From 50fcf5c412353a74ed2f5c91cafd1f2d0100348b Mon Sep 17 00:00:00 2001
From: Darren Dooley
Date: Mon, 22 Jun 2026 10:14:38 +0100
Subject: [PATCH] Add 7-day supply-chain cooldown for package updates

Set Poetry solver.min-release-age=7 (requires Poetry >=2.4.0) and add a Dependabot cooldown of 10 days on the github-actions and pip ecosystems. Dependabot's window is longer than Poetry's floor so it never proposes a version the solver would reject as too young.
---
 .github/dependabot.yml | 4 ++++
 poetry.toml | 2 ++
 pyproject.toml | 2 +-
 3 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 poetry.toml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 0b845d3b..e46640bc 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,8 +4,12 @@ updates:
 directory: "/"
 schedule:
 interval: "monthly"
+ cooldown:
+ default-days: 10
 - package-ecosystem: "pip"
 directory: "/"
 schedule:
 interval: "monthly"
+ cooldown:
+ default-days: 10
diff --git a/poetry.toml b/poetry.toml
new file mode 100644
index 00000000..4d265f3d
--- /dev/null
+++ b/poetry.toml
@@ -0,0 +1,2 @@
+[solver]
+min-release-age = 7
diff --git a/pyproject.toml b/pyproject.toml
index bfb34e90..8620a586 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -29,7 +29,7 @@ cycode = "cycode.cli.app:app"
 repository = "https://github.com/cycodehq/cycode-cli"
 [tool.poetry]
-requires-poetry = ">=2.0"
+requires-poetry = ">=2.4.0"
 version = "0.0.0" # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag
 [tool.poetry.dependencies]
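Review bot: The `cooldown: default-days: 10` added to the pip ecosystem only delays Dependabot version updates; as far as I recall, Dependabot security updates are raised regardless of `cooldown`, so a security PR can still propose a pip release younger than Poetry's 7-day `min-release-age` floor, and the lock step on that PR will then fail until the release ages out — which the commit message's "never proposes a version the solver would reject" does not cover. Please confirm the security-update behaviour against the Dependabot docs and record the interaction next to each `cooldown:` block, e.g. `# Version updates wait 10 days after release (kept above Poetry's 7-day solver floor in poetry.toml); security updates are believed to bypass this cooldown and may need the floor lifted case by case.` The `updates:` list these two entries belong to starts before the hunk.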
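Review bot: The new `poetry.toml` gives no reason for the value 7, no unit, and no hint that it is coupled to the Dependabot cooldown and to the `requires-poetry` bump in `pyproject.toml`; that reasoning lives only in the commit message. I would put above `min-release-age = 7`: `# Supply-chain cooldown: the solver refuses releases younger than 7 days at lock/add time.` / `# Keep this at or below the Dependabot cooldown in .github/dependabot.yml and raise` / `# requires-poetry in pyproject.toml if the setting changes (needs Poetry >= 2.4).` It is also worth stating in that comment that, as far as I can tell, the floor is applied only when the solver runs, so versions already pinned in an existing `poetry.lock` are not re-checked by this setting.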