ci: harden dependabot review workflow

lelia · lelia · commit 5cf294b62709 · 2026-03-31T16:32:32.000-04:00
Signed-off-by: lelia &lt;2418071+lelia@users.noreply.github.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -9,6 +9,12 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 5
+    allow:
+      - dependency-name: "python"
+      - dependency-name: "ghcr.io/astral-sh/uv"
+      - dependency-name: "trufflesecurity/trufflehog"
+      - dependency-name: "aquasec/trivy"
     labels:
       - "dependencies"
       - "docker"
@@ -23,6 +29,13 @@ updates:
     directory: "/app_tests"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 2
+    allow:
+      - dependency-name: "python"
+      - dependency-name: "golang"
+      - dependency-name: "securego/gosec"
+      - dependency-name: "trufflesecurity/trufflehog"
+      - dependency-name: "aquasec/trivy"
     labels:
       - "dependencies"
       - "docker"
@@ -37,6 +50,14 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 4
+    groups:
+      github-actions-minor-patch:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
     labels:
       - "dependencies"
       - "github-actions"
