From 379eecacb02431d24fde19aa6b32b577ed45abff Mon Sep 17 00:00:00 2001
From: stevenhorsman
Date: Tue, 13 Jan 2026 11:38:19 +0000
Subject: [PATCH] dependabot: Add cooldown

It's good practice to get dependabot to wait after a release before bumping to avoid it bumping to a release done seconds before, which could have supply-chain security implications, so add a 7 day cooldown to help with this.

See https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns

Signed-off-by: stevenhorsman
---
 .github/dependabot.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 52f755bc0d..5dfa732bc2 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -15,6 +15,8 @@ updates:
 - "/src/tools/trace-forwarder"
 schedule:
 interval: "daily"
+ cooldown:
+ default-days: 7
 ignore:
 # rust-vmm repos might cause incompatibilities on patch versions, so
 # lets handle them manually for now.
@@ -85,8 +87,12 @@ updates:
 - "src/tools/csi-kata-directvolume"
 schedule:
 interval: "daily"
+ cooldown:
+ default-days: 7
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
 interval: "monthly"
+ cooldown:
+ default-days: 7
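Review bot: The three added `cooldown:` blocks (first in the `@@ -15,6 +15,8` hunk, then twice in the `@@ -85,8 +87,12` hunk) carry no comment, so the reason for the 7-day figure lives only in the commit message; a one-line comment above each block, or at least the first, would keep the rationale with the config, e.g. `# Wait 7 days after a release before bumping, so a just-published (possibly compromised) version is not pulled in immediately.`. It would also help to state in that comment, after confirming against GitHub's current documentation, that the cooldown is expected to delay version updates only and not Dependabot security updates, so advisory-driven fixes are not slowed down. The diff shows only three `updates` entries gaining a cooldown; if the file declares further entries between the two hunks (the lines from 23 to 85 are not shown), they would keep bumping with no cooldown and should get the same block, since dependabot.yml has no file-wide default. Both hunks sit inside the top-level `updates:` list, which begins and ends outside the hunks.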