From e8658121197ffefb4da5b6c8bdd4213cf48e3fba Mon Sep 17 00:00:00 2001
From: Andrei Zhukov
Date: Wed, 1 Oct 2025 10:50:04 +0200
Subject: [PATCH 1/3] SEC-3452: Allow zero value for open-pull-requests-limit
---
 internal/pkg/config/config.go | 6 +++---
 internal/pkg/config/config_test.go | 5 +++--
 internal/pkg/util/util.go | 5 +++++
 3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/internal/pkg/config/config.go b/internal/pkg/config/config.go
index 8bc522a..fb686f2 100644
--- a/internal/pkg/config/config.go
+++ b/internal/pkg/config/config.go
@@ -74,7 +74,7 @@ type DefaultRegistry struct {
 type UpdateDefaults struct {
 Schedule Schedule `yaml:"schedule"`
 CommitMessage CommitMessage `yaml:"commit-message"`
- OpenPullRequestsLimit int `yaml:"open-pull-requests-limit"`
+ OpenPullRequestsLimit *int `yaml:"open-pull-requests-limit,omitempty"`
 InsecureExternalCodeExecution string `yaml:"insecure-external-code-execution"`
 RebaseStrategy string `yaml:"rebase-strategy"`
 Cooldown Cooldown `yaml:"cooldown"`
@@ -109,7 +109,7 @@ type Update struct {
 Schedule Schedule `yaml:"schedule,omitempty"`
 Registries []string `yaml:"registries,omitempty"`
 CommitMessage CommitMessage `yaml:"commit-message,omitempty"`
- OpenPullRequestsLimit int `yaml:"open-pull-requests-limit,omitempty"`
+ OpenPullRequestsLimit *int `yaml:"open-pull-requests-limit,omitempty"`
 Assignees []string `yaml:"assignees,omitempty"`
 Allow []Allow `yaml:"allow,omitempty"`
 Ignore []Ignore `yaml:"ignore,omitempty"`
@@ -576,7 +576,7 @@ func applyOverrides(update *Update, overrides UpdateDefaults) {
 if overrides.CommitMessage != (CommitMessage{}) {
 update.CommitMessage = overrides.CommitMessage
 }
- if overrides.OpenPullRequestsLimit != 0 {
+ if overrides.OpenPullRequestsLimit != nil {
 update.OpenPullRequestsLimit = overrides.OpenPullRequestsLimit
 }
 if overrides.RebaseStrategy != "" {
diff --git a/internal/pkg/config/config_test.go b/internal/pkg/config/config_test.go
index 412767a..daaec73 100644
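Review bot: The `OpenPullRequestsLimit *int` field in `UpdateDefaults` (config.go, hunk at -74) now has three states that nothing documents: nil means unset, a pointer to 0 is an explicit zero that is kept, and any other value is a limit. A field comment such as `// OpenPullRequestsLimit is nil when unset; an explicit 0 is preserved (Dependabot then opens no version-update PRs).` would state that, and the same comment fits the `Update` field in the hunk at -109. Since a zero limit turns off version-update pull requests for the affected entries, it may be worth reporting when a defaults or overrides block sets it, so the reduced update coverage is a visible decision. Both struct definitions continue outside their hunks, and any other reader of the field there needs a nil check before dereferencing.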
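Review bot: In `applyOverrides` (config.go, hunk at -576) the assignment `update.OpenPullRequestsLimit = overrides.OpenPullRequestsLimit` copies the pointer, so every `Update` that receives this override shares one `int` with the `UpdateDefaults` value, and a later write through any of them changes all of them. Copying the value avoids that: `limit := *overrides.OpenPullRequestsLimit` followed by `update.OpenPullRequestsLimit = &limit`. The function body starts and ends outside the hunk, so whether anything writes through the pointer later is not visible here.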
--- a/internal/pkg/config/config_test.go
+++ b/internal/pkg/config/config_test.go
@@ -5,6 +5,7 @@ import (
 "strings"
 "testing"
+ "github.com/getyourguide/dependabutler/internal/pkg/util"
 "gopkg.in/yaml.v3"
 )
@@ -52,7 +53,7 @@ registries:
 `,
 &ToolConfig{
 UpdateDefaults: UpdateDefaults{
- OpenPullRequestsLimit: 10,
+ OpenPullRequestsLimit: util.Ptr(10),
 InsecureExternalCodeExecution: "allow",
 Schedule: Schedule{
 Interval: "daily",
@@ -276,7 +277,7 @@ func TestAddManifest(t *testing.T) {
 Time: "18:15",
 Timezone: "Europe/Berlin",
 },
- OpenPullRequestsLimit: 9,
+ OpenPullRequestsLimit: util.Ptr(9),
 },
 UpdateOverrides: map[string]UpdateDefaults{
 "docker": {
diff --git a/internal/pkg/util/util.go b/internal/pkg/util/util.go
index dba770c..07d9c76 100644
--- a/internal/pkg/util/util.go
+++ b/internal/pkg/util/util.go
@@ -94,3 +94,8 @@ func RandToken(n int) (string, error) {
 }
 return hex.EncodeToString(bytes), nil
 }
+
+// Ptr returns a pointer to the given value
+func Ptr[T any](v T) *T {
+ return &v
+}
From 6190b8e5ce998cbc49411f4b10b4fcf62f057610 Mon Sep 17 00:00:00 2001
From: Andrei Zhukov
Date: Wed, 12 Nov 2025 09:19:19 +0100
Subject: [PATCH 2/3] SEC-3452: add additional test cases
---
 internal/pkg/config/config_test.go | 31 ++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/internal/pkg/config/config_test.go b/internal/pkg/config/config_test.go
index 008f150..4839859 100644
--- a/internal/pkg/config/config_test.go
+++ b/internal/pkg/config/config_test.go
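Review bot: The doc comment on `Ptr` in util.go (hunk at -94) does not say that the result points to a copy, which follows from `v` being passed by value and matters to callers who expect to alias the original. Something like `// Ptr returns a pointer to a copy of v, for optional fields where nil means unset.` covers it and ends with a period as Go doc comments do. Generic functions need Go 1.18 or newer; the `go` directive in go.mod is not part of this patch, so that is worth confirming.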
@@ -80,6 +80,37 @@ registries:
 },
 },
 },
+ {
+ `
+update-defaults:
+ schedule:
+ interval: daily
+ open-pull-requests-limit: 0
+`,
+ &ToolConfig{
+ UpdateDefaults: UpdateDefaults{
+ OpenPullRequestsLimit: util.Ptr(0),
+ Schedule: Schedule{
+ Interval: "daily",
+ },
+ },
+ },
+ },
+ {
+ `
+update-defaults:
+ schedule:
+ interval: daily
+`,
+ &ToolConfig{
+ UpdateDefaults: UpdateDefaults{
+ OpenPullRequestsLimit: nil,
+ Schedule: Schedule{
+ Interval: "daily",
+ },
+ },
+ },
+ },
 } {
 got, err := ParseToolConfig([]byte(tt.configString))
 if err != nil {
From 7d8507756482bf9a5eea0cfca3b9fd01f745fb98 Mon Sep 17 00:00:00 2001
From: Andrei Zhukov
Date: Wed, 12 Nov 2025 09:25:44 +0100
Subject: [PATCH 3/3] SEC-3452: fix go.yml
---
 .github/workflows/go.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 6cbd36a..51c5cf6 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -39,7 +39,7 @@ jobs:
 golint -set_exit_status ./...
 - name: staticcheck.io
 if: matrix.platform == 'ubuntu-latest'
- uses: dominikh/staticcheck-action@v1.4.0
+ uses: dominikh/staticcheck-action@024238d2898c874f26d723e7d0ff4308c35589a2 # v1.4.0
 with:
 install-go: false
 - name: gofumpt formatting
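Review bot: The two cases added to the parse table in config_test.go (hunk at -80) check only that YAML `0` becomes `util.Ptr(0)` and that a missing key stays nil; the behaviour the series changes in `applyOverrides` is not exercised. A case where an override sets the limit to 0 on an update that already has a non-zero limit would pin the `!= nil` branch. A second case that marshals the result and checks that `open-pull-requests-limit: 0` is emitted while a nil limit is omitted would pin the `omitempty` tag. The table's loop body continues outside the hunk.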
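Review bot: The trailing `# v1.4.0` comment on the pinned `dominikh/staticcheck-action` line in go.yml is now the only statement of which release that commit is, and nothing in the patch checks it. Pinning to a full commit SHA is the right direction, but it is worth confirming against the action's repository that `024238d2898c874f26d723e7d0ff4308c35589a2` is the commit the v1.4.0 tag points to. Keeping the comment in the `# vX.Y.Z` form lets update tooling bump SHA and comment together. Other `uses:` entries in this workflow are outside the hunk; any that are still referenced by tag have the same mutable-tag exposure and could be pinned the same way.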