
security: Delay dependabot updates [TAROT-3707] #285

Merged: afsmeira merged 1 commit into master from am/delay-dependabot-updates on May 4, 2026

Conversation

@afsmeira (Contributor) commented:

7 days should be enough when most malicious packages are patched within 24 hours.

@codacy-production: Up to standards ✅ (Issues: 0, Results: 0 new issues)


@codacy-production (bot) left a review comment:


Pull Request Overview

The pull request attempts to implement a security-focused delay for Dependabot updates to mitigate the risk of malicious package versions. However, the implementation uses an unsupported cooldown property, which is not part of the GitHub Dependabot v2 configuration schema. Consequently, the setting will be ignored or cause a configuration error, failing to meet the requirement for a 7-day update delay.

Since GitHub does not natively support a release-age delay, you may need to reconsider the approach. Alternatives include switching the schedule to weekly to reduce frequency or migrating to a tool like Renovate, which explicitly supports a minimumReleaseAge configuration.

About this PR

  • The proposed security delay cannot be achieved with the current implementation. The Dependabot schema will likely ignore the cooldown key, leaving the repository vulnerable to immediate updates of potentially compromised packages, which contradicts the PR's intent.

Test suggestions

  • Verify that the dependabot.yml file adheres to the official GitHub schema.
  • Confirm that a new pip package release does not trigger a Dependabot PR until 7 days have passed.

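Whatever tool ends up enforcing it, the policy this PR wants, and that the review's second test suggestion describes, is a release-age gate: a freshly published version is not a candidate for an update PR until it has been public for a minimum number of days, which is the window in which a compromised release is usually detected and pulled. As an added example, not code from this PR or its repository, the gate is modelled below in Python over a constructed PyPI-style release listing; the evaluation time, the sample versions and their dates, and the 7-day default are all assumptions made for the illustration.

```python
"""Release-age gate: only consider package versions that have been public
for at least N days. Added example; not part of the PR under review."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of PyPI's JSON API "releases" mapping:
# version -> list of uploaded files, each with an ISO-8601 upload time and
# a "yanked" flag. Versions and dates are made up for this example.
SAMPLE_RELEASES = {
    "1.2.0": [{"upload_time_iso_8601": "2026-04-20T10:00:00Z", "yanked": False}],
    "1.2.1": [{"upload_time_iso_8601": "2026-05-01T09:30:00Z", "yanked": False}],
    "1.2.2": [{"upload_time_iso_8601": "2026-04-22T08:00:00Z", "yanked": True}],
    "1.3.0": [{"upload_time_iso_8601": "2026-05-03T18:45:00Z", "yanked": False}],
}

# Assumed evaluation time for the example (the PR's merge time on the page).
NOW = datetime(2026, 5, 4, 13, 31, tzinfo=timezone.utc)


def _parse_time(stamp):
    """Parse an ISO-8601 timestamp, accepting the trailing 'Z' that PyPI emits."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def _version_key(version):
    """Numeric sort key for simple dotted versions ('1.10.0' sorts after '1.9.2')."""
    return tuple(int(part) for part in version.split("."))


def published_at(files):
    """Publication time of a release: the earliest non-yanked file upload.

    Returns None when every file of the release was yanked, so a version that
    the maintainers withdrew never counts as a candidate.
    """
    times = [_parse_time(f["upload_time_iso_8601"]) for f in files if not f.get("yanked")]
    return min(times) if times else None


def eligible_versions(releases, now=NOW, min_age_days=7):
    """Versions public for at least min_age_days, oldest to newest."""
    cutoff = now - timedelta(days=min_age_days)
    eligible = []
    for version, files in releases.items():
        published = published_at(files)
        if published is not None and published <= cutoff:
            eligible.append(version)
    return sorted(eligible, key=_version_key)


def newest_eligible(releases, now=NOW, min_age_days=7):
    """The version an update PR should target under the cooldown, or None."""
    eligible = eligible_versions(releases, now, min_age_days)
    return eligible[-1] if eligible else None


if __name__ == "__main__":
    for days in (0, 1, 7):
        target = newest_eligible(SAMPLE_RELEASES, min_age_days=days)
        print(f"cooldown={days}d -> newest eligible version: {target}")
```

With the sample data, a 0-day window would propose the release published the day before, a 1-day window still excludes it and falls back to the previous release, and the 7-day window the PR description argues for only admits the version that has been public for two weeks. Yanked-only versions are excluded regardless of age, since a withdrawn release is never a safe target.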

Comment thread .github/dependabot.yml
afsmeira changed the title from "security: Delay dependabot updates" to "security: Delay dependabot updates [TAROT-3707]" on May 4, 2026
afsmeira merged commit 028c8b7 into master on May 4, 2026 (7 checks passed)
afsmeira deleted the am/delay-dependabot-updates branch on May 4, 2026 at 13:31