Introduced 7 day cooldown for updating dependencies

Except for airlift & trino dependencies which we control and release

Author: wendigo

.github/dependabot.yml

@@ -4,8 +4,19 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      # Apply 7 day cooldown to avoid updating dependencies right away. This reduces the opportunity window
+      # when supply chain is compromised.
+      default-days: 7
   - package-ecosystem: "maven"
     directory: "/"
     schedule:
       interval: "daily"
     open-pull-requests-limit: 10
+    cooldown:
+      # Apply 7 day cooldown to avoid updating dependencies right away. This reduces the opportunity window
+      # when supply chain is compromised. This doesn't apply to the dependencies that we own and release.
+      default-days: 7
+      exclude:
+        - io.airlift:*
+        - io.trino:*