From de224675589b915a8e74c9ffed632cfa412a22f5 Mon Sep 17 00:00:00 2001
From: Pieter Noordhuis
Date: Mon, 23 Mar 2026 16:26:08 +0100
Subject: [PATCH] Add GitHub Actions to Dependabot configuration Limit version update PRs to security-only by setting open-pull-requests-limit to 0, matching the approach used in the Go SDK (see databricks/databricks-sdk-go#988). Add the github-actions package ecosystem with a monthly update interval. Monthly keeps churn low while ensuring deprecation notices and security fixes flow in through PRs. The 7-day cooldown avoids bumping actions that were just released, letting them bake first. Exclude tagging.yml because it is generated and maintained externally.
Co-authored-by: Isaac
---
 .github/dependabot.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index daec31893..269f77579 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,3 +4,14 @@ updates:
 directory: "/"
 schedule:
 interval: "daily"
+ # Disable version update PRs; only security updates are opened.
+ open-pull-requests-limit: 0
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: monthly
+ cooldown:
+ default-days: 7
+ # tagging.yml is generated and maintained externally.
+ exclude-paths:
+ - .github/workflows/tagging.yml
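Review bot: The comment above `open-pull-requests-limit: 0` says security updates are still opened, but that holds only when Dependabot security updates are enabled in the repository or organisation settings; nothing in this file turns them on, and with them off this entry opens no PRs at all. I would have the comment say so, e.g. `# Disable version update PRs; security update PRs still open, provided Dependabot security updates are enabled in the repository settings.` The entry this key is added to starts above the hunk, so its ecosystem is not visible here. In the new `github-actions` entry, `exclude-paths` presumably takes `.github/workflows/tagging.yml` out of Dependabot's updates altogether, so the action references in that file depend on the external generator being kept current; the comment there could state that explicitly. As a style point, the new entry writes `directory: /` and `interval: monthly` unquoted while the existing entry quotes `"/"` and `"daily"`, and matching the existing quoting would keep the file consistent.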