version: 2 updates: - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" ignore: # gh-aw generated files — action SHAs are managed by `gh aw compile` # via .github/aw/actions-lock.json, not by Dependabot. # Dependabot's find-and-replace breaks lockfile metadata headers. - dependency-name: "actions/github-script" - dependency-name: "github/gh-aw-actions" # Major version bumps may have breaking changes and must be # evaluated and applied manually. - dependency-name: "*" update-types: ["version-update:semver-major"] groups: github-actions: patterns: - "*" - package-ecosystem: "maven" directory: "/" schedule: interval: "weekly" ignore: # Major version bumps often drop Java 17 support or have breaking # API changes. These must be evaluated and applied manually. - dependency-name: "*" update-types: ["version-update:semver-major"] groups: maven-deps: patterns: - "*"