.github/dependabot.yml: disable eager updates for Go.

Given our development cycle, we'll instead do big-bang updates after every release, to give time for all the updates to soak in unstable. This does _not_ disable dependabot security-critical PRs. Signed-off-by: David Anderson <danderson@tailscale.com>
2 years ago · 9f867ad2c5
parent c0701b130d
commit 9f867ad2c5
1 changed files with 11 additions and 7 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -2,13 +2,17 @@
 # https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
 version: 2
 updates:
-  - package-ecosystem: "gomod"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    commit-message:
-      prefix: "go.mod:"
-    open-pull-requests-limit: 100
+  ## Disabled between releases. We reenable it briefly after every
+  ## stable release, pull in all changes, and close it again so that
+  ## the tree remains more stable during development and the upstream
+  ## changes have time to soak before the next release.
+  # - package-ecosystem: "gomod"
+  #   directory: "/"
+  #   schedule:
+  #     interval: "daily"
+  #   commit-message:
+  #     prefix: "go.mod:"
+  #   open-pull-requests-limit: 100
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule: