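# Dependabot configuration: one update entry for Cargo crates and one for
# GitHub Actions, both checked weekly on Friday. Nesting is restored here so
# each key sits under its own update entry.
version: 2
updates:
  # Rust dependencies — weekly check for security patches and version bumps.
  # OpenSSL is vendored, so openssl-sys bumps are the mechanism for CVE fixes.
  # The schedule below drives version updates; Dependabot security updates are
  # switched on in the repository settings, not in this file — confirm they
  # are enabled.
  # NOTE(review): with a vendored build the bundled OpenSSL release usually
  # comes from the openssl-src crate pulled in by openssl-sys — confirm that
  # crate is bumped too when an OpenSSL advisory lands.
  - package-ecosystem: cargo
    directory: "/"
    schedule:
      interval: weekly
      day: friday
    commit-message:
      prefix: "chore(deps):"
    labels:
      - dependencies
    # Cap on simultaneously open version-update PRs for this ecosystem.
    open-pull-requests-limit: 5
    groups:
      # Batch minor and patch Rust dep bumps into a single weekly PR.
      # Major bumps are not listed under update-types, so they fall outside
      # this group and are proposed separately. The group sets no applies-to
      # key, so it covers version updates only and security fixes are not
      # held back for the weekly batch.
      rust-dependencies:
        update-types:
          - minor
          - patch

  # GitHub Actions — pinned to full SHA; Dependabot proposes SHA bumps.
  # The pinning itself lives in the workflow files; nothing in this file
  # enforces it, so an action referenced by tag or branch stays unpinned.
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: weekly
      day: friday
    commit-message:
      prefix: "chore(ci):"
    labels:
      - ci
    # Cap on simultaneously open version-update PRs for this ecosystem.
    open-pull-requests-limit: 3
    groups:
      # Batch all action version bumps into a single weekly PR.
      # Major bumps are included, so one PR can change several pinned SHAs at
      # once; check each new SHA against the action's release before merging.
      actions:
        update-types:
          - major
          - minor
          - patch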