chore(deps): add dependabot for github-actions

Mlaz-code · claude · Mlaz-code · commit 19caadeac7e6 · 2026-04-22T13:54:09.000-04:00
Weekly PR bumps SHA-pinned actions when upstream tags move. Grouped
so all action updates arrive in one PR per week instead of per-action.
Scope limited to github-actions only — pip/npm/gomod ecosystems are a
separate decision (higher volume).

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,22 @@
+# Dependabot keeps SHA-pinned GitHub Actions fresh.
+#
+# We pin third-party actions by full commit SHA (e.g. orhun/git-cliff-action
+# @c93ef52f... # v4) so tag moves can't silently propagate into our runners.
+# But frozen SHAs also freeze security fixes. This config opens a weekly PR
+# to bump any action whose upstream tag has advanced since our last pin,
+# with the changelog inlined so review is short. All action updates are
+# grouped into a single PR per week to avoid a Monday flood.
+#
+# Scope: github-actions only. Adding gomod/pip/npm ecosystems is a separate
+# decision — those PRs are much higher volume.
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      actions:
+        patterns: ["*"]
+    commit-message:
+      prefix: "chore(deps)"
