From 588bf9e3d4e57f76674d59f28efd92b1d26b7cab Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Mon, 15 Jun 2026 16:07:58 +0800 Subject: [PATCH 1/2] chore: add new option to dependabot enable list --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f26993c..8459eb2 100644 --- a/README.md +++ b/README.md @@ -92,13 +92,14 @@ Configure the repository: * Allow auto-merge * Automatically delete head branches -1. Go to repository Settings > Advanced Security, and enable: +1. Go to repository Settings > Advanced Security, and ensure these are enabled: * Private vulnerability reporting * Dependabot * Dependabot alerts + * Dependabot malware alerts * Dependabot security updates * Grouped security updates * Dependabot on Actions runners From bdee8a2dcdbb79cc1b6f8c53c9c7de911c2654e2 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Mon, 15 Jun 2026 16:11:49 +0800 Subject: [PATCH 2/2] chore: document enterprise requirement for code quality --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 8459eb2..54ead71 100644 --- a/README.md +++ b/README.md @@ -64,6 +64,7 @@ Then customize the code for your repository: * update `.goreleaser.yaml` to build `cmd/$YOUR_COMMAND` * update the links at the top of `README.md` * update the contact email in `SECURITY.md` + * if you aren't [in an enterprise that has code quality enabled](https://github.com/orgs/community/discussions/194833#discussioncomment-17174472), delete the coverage workflow (`.github/workflows/coverage.yaml`) 1. Commit and push:
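Review bot: in patch 1/2, the README.md hunk at `@@ -92,13 +92,14 @@` rewords the step lead-in from "enable:" to "ensure these are enabled:", but the commit subject only mentions adding an option to the list. Either mention the rewording in the commit message or split it into its own commit, so the history explains why the instruction changed from an action to a check. If the reason is that some of these settings are already on by default for new repositories, saying so in the step would tell the reader which entries they can expect to find enabled. The new `Dependabot malware alerts` entry also gives no guidance for a reader who does not see that option under Settings > Advanced Security; if its availability depends on plan or organization settings, a short parenthetical would save a support question.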
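Review bot: in patch 2/2, the bullet added at `@@ -64,6 +64,7 @@` puts the whole reason for deleting `.github/workflows/coverage.yaml` behind a link to a discussion comment, so the README itself never says what the workflow depends on or what happens if it is left in place. State the requirement inline, for example that the coverage workflow needs code quality, which is only available in an enterprise that has it enabled, and keep the link as a reference; the instruction then survives if the discussion is moved or edited. The condition is also phrased as a negative ("if you aren't in an enterprise that has ..."), which is easy to misread in a checklist; "Delete the coverage workflow (...) unless your enterprise has code quality enabled" reads more directly. If the links at the top of `README.md` mentioned in the preceding bullet include a coverage badge, this bullet should also tell the reader to remove it when the workflow is deleted.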