Loading...

XML

Word

Printable

JSON

Type: Task
Resolution: Unresolved
Priority: Unknown
Fix Version/s: None
Affects Version/s: None
Component/s: Infrastructure
Labels:
- greenerbuild

Confidence Status:
None

Assigned Teams:

Python Drivers

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Link:
None
Goal Name(s):
None

Context

zizmor recommends using the cooldown option for dependabot - it avoids spurious errors like the one we reported as https://github.com/zizmorcore/zizmor-action/issues/73.
Note that this only affects {}version{} updates, not {}security{} updates.

Additionally, it appears that if you do not add a version comment, then dependabot will attempt to bump a version that isn't part of any release, which appears to have contributed to this problem.

Definition of done

Add cooldown to dependabot configurations, e.g.

  # update once a week, with a 7-day cooldown
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    cooldown:
      default-days: 7

Also audit actions that use a hash to make sure they also use a version comment.

Pitfalls

None

Assignee:: Noah Stapp
Reporter:: Steve Silvester
Votes:: 0 Vote for this issue
Watchers:: 1 Start watching this issue

Created:: Jan 12 2026 06:01:25 PM UTC
Updated:: Jan 26 2026 12:51:30 PM UTC

Details

Description

Context

Definition of done

Pitfalls

Attachments

Activity

People

Dates