chore(github): finer grain schedules for dependency checking

- default to weekly instead of daily - check gluetun-servers daily - check some Go modules only quartely since they are not important
2026-06-10 06:12:27 +02:00 · 2026-05-24 20:34:57 +00:00
parent 1998e0d04f
commit 6f5f518d1d
1 changed files with 55 additions and 4 deletions
@@ -4,12 +4,63 @@ updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
-      interval: "daily"
+      interval: "weekly"
  - package-ecosystem: docker
    directory: /
    schedule:
-      interval: "daily"
-  - package-ecosystem: gomod
-    directory: /
+      interval: "weekly"
+  - # Servers data dependency that should be updated as soon as
+    # possible when a new version is released, to have the latest
+    # servers available
+    package-ecosystem: "gomod"
+    directory: "/"
    schedule:
      interval: "daily"
+    allow:
+      - dependency-name: "github.com/qdm12/gluetun-servers"
+  - # non important dependencies that do not need to be updated.
+    package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: "quarterly"
+    allow:
+      - dependency-name: "github.com/breml/rootcerts"
+      - dependency-name: "github.com/fatih/color"
+      - dependency-name: "github.com/golang/mock"
+      - dependency-name: "github.com/klauspost/compress"
+      - dependency-name: "github.com/klauspost/pgzip"
+      - dependency-name: "github.com/pelletier/go-toml/v2"
+      - dependency-name: "github.com/qdm12/goshutdown"
+      - dependency-name: "github.com/qdm12/gosplash"
+      - dependency-name: "github.com/qdm12/gotree"
+      - dependency-name: "github.com/qdm12/log"
+      - dependency-name: "github.com/stretchr/testify"
+      - dependency-name: "github.com/ulikunitz/xz"
+      - dependency-name: "gopkg.in/ini.v1"
+  - # The rest of Go modules are important and should be checked every week,
+    # instead of daily, to give a bit of time to avoid supply chain attacks.
+    package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: "weekly"
+    ignore:
+      - # In particular avoid amneziawg-go which have v1.x.y versions available
+        # on the Go modules proxy, but are not in the Github repository tags
+        # and are not the latest releases either. Most likely a mistake from the
+        # maintainers, which is persisted on the Go proxy.
+        dependency-name: "github.com/amnezia-vpn/amneziawg-go"
+        versions: ["1.x"]
+      - dependency-name: "github.com/qdm12/gluetun-servers"
+      - dependency-name: "github.com/breml/rootcerts"
+      - dependency-name: "github.com/fatih/color"
+      - dependency-name: "github.com/golang/mock"
+      - dependency-name: "github.com/klauspost/compress"
+      - dependency-name: "github.com/klauspost/pgzip"
+      - dependency-name: "github.com/pelletier/go-toml/v2"
+      - dependency-name: "github.com/qdm12/goshutdown"
+      - dependency-name: "github.com/qdm12/gosplash"
+      - dependency-name: "github.com/qdm12/gotree"
+      - dependency-name: "github.com/qdm12/log"
+      - dependency-name: "github.com/stretchr/testify"
+      - dependency-name: "github.com/ulikunitz/xz"
+      - dependency-name: "gopkg.in/ini.v1"