From 16955e863bca0904100ea74439ee6644f741b97f Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Tue, 5 May 2026 22:35:49 +0800
Subject: [PATCH] chore: add dependency review and dependabot version update config

---
 .github/dependabot.yaml | 30 ++++++++++++++++++++++++
 .github/dependency-review-config.yaml | 24 +++++++++++++++++++
 .github/workflows/dependency-review.yaml | 19 +++++++++++++++
 3 files changed, 73 insertions(+)
 create mode 100644 .github/dependabot.yaml
 create mode 100644 .github/dependency-review-config.yaml
 create mode 100644 .github/workflows/dependency-review.yaml

diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 0000000..d9b9c15
--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,30 @@
+version: 2
+updates:
+- package-ecosystem: github-actions
+ commit-message:
+ prefix: chore
+ include: scope
+ directory: /
+ schedule:
+ interval: monthly
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
+- package-ecosystem: composer
+ commit-message:
+ prefix: chore
+ include: scope
+ directory: /
+ schedule:
+ interval: monthly
+ groups:
+ composer:
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
diff --git a/.github/dependency-review-config.yaml b/.github/dependency-review-config.yaml
new file mode 100644
index 0000000..0bd0c7a
--- /dev/null
+++ b/.github/dependency-review-config.yaml
@@ -0,0 +1,24 @@
+# https://github.com/cncf/foundation/blob/main/policies-guidance/allowed-third-party-license-policy.md
+allow-licenses:
+# default allowed
+- 'Apache-2.0'
+# explicit CNCF allowlist
+- '0BSD'
+- 'BSD-2-Clause'
+- 'BSD-2-Clause-FreeBSD'
+- 'BSD-3-Clause'
+- 'ISC'
+- 'MIT'
+- 'MIT-0'
+- 'OpenSSL'
+- 'OpenSSL-standalone'
+- 'PSF-2.0'
+- 'PostgreSQL'
+- 'Python-2.0'
+- 'Python-2.0.1'
+- 'SSLeay-standalone'
+- 'UPL-1.0'
+- 'X11'
+- 'Zlib'
+# Google's patent licence for Go
+- 'LicenseRef-scancode-google-patent-license-golang'
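Review bot: The allowlist in dependency-review-config.yaml is a snapshot of a living policy but records no revision, so drift between this file and the linked CNCF document cannot be detected from the file alone; add a dated comment under the URL line, e.g. `# snapshot of the policy as of <YYYY-MM-DD>; re-sync when the upstream list changes`. `BSD-2-Clause-FreeBSD` is marked deprecated in the SPDX license list (superseded by `BSD-2-Clause-Views`), so a dependency whose metadata reports the newer identifier would be rejected by this list — verify which identifier the dependency graph emits before keeping one without the other. The final `LicenseRef-scancode-google-patent-license-golang` entry is a ScanCode reference rather than an SPDX list identifier; it is syntactically a valid SPDX license reference, but whether the action actually matches it against reported license metadata is worth confirming, and a comment stating that expectation next to the entry would help the next maintainer.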
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
new file mode 100644
index 0000000..8e4a0c0
--- /dev/null
+++ b/.github/workflows/dependency-review.yaml
@@ -0,0 +1,19 @@
+name: dependency review
+on:
+ pull_request:
+ branches:
+ - main
+ merge_group:
+ types:
+ - checks_requested
+permissions: {}
+jobs:
+ dependency-review:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
+ with:
+ config-file: .github/dependency-review-config.yaml
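Review bot: The checkout step leaves the job's token in the checked-out tree for the third-party step that follows, because `actions/checkout` persists credentials by default; this job only needs the tree to read the config file, so add `with:` / `persist-credentials: false` to the checkout step. The rest of the hardening in this hunk reads well: top-level `permissions: {}` with only `contents: read` at job level, and both actions pinned to full commit SHAs with version comments that Dependabot can keep in step. `fail-on-severity` is left at the action's default, which I believe is `low`; stating it explicitly in dependency-review-config.yaml would make the vulnerability policy visible next to the license policy. The `merge_group` trigger relies on the action deriving its base/head pair from the merge-group context, which is presumably supported by the pinned v4.9.0 — confirm rather than assume, since the action would otherwise need explicit `base-ref`/`head-ref` inputs.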