dependabot: add configuration, ignore indirect Python dependencies

What it says on the tin. We immediately got slapped with a dependabot PR after merging the documentation. Ignore security vulnerabilities in transient dependencies, we're only interested in keeping up with direct dependencies since Python code is only run during documentation build. Signed-off-by: Timo Beckers <timo@isovalent.com>
cilium · Oct 4, 2023 · 45d00de · 45d00de
1 parent fe03e6e
commit 45d00de
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+---
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/docs"
+    schedule:
+      interval: "weekly"
+    allow:
+      # Only manage direct dependencies in Pipfile, ignore transient
+      # dependencies only appearing in Pipfile.lock.
+      - dependency-name: "*"
+        dependency-type: "direct"