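# Dependabot configuration: weekly update PRs for three ecosystems rooted at
# the repository top level -- Cargo crates, GitHub Actions, and Docker base
# images. Each entry caps the number of open PRs and sets a commit-message
# prefix so dependency bumps are easy to filter in history.
version: 2
updates:
  # Rust crate dependencies.
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    commit-message:
      prefix: "chore(deps)"

  # SHA-pinned third-party GitHub Actions need an automated bumper or they
  # rot. Dependabot resolves the SHA behind each `@<hash>` against the
  # action's latest release and opens PRs with the new SHA + the resolved
  # tag in the commit body, so reviewers can confirm intent.
  # Reviewers should check that the new SHA really is the commit behind the
  # stated tag in the action's upstream repository before merging; the pin
  # only protects the workflow if each bump is verified.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    commit-message:
      prefix: "chore(actions)"

  # The Dockerfile's `rust:1.85-slim-bookworm` and `debian:bookworm-slim`
  # base images are tag-pinned. Dependabot bumps both on upstream release;
  # until a digest pin lands at 1.0, this is the live-link to upstream
  # security fixes.
  # NOTE(review): a tag pin is mutable -- the registry can serve different
  # content under the same tag -- so until the digest pin lands, each build
  # trusts whatever the tag points to at pull time.
  # NOTE(review): `debian:bookworm-slim` has no version component to compare;
  # confirm Dependabot actually opens PRs for it. Updates for that image may
  # only start once a digest is pinned.
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    commit-message:
      prefix: "chore(docker)"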