dependabot.yml

# NatLibFi/Melinda maintenance strategy
# https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates

version: 2
updates:
  # Maintain dependencies for GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
      time: "06:30"
      timezone: "Europe/Helsinki"
    target-branch: "next"

  # Minor updates to npm production dependencies daily
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
      time: "06:45"
      timezone: "Europe/Helsinki"
    versioning-strategy: lockfile-only
    target-branch: "next"
    pull-request-branch-name:
      separator: "-"
    groups:
      production-dependencies:
        dependency-type: "production"
      development-dependencies:
        dependency-type: "development"

  # Major updates to npm dependencies weekly @tuesday
  # Not possible yet https://github.com/dependabot/dependabot-core/issues/1778
  # - package-ecosystem: "npm"
  #   directory: "/"
  #   schedule:
  #     interval: "weekly"
  #     day: "tuesday"
  #     time: "07:00"
  #     timezone: "Europe/Helsinki"
  #   versioning-strategy: increase-if-necessary
  #   labels:
  #     - "npm major dependencies"
  #   reviewers:
  #     - "natlibfi/melinda-js-lead"