From 7745c20ef89637fcd942555fdaf9367545b3172c Mon Sep 17 00:00:00 2001
From: Aga Dufrat
Date: Thu, 16 Apr 2026 15:26:49 +0100
Subject: [PATCH 1/6] =?UTF-8?q?Update=20Dependabot=20config=20format=C2=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

For consistency with other repos. The quotes are not needed.
---
 .github/dependabot.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 709997f1..e4367120 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,7 +4,8 @@ updates:
     directory: /
     schedule:
       interval: daily
-  - package-ecosystem: "github-actions"
+
+  - package-ecosystem: github-actions
     directory: /
     schedule:
       interval: daily

From 8d13a4cacd3fdf58f25755064a714826c0ede56f Mon Sep 17 00:00:00 2001
From: Aga Dufrat
Date: Thu, 16 Apr 2026 15:28:24 +0100
Subject: [PATCH 2/6] Introduce Dependabot cooldown period
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This gives the community time to flag compromised or broken releases before updates are applied, helping us avoid pulling in unstable or unsafe dependencies. Sets the values according to GOV.UK Developer docs recommendations:  - 3 days for code dependencies - 7 days for infrastructure tooling (Terraform, Docker), as these changes tend to carry more risk. https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-
---
 .github/dependabot.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index e4367120..8abb350a 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,8 +4,12 @@ updates:
     directory: /
     schedule:
       interval: daily
+    cooldown:
+      default-days: 3
 
   - package-ecosystem: github-actions
     directory: /
     schedule:
       interval: daily
+    cooldown:
+      default-days: 3
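Review bot: The second `+      default-days: 3` in the cooldown hunk applies the code-dependency value to the github-actions entry, while the commit message reserves 7 days for infrastructure tooling that carries more risk; an action update runs inside CI with whatever secrets the workflow holds, so it plausibly belongs in that higher-risk class and `default-days: 7` for that entry would follow the stated rule. Whichever number is kept, the rationale lives only in the commit message, and a comment in the file itself would keep it with the setting, e.g. `# 3-day cooldown: lets the community flag a compromised or broken release before it is pulled in`. A cooldown only delays a bad release; it does not replace reading what the PR changes. The cooldown hunk is the second of the two hunks on this line; the first (quote removal) needs no review.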
From 0bc34374348664f621a503360ecc3c19ce2f7ba3 Mon Sep 17 00:00:00 2001
From: Aga Dufrat
Date: Thu, 16 Apr 2026 15:28:52 +0100
Subject: [PATCH 3/6] Group Dependabot PRs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Groups Bundler updates to reduce noise and make reviews more focused by batching related dependencies together. Test libraries (e.g. Minitest, SimpleCov) are grouped so they can be reviewed and updated in context. This approach helps streamline pull requests, making them less disruptive to the team’s delivery work. We’re only using one linter for ruby so there’s no point in grouping at the moment. https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#groups--
---
 .github/dependabot.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 8abb350a..e1e5550f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,6 +6,12 @@ updates:
       interval: daily
     cooldown:
       default-days: 3
+    groups:
+      test:
+        patterns:
+          - "minitest"
+          - "mocha"
+          - "simplecov"
 
   - package-ecosystem: github-actions
     directory: /

From 68aa8d18e676451a5e45953c126486a3e16608a7 Mon Sep 17 00:00:00 2001
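Review bot: The three `patterns` entries are exact gem names, so `"minitest"` matches only the `minitest` gem and not companion gems such as `minitest-reporters`; whether the Gemfile has any is not visible here, but if it does, a glob like `"minitest*"` keeps them in the same review batch instead of raising separate PRs. The quoting is also inconsistent with patch 1, which dropped quotes on `package-ecosystem` because they are not needed; plain `- minitest` would match the rest of the file. The bundler entry this `groups:` block belongs to starts above the hunk.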
From: Aga Dufrat
Date: Thu, 16 Apr 2026 15:29:29 +0100
Subject: [PATCH 4/6] Change Dependabot schedule to weekly

We schedule updates weekly on Tuesdays at 7:00am UTC to balance staying current with a manageable review workload. A monthly cadence would be too infrequent for a single person on the daily rota, and Tuesdays avoid common non-working days in our team (Mondays and Fridays at the time). The `timezone` is not set, so it defaults to UTC, and the time is chosen to run before the automatic Dependabot merger (currently 08:30 UTC)[^1]. However, with the current scheduling and grouping of updates, we may not benefit from the auto merger that much. Security updates are still raised immediately regardless of schedule. [^1]: https://github.com/alphagov/govuk-dependabot-merger/blob/main/.github/workflows/merge-dependabot-prs.yml#L5 https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#schedule-
---
 .github/dependabot.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index e1e5550f..25f31328 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,7 +3,9 @@ updates:
   - package-ecosystem: bundler
     directory: /
     schedule:
-      interval: daily
+      interval: weekly
+      day: tuesday
+      time: "07:00"
     cooldown:
       default-days: 3
     groups:
@@ -16,6 +18,8 @@ updates:
   - package-ecosystem: github-actions
     directory: /
     schedule:
-      interval: daily
+      interval: weekly
+      day: tuesday
+      time: "07:00"
     cooldown:
       default-days: 3

From c66f0c30ab0778a28dd7ce5e69d2c9789be35272 Mon Sep 17 00:00:00 2001
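Review bot: The `time: "07:00"` line depends on `timezone` being left unset so the value is read as UTC and the run lands before the 08:30 UTC merger, but nothing in the file records that; a later `timezone: Europe/London` added for readability would quietly move the run past the merger for half the year. A comment on the `time:` line, e.g. `# UTC (timezone deliberately unset): must stay before the govuk-dependabot-merger run at 08:30 UTC`, pins the intent, and making the default explicit with `timezone: Etc/UTC` would enforce it. The same applies to the second hunk on this line for the github-actions entry. Quoting `"07:00"` is right, since an unquoted 07:00 is a sexagesimal integer to YAML 1.1 loaders.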
From: Aga Dufrat
Date: Thu, 16 Apr 2026 15:29:55 +0100
Subject: [PATCH 5/6] Increase Dependabot Open PR limit to 25

We increase the Dependabot open PR limit to 25 to accommodate our weekly schedule and grouped updates, ensuring multiple batches can be raised and reviewed without being artificially capped. This helps avoid delays while still keeping changes manageable alongside the cooldown and grouping strategy. Note that security updates are unaffected by this setting, as they have a separate internal limit of ten open pull requests which cannot be changed. https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#open-pull-requests-limit-
---
 .github/dependabot.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 25f31328..b97153fc 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,6 +8,7 @@ updates:
       time: "07:00"
     cooldown:
       default-days: 3
+    open-pull-requests-limit: 25
     groups:
       test:
         patterns:
@@ -23,3 +24,4 @@ updates:
       time: "07:00"
     cooldown:
       default-days: 3
+    open-pull-requests-limit: 25

From ee37aea40fa26a3ec7d5800c41e9b3bdb1ffff56 Mon Sep 17 00:00:00 2001
From: Aga Dufrat
Date: Thu, 16 Apr 2026 15:30:11 +0100
Subject: [PATCH 6/6] Restrict Dependabot updates to direct dependencies

Configure Dependabot to only open pull requests for direct dependencies, reducing noise from transitive updates and keeping changes more relevant and easier to review. Approach recommended in GOV.UK Developer Docs. https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#dependency-type-allow
---
 .github/dependabot.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b97153fc..bd65f97d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
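Review bot: `open-pull-requests-limit: 25` is added to both entries, and as far as I know the limit is enforced per `updates` entry rather than per repository, so the effective cap becomes 50 open version-update PRs; if 25 in total was the intent, the github-actions entry (which has no grouping and far fewer dependencies) could keep a smaller figure. Either way the number abandons Dependabot's default without saying why in the file, and a comment such as `# raised from the default (5) so weekly grouped batches are not capped` on both added lines would carry the commit message's reasoning into the config. The second hunk on this line makes the identical change for the github-actions entry.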
@@ -6,6 +6,8 @@ updates:
       interval: weekly
       day: tuesday
       time: "07:00"
+    allow:
+      - dependency-type: direct
     cooldown:
       default-days: 3
     open-pull-requests-limit: 25
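Review bot: `- dependency-type: direct` narrows version updates to gems named in the Gemfile, so a transitive gem that later receives an advisory is no longer bumped on its own by version updates and depends on the security-update path; whether `allow` also constrains security updates is worth confirming in the linked docs before this is relied on, since transitive gems in Gemfile.lock are where many Ruby advisories land. The trade-off deserves a comment on the `allow:` line, e.g. `# direct (Gemfile) gems only: transitive gems are not bumped by version updates`. The bundler entry this block belongs to starts above the hunk and its remaining keys continue below it.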