05-13 11:26:59 +00:00
c099ad8c4a
## What changed This updates our Dependabot policy to reduce routine dependency-update noise while keeping minor and patch updates moving automatically. - Configure Dependabot to run weekly on Tuesday at 09:00 Europe/Paris for both `github-actions` and `bun` - Group all minor and patch updates per ecosystem: - one GitHub Actions update PR - one Bun dependency update PR - Keep major updates ungrouped so Dependabot opens individual PRs for manual review - Reduce routine open Dependabot PRs to one per ecosystem - Add cooldown windows so Dependabot avoids immediately chasing fresh releases: - 7 days for minor updates - 2 days for patch updates - Update the Dependabot automerge workflow to generate a GitHub App token before approving PRs - Auto-approve and enable automerge only for patch and minor updates, including `0.x` minors - Leave major update PRs for human review and merge ## Why Dependabot was not able to approve/automerge PRs using the default token. This follows the GitHub App token pattern recommended by security, while also tuning Dependabot for a better signal-to-noise ratio. The resulting behavior is: - minor/patch updates are batched weekly and can merge after CI passes - major updates still appear, but individually and without automerge - security updates remain handled by Dependabot/GitHub outside the routine grouping policy