Add cooldown to dependabot example

Author: fstewart-nhs

practices/actions-best-practices.md

@@ -109,8 +109,12 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 7
 ```
 
+The `cooldown` option tells Dependabot to delay version updates for newly released versions until they have aged past the configured threshold. This reduces the chance of immediately pulling in a compromised release. Security updates are not subject to cooldown, so known vulnerabilities are still flagged immediately.
+
 ### Verify Third-Party Actions
 
 Third-party actions must not be the default choice. Before introducing one, teams should confirm that the requirement cannot be met by: