From 7a1a48cce83456fbe3ea029ae3129e7752bc69df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20V=C3=A9rin?=
Date: Thu, 2 Apr 2026 14:14:19 +0200
Subject: [PATCH] BUILD-10861: Dependabot cooldown (5 days) and internal excludes

- Version updates: minimum package age via cooldown (default-days: 5).
- Security updates are not affected by cooldown (GitHub behavior).
- exclude: org.sonarsource*, com.sonarsource*, npm @sonarsource/*, actions SonarSource/* as applicable.
- Aligns supply-chain policy with BUILD-10860 (Renovate) intent.
---
 .github/dependabot.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index c5f33e3..480f81d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,5 +12,9 @@ updates:
 interval: "daily"
 timezone: "CET"
 open-pull-requests-limit: 100
+ cooldown:
+ default-days: 5
+ exclude:
+ - "SonarSource/*"
 commit-message:
 prefix: "NO-JIRA "
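Review bot: The `exclude` entry `"SonarSource/*"` takes every dependency under that organisation out of the five-day window, so a mistaken or compromised first-party release would still be proposed as soon as it is published, and nothing in the file records why that trust is acceptable. I would state it next to the setting, for example `# First-party SonarSource/* releases skip the cooldown; security updates are never delayed by it.` placed above `cooldown:`. The `updates` entry begins above the hunk, so its `package-ecosystem` is not visible here; if the file holds other entries, they get no cooldown from this change and would each need their own `cooldown` block.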