Labels: enhancement (New feature or request), help wanted (Extra attention is needed)
Description
Summary
Ship a refreshed security-only mode that defaults to true for weekly runs, upgrades only when curated security keywords match release notes, and relies on vetted Python release feeds.
Why
The current keyword gate is opt-in and requires users to supply their own list. Providing a maintained keyword set and documented defaults helps teams adopt safer automation without configuration overhead.
What needs to happen
- Maintain a curated keyword list (covering CVEs, PSRT advisories, etc.) inside the repo, with a clear update path.
- Default `security_only` (or similar) to true for scheduled runs while allowing overrides.
- Integrate optional feeds (RSS or release notes snapshots) to cross-check security relevance.
- Update PR body and summaries to note when upgrades were skipped due to missing security signals.
- Add tests around keyword matching and feed fallbacks.
- Document the new defaults, including how to opt out or supply custom keywords.
References
- Roadmap policy item: "Security-only mode".
Acceptance criteria
- Action skips non-security releases by default (unless users disable the mode).
- Users can override keywords or disable the gate entirely.
- Tests cover positive and negative matches, and docs explain behavior.
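The gate described under "What needs to happen" and the acceptance criteria above, as an added illustration that is not the action's own code: a curated keyword list plus CVE-id matching, a feed-text fallback, an opt-out switch, and a summary line for the PR body. The keyword set, the `CVE-2099-0001` id and the version string are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Hypothetical starting keyword set; the issue asks for a curated list kept in the repo.
DEFAULT_SECURITY_KEYWORDS = ("security", "vulnerability", "advisory", "psrt")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)


@dataclass(frozen=True)
class GateDecision:
    upgrade: bool   # True when the action should open the bump PR
    signals: tuple  # matched keywords / CVE ids, reported in the PR body
    reason: str     # human-readable note for summaries


def security_signals(text, keywords=DEFAULT_SECURITY_KEYWORDS):
    """Return the security keywords and CVE ids found in release-note text."""
    if not keywords:
        return ()
    kw_re = re.compile(r"\b(?:%s)\b" % "|".join(map(re.escape, keywords)), re.IGNORECASE)
    hits = [m.lower() for m in kw_re.findall(text)]
    hits += [m.upper() for m in CVE_RE.findall(text)]
    return tuple(dict.fromkeys(hits))  # de-duplicate, keep first-seen order


def evaluate_release(release_notes, feed_notes=None, security_only=True,
                     keywords=DEFAULT_SECURITY_KEYWORDS):
    """Decide whether a release clears the security-only gate.

    release_notes: text from the release itself; feed_notes: optional RSS or
    snapshot text used as a fallback cross-check. Missing signals mean skip.
    """
    if not security_only:
        return GateDecision(True, (), "security-only mode disabled by user")
    sources = [s for s in (release_notes, feed_notes) if s]
    if not sources:
        return GateDecision(False, (), "no release notes or feed data; skipped")
    for text in sources:
        signals = security_signals(text, keywords)
        if signals:
            return GateDecision(True, signals, "security signals: " + ", ".join(signals))
    return GateDecision(False, (), "no security signals in release notes or feed; skipped")


def summary_line(version, decision):
    """One line for the PR body or job summary explaining the gate's outcome."""
    verb = "upgrading to" if decision.upgrade else "skipping"
    return "%s %s (%s)" % (verb, version, decision.reason)
```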