# Dependabot config — see arthur-debert/release/README.md "Dependabot policy"
#
# Application-dependency freshness (cargo) is deliberately not enabled.
# Major-version sweeps are evaluated as development work, not pushed by a bot.
# Security exposure for cargo deps is covered by Dependabot security updates,
# which are enabled per-repo via the GitHub API (not this file).
#
# Only github-actions freshness is enabled — old action versions silently
# break when GitHub deprecates a runtime, so a low-volume freshness stream
# here is worth the cost.
version: 2
updates:
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
open-pull-requests-limit: 5
groups:
gh-actions:
patterns: