petry-projects · don-petry · Apr 4, 2026 · Apr 3, 2026 · Apr 3, 2026 · Apr 3, 2026
@@ -0,0 +1,176 @@
+# Dependabot Policy: Security-Only Updates
+
+## Rationale
+
+New package versions pose risk to stability and security. Keeping known-good versions
+and upgrading only when vulnerabilities are found and fixed provides a better
+security posture than chasing every minor/patch release.
+
+## Policy
+
+1. **Security updates only** for application dependencies (npm, Go modules, pip, Cargo).
+   Dependabot opens PRs only when a vulnerability advisory exists for a dependency.
+   Version update PRs are suppressed by setting `open-pull-requests-limit: 0` for
+   application ecosystems — Dependabot security updates bypass this limit.
+2. **Version updates weekly** for GitHub Actions, since pinned action versions do not
+   affect application stability and staying current reduces CI attack surface.
+3. **Labels** `security` and `dependencies` on every Dependabot PR for filtering and audit.
+4. **Auto-merge** security patches and minor updates after all CI checks pass, using a
+   GitHub App token to satisfy branch protection (CODEOWNERS review bypass for bot PRs).
+   Uses `gh pr merge --auto` to wait for required checks before merging.
+5. **Vulnerability audit CI check** runs on every PR and push to `main`, failing the
+   build if any dependency has a known advisory. This is a required status check.
+
+## Prerequisites
+
+- **Dependabot security updates** must be enabled at the org or repo level
+  (Settings > Code security > Dependabot security updates).
+- The `dependabot.yml` entries below configure which ecosystems and directories
+  Dependabot monitors. Setting `open-pull-requests-limit: 0` for application
+  ecosystems suppresses routine version-update PRs while still allowing
+  security-alert-triggered PRs to be created.
+
+## Configuration Files
+
+Each repository must have:
+
+| File | Purpose |
+|------|---------|
+| `.github/dependabot.yml` | Dependabot config scoped to the repo's ecosystems |
+| `.github/workflows/dependabot-automerge.yml` | Auto-approve + squash-merge security PRs |
+| `.github/workflows/dependency-audit.yml` | CI check — fail on known vulnerabilities |
+
+## Dependabot Templates
+
+Use the template matching your repository type.
+
+**Application ecosystems** (npm, gomod, cargo, pip, terraform) use:
+
+```yaml
+schedule:
+  interval: "weekly"
+open-pull-requests-limit: 0   # suppress version updates; security PRs bypass this
+labels:
+  - "security"
+  - "dependencies"
+```
+
+**GitHub Actions** uses:
+
+```yaml
+schedule:
+  interval: "weekly"
+open-pull-requests-limit: 10  # allow version updates for CI actions
+labels:
+  - "security"
+  - "dependencies"
+```
+
+### Frontend (npm)
+
+For repos with `package.json` at root or in subdirectories.
+
+- Ecosystem: `npm`
+- Directory: `/` (or path to each `package.json`)
+
+See [`dependabot/frontend.yml`](dependabot/frontend.yml)
+
+### Backend — Go
+
+For repos with `go.mod`.
+
+- Ecosystem: `gomod`
+- Directory: path to `go.mod`
+
+See [`dependabot/backend-go.yml`](dependabot/backend-go.yml)
+
+### Backend — Rust
+
+For repos with `Cargo.toml`.
+
+- Ecosystem: `cargo`
+- Directory: `/`
+
+See [`dependabot/backend-rust.yml`](dependabot/backend-rust.yml)
+
+### Backend — Python
+
+For repos with `pyproject.toml` or `requirements.txt`.
+
+- Ecosystem: `pip`
+- Directory: `/`
+
+See [`dependabot/backend-python.yml`](dependabot/backend-python.yml)
+
+### Infrastructure — Terraform
+
+For repos with Terraform modules.
+
+- Ecosystem: `terraform`
+- Directory: path to Terraform root module
+
+See [`dependabot/infra-terraform.yml`](dependabot/infra-terraform.yml)
+
+### GitHub Actions (all repos)
+
+Every repository must include the `github-actions` ecosystem entry.
+GitHub Actions use **version updates** (not security-only) on a weekly schedule
+since pinned action SHAs do not affect application runtime stability.
+
+```yaml
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: "weekly"
+  open-pull-requests-limit: 10
+  labels:
+    - "security"
+    - "dependencies"
+```
+
+### Full-Stack Example
+
+A full-stack repo (e.g., npm + Go + Terraform + GitHub Actions) combines the
+relevant ecosystem entries into a single `dependabot.yml`. See
+[`dependabot/fullstack.yml`](dependabot/fullstack.yml) for a complete example.
+
+## Auto-Merge Workflow
+
+See [`workflows/dependabot-automerge.yml`](workflows/dependabot-automerge.yml).
+
+Behavior:
+- Triggers on `pull_request_target` from `dependabot[bot]`
+- Fetches Dependabot metadata to determine update type
+- For **patch** and **minor** updates (and indirect dependency updates):
+  approves the PR and enables auto-merge (waits for all required CI checks)
+- **Major** updates are left for human review
+- Uses `gh pr merge --auto --squash` so the merge only happens after CI passes
+
+## Vulnerability Audit CI Check
+
+See [`workflows/dependency-audit.yml`](workflows/dependency-audit.yml).
+
+This workflow template detects the ecosystems present in the repo and runs the
+appropriate audit tool:
+
+| Ecosystem | Tool | Command |
+|-----------|------|---------|
+| npm | `npm audit` | `npm audit --audit-level=low` per `package-lock.json` (fails on any advisory) |
+| pnpm | `pnpm audit` | `pnpm audit --audit-level low` per `pnpm-lock.yaml` |
+| Go | `govulncheck` | `govulncheck ./...` per `go.mod` directory |
+| Rust | `cargo-audit` | `cargo audit` per `Cargo.toml` workspace |
+| Python | `pip-audit` | `pip-audit .` per `pyproject.toml` / `-r requirements.txt` |
+
+The workflow fails if any known vulnerability is found, blocking the PR from merging.
+
+## Applying to a Repository
+
+1. Copy the appropriate `dependabot.yml` template to `.github/dependabot.yml`,
+   adjusting `directory` paths as needed.
+2. Add `workflows/dependabot-automerge.yml` to `.github/workflows/`.
+3. Add `workflows/dependency-audit.yml` to `.github/workflows/`.
+4. Ensure the repository has the GitHub App secrets (`APP_ID`, `APP_PRIVATE_KEY`)
+   configured for auto-merge.
+5. Create the `security` and `dependencies` labels in the repository if they
+   don't already exist.
+6. Add `dependency-audit` as a required status check in branch protection rules.
@@ -0,0 +1,26 @@
+# Dependabot configuration for Go backend repositories
+# Copy to .github/dependabot.yml and adjust directory paths as needed
+#
+# gomod uses open-pull-requests-limit: 0 to suppress version update PRs.
+# Dependabot security updates bypass this limit, so security PRs still open.
+version: 2
+updates:
+  # Go modules — security updates only (limit 0 suppresses version updates)
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 0
+    labels:
+      - "security"
+      - "dependencies"
+
+  # GitHub Actions — version updates (keep actions current)
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    labels:
+      - "security"
+      - "dependencies"
@@ -0,0 +1,26 @@
+# Dependabot configuration for Python backend repositories
+# Copy to .github/dependabot.yml and adjust directory paths as needed
+#
+# pip uses open-pull-requests-limit: 0 to suppress version update PRs.
+# Dependabot security updates bypass this limit, so security PRs still open.
+version: 2
+updates:
+  # pip — security updates only (limit 0 suppresses version updates)
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 0
+    labels:
+      - "security"
+      - "dependencies"
+
+  # GitHub Actions — version updates (keep actions current)
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    labels:
+      - "security"
+      - "dependencies"
@@ -0,0 +1,26 @@
+# Dependabot configuration for Rust backend repositories
+# Copy to .github/dependabot.yml and adjust directory paths as needed
+#
+# cargo uses open-pull-requests-limit: 0 to suppress version update PRs.
+# Dependabot security updates bypass this limit, so security PRs still open.
+version: 2
+updates:
+  # Cargo — security updates only (limit 0 suppresses version updates)
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 0
+    labels:
+      - "security"
+      - "dependencies"
+
+  # GitHub Actions — version updates (keep actions current)
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    labels:
+      - "security"
+      - "dependencies"
@@ -0,0 +1,26 @@
+# Dependabot configuration for frontend (npm) repositories
+# Copy to .github/dependabot.yml and adjust directory paths as needed
+#
+# npm uses open-pull-requests-limit: 0 to suppress version update PRs.
+# Dependabot security updates bypass this limit, so security PRs still open.
+version: 2
+updates:
+  # npm — security updates only (limit 0 suppresses version updates)
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 0
+    labels:
+      - "security"
+      - "dependencies"
+
+  # GitHub Actions — version updates (keep actions current)
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    labels:
+      - "security"
+      - "dependencies"
@@ -0,0 +1,51 @@
+# Dependabot configuration for full-stack repositories (npm + Go + Terraform)
+# Copy to .github/dependabot.yml and adjust directory paths as needed
+#
+# Application ecosystems use open-pull-requests-limit: 0 to suppress version
+# update PRs. Dependabot security updates bypass this limit.
+#
+# Example layout:
+#   apps/mobile/package.json  (or markets-app/package.json)
+#   apps/api/go.mod           (or markets-api/go.mod)
+#   infra/terraform/main.tf
+version: 2
+updates:
+  # npm — security updates only (limit 0 suppresses version updates)
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 0
+    labels:
+      - "security"
+      - "dependencies"
+
+  # Go modules — security updates only (limit 0 suppresses version updates)
+  - package-ecosystem: "gomod"
+    directory: "/apps/api"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 0
+    labels:
+      - "security"
+      - "dependencies"
+
+  # Terraform — security updates only (limit 0 suppresses version updates)
+  - package-ecosystem: "terraform"
+    directory: "/infra/terraform"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 0
+    labels:
+      - "security"
+      - "dependencies"
+
+  # GitHub Actions — version updates (keep actions current)
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    labels:
+      - "security"
+      - "dependencies"
@@ -0,0 +1,26 @@
+# Dependabot configuration for Terraform infrastructure repositories
+# Copy to .github/dependabot.yml and adjust directory paths as needed
+#
+# terraform uses open-pull-requests-limit: 0 to suppress version update PRs.
+# Dependabot security updates bypass this limit, so security PRs still open.
+version: 2
+updates:
+  # Terraform — security updates only (limit 0 suppresses version updates)
+  - package-ecosystem: "terraform"
+    directory: "/infra/terraform"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 0
+    labels:
+      - "security"
+      - "dependencies"
+
+  # GitHub Actions — version updates (keep actions current)
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    labels:
+      - "security"
+      - "dependencies"