1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
version: 2
updates:
# Keep SHA-pinned GitHub Actions current. Dependabot opens PRs that bump
# both the pinned commit SHA and the trailing version comment.
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
groups:
# Collapse all action bumps into a single weekly PR instead of one per
# action. Review the changelogs together, then merge once.
github-actions:
patterns:
- "*"
# Cargo dependency updates for the crate itself.
- package-ecosystem: cargo
directory: /
schedule:
interval: weekly
ignore:
# `sha3` and `sha2` are intentionally held at the 0.11 line: the
# transitive `ml-kem 0.3.x` dependency requires `sha3 ^0.11`, and `sha2`
# must share the same `digest 0.11` to keep a single `digest`/`keccak`
# version in the tree (see CHANGELOG v0.3.7 / v0.4.0). A bump to 0.12 on
# either crate cannot unify with `ml-kem` and will fail to compile, so
# those PRs are noise until `ml-kem` itself moves to `sha3 0.12`.
# Re-evaluate (and drop this ignore) when `ml-kem` bumps `sha3`.
- dependency-name: "sha3"
update-types:
- dependency-name: "sha2"
update-types:
groups:
# Batch low-risk patch/minor bumps. Major bumps (and 0.x minor bumps,
# which are breaking) stay as separate PRs so cryptography dependencies
# get individual review.
cargo-minor:
update-types:
- "minor"
- "patch"