Update dependabot.yaml for security updates

Testing if dependabot can create security pull request for release-2.6, 2.7 and 2.8 branches. I am trying to cheat with a separate `updates` entry per branch. Most likely dependabot cannot bump only security-relevan dependencies in older branches, see dependabot/dependabot-core#2767 (comment)
jsafrane · Jun 15, 2023 · a68bc84 · a68bc84
1 parent c9200e1
commit a68bc84
Showing 1 changed file with 40 additions and 3 deletions.
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -1,5 +1,15 @@
 version: 2
 updates:
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+      interval: "daily"
+  labels:
+    - "area/dependency"
+    - "release-note-none"
+    - "ok-to-test"
+  open-pull-requests-limit: 10
+
 - package-ecosystem: gomod
   directory: "/"
   schedule:
@@ -9,12 +19,39 @@ updates:
     - "release-note-none"
     - "ok-to-test"
   open-pull-requests-limit: 10
-- package-ecosystem: "github-actions"
+
+# The list below needs to be maintained manually with every branch we support.
+# It allows dependabot to open security-only updates in supported branches.
+# ("open-pull-requests-limit: 0" blocks non-security updates)
+- package-ecosystem: gomod
+  open-pull-requests-limit: 0
+  target-branch: "release-2.6"
   directory: "/"
   schedule:
-      interval: "daily"
+    interval: daily
+  labels:
+    - "area/dependency"
+    - "release-note-none"
+    - "ok-to-test"
+
+- package-ecosystem: gomod
+  open-pull-requests-limit: 0
+  target-branch: "release-2.7"
+  directory: "/"
+  schedule:
+    interval: daily
+  labels:
+    - "area/dependency"
+    - "release-note-none"
+    - "ok-to-test"
+
+- package-ecosystem: gomod
+  open-pull-requests-limit: 0
+  target-branch: "release-2.8"
+  directory: "/"
+  schedule:
+    interval: daily
   labels:
     - "area/dependency"
     - "release-note-none"
     - "ok-to-test"
-  open-pull-requests-limit: 10