From f4c2c85d28ae11d1b0aaf10132d591cfd288ac3c Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Thu, 26 Mar 2026 22:01:03 -0700 Subject: [PATCH] Fix dependabot cooldown config: use default-days and increase to 7 - Fix key name from 'default' to 'default-days' per GitHub docs - Increase cooldown period from 4 to 7 days as recommended by zizmor - Update README to reflect the corrected key name and new value See: https://docs.zizmor.sh/audits/\#dependabot-cooldown --- .github/dependabot.yml | 2 +- README.md | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 27fdc60d..ac195fb1 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -36,4 +36,4 @@ updates: versions: ">=2.16" open-pull-requests-limit: 50 cooldown: - default: 4 + default-days: 7 diff --git a/README.md b/README.md index ab9d66c1..1a1e0e04 100644 --- a/README.md +++ b/README.md 
@@ -146,7 +146,7 @@ This will: #### Dependabot Cooldown Period -This repository uses a [Dependabot cooldown period](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#cooldown) of 4 days. After a Dependabot PR is merged or closed, Dependabot will wait 4 days before opening the next PR for the same ecosystem. This helps keep the volume of update PRs manageable and gives reviewers time to catch up. +This repository uses a [Dependabot cooldown period](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#cooldown) of 7 days. After a Dependabot PR is merged or closed, Dependabot will wait 7 days before opening the next PR for the same ecosystem. This helps keep the volume of update PRs manageable and gives reviewers time to catch up. > [!TIP] > We recommend that ASF projects configure a similar cooldown in their own `dependabot.yml` to avoid being overwhelmed by update PRs and to catch up with approved actions here: @@ -157,9 +157,9 @@ This repository uses a [Dependabot cooldown period](https://docs.github.com/en/c > schedule: > interval: "weekly" > cooldown: -> default: 4 +> default-days: 7 > ``` -> Adjust the `default` value (in days) to match your project's review capacity. +> Adjust the `default-days` value to match your project's review capacity. ### Manual Addition of Specific Versions
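Review bot: the hunk in `.github/dependabot.yml` is the substantive fix, and the commit message should say plainly that the previous `default: 4` was not a recognised key under `cooldown`, so no cooldown was actually in effect until now; readers skimming the log will otherwise assume this only bumped a value from 4 to 7. It would also help to state how the corrected file was validated (for example by re-running the zizmor `dependabot-cooldown` audit the message links to), since a second typo in this block would again fail silently rather than error out.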
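Review bot: the README hunk updates the number and the key name but leaves in place a description of the semantics that does not match what `cooldown` does. The lines "After a Dependabot PR is merged or closed, Dependabot will wait 7 days before opening the next PR for the same ecosystem" describe a throttle on PR frequency, whereas `default-days` delays adoption of a newly published version for that many days after its release; this is exactly why the zizmor audit cited in the commit message recommends it, as a supply-chain guard against pulling in a freshly published (possibly compromised) release before the ecosystem has had time to notice. Since the hunk is already touching these sentences, suggest rewording them to that effect and keeping the "manageable PR volume" benefit as a secondary point; the same applies to the `> Adjust the `default-days` value to match your project's review capacity.` line in the TIP block, which could mention the release-delay rationale as well.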