Add CODEOWNERS for dependency files and use cooldown instead of reviewers in Dependabot config #389
Merged
…son, flag web team for review
…. Add cooldown of 1 day to prevent dependabot from opening up a PR that pnpm will fail
0ec3ed9 to
1f9a57a
jacobgkau (Member) approved these changes on Jun 15, 2026 and left a comment:
The web team previously did not need to allocate bandwidth (and could not become a bottleneck) for software (mdBook) updates in this repo. If the members of @system76/web-engineering are okay with needing to allocate the time to review this repo's dependency bumps, then this organizationally makes sense.
`.github/CODEOWNERS` (new file)

Adds code ownership for `package.json`, `pnpm-lock.yaml`, and `pnpm-workspace.yaml`, assigning `@system76/web-engineering` as reviewers. This replaces the `reviewers` field previously set directly in `dependabot.yml` — GitHub now recommends CODEOWNERS for this since Dependabot's `reviewers` option only supports the legacy review-request flow and CODEOWNERS works more consistently across PR review requirements.

`.github/dependabot.yml`

- Removes `reviewers: ["system76/web-engineering"]` from both ecosystems (now handled via CODEOWNERS).
- Adds `cooldown.default-days: 1` to both ecosystems, so Dependabot won't open a PR for a new release until it's at least 1 day old.

This aligns Dependabot's PR-creation timing with our pnpm `minimumReleaseAge` policy (24h), preventing Dependabot from proposing package versions that CI will immediately reject for being too recently published — which was happening with `astro@6.4.7`.
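
A drift check for the two settings this PR aligns, as an added example that is not part of the pull request or the repository. It assumes pnpm's `minimumReleaseAge` is set in `pnpm-workspace.yaml` in minutes and that the pnpm-managed packages are updated through Dependabot's `npm` ecosystem; the sample files, directories and function names are constructed.

```python
import re

# Constructed samples: ecosystem names and directories are assumptions, not from the PR.
DEPENDABOT_YML = """\
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    cooldown:
      default-days: 1
  - package-ecosystem: "npm"
    directory: "/docs"
  - package-ecosystem: "github-actions"
    directory: "/"
"""
PNPM_WORKSPACE_YAML = "minimumReleaseAge: 1440  # pnpm counts this in minutes (24h)\n"

def parse_updates(text):
    """Line-based scan of dependabot.yml (no YAML library): one dict per entry."""
    entries = []
    for line in text.splitlines():
        m = re.match(r'\s*-\s*package-ecosystem:\s*["\']?([\w-]+)', line)
        if m:
            entries.append({"ecosystem": m.group(1), "directory": None, "days": 0})
        elif entries:
            m = re.match(r'\s*(directory|default-days):\s*["\']?([^"\'\s#]+)', line)
            if m and m.group(1) == "directory":
                entries[-1]["directory"] = m.group(2)
            elif m:
                entries[-1]["days"] = int(m.group(2))
    return entries

def minimum_release_age(text):
    """minimumReleaseAge from pnpm-workspace.yaml, in minutes (0 when unset)."""
    m = re.search(r'^minimumReleaseAge:\s*(\d+)', text, re.MULTILINE)
    return int(m.group(1)) if m else 0

def short_cooldowns(dependabot_text, workspace_text):
    """Directories of npm entries whose cooldown is shorter than pnpm's minimum age."""
    need = minimum_release_age(workspace_text)
    return [e["directory"] for e in parse_updates(dependabot_text)
            if e["ecosystem"] == "npm" and e["days"] * 24 * 60 < need]

if __name__ == "__main__":
    print(short_cooldowns(DEPENDABOT_YML, PNPM_WORKSPACE_YAML))
```

Run against the real files in CI, a non-empty result means Dependabot can still propose a version that the pnpm install step rejects as too recently published.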