From 9f867ad2c5405bb1533b6ed2f277c4069a2c49de Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Mon, 6 Dec 2021 12:38:47 -0800
Subject: [PATCH] .github/dependabot.yml: disable eager updates for Go.
Given our development cycle, we'll instead do big-bang updates after every release, to give time for all the updates to soak in unstable. This does _not_ disable dependabot security-critical PRs.
Signed-off-by: David Anderson
---
 .github/dependabot.yml | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d20507782..14c912905 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -2,13 +2,17 @@
 # https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
 version: 2
 updates:
- - package-ecosystem: "gomod"
- directory: "/"
- schedule:
- interval: "daily"
- commit-message:
- prefix: "go.mod:"
- open-pull-requests-limit: 100
+ ## Disabled between releases. We reenable it briefly after every
+ ## stable release, pull in all changes, and close it again so that
+ ## the tree remains more stable during development and the upstream
+ ## changes have time to soak before the next release.
+ # - package-ecosystem: "gomod"
+ # directory: "/"
+ # schedule:
+ # interval: "daily"
+ # commit-message:
+ # prefix: "go.mod:"
+ # open-pull-requests-limit: 100
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
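Review bot: Commenting out the whole `gomod` entry also drops its `commit-message` prefix, which Dependabot would otherwise apply to security-update PRs for this ecosystem, so Go security PRs opened while the block is disabled will likely arrive without the `go.mod:` prefix. Keeping the entry and changing only its last line to `open-pull-requests-limit: 0` is the documented way to stop version updates while leaving the rest of the entry in effect. The new `##` comment should also carry the point that currently lives only in the commit message, e.g. `## Security updates are unaffected; they are controlled by the repository's Dependabot security updates setting.` That setting is not visible in this diff, so it is worth confirming it is enabled before relying on it. The `updates:` list continues past the end of the hunk.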