From ff5d6736f8553ff91cce70c5b724219f593b9636 Mon Sep 17 00:00:00 2001
From: senke
Date: Wed, 11 Feb 2026 23:26:18 +0100
Subject: [PATCH] ci: add Dependabot configuration for automated dependency updates
Configure weekly automated dependency update PRs for all ecosystems:
- gomod: /veza-backend-api (Go modules)
- cargo: /veza-chat-server, /veza-stream-server (Rust crates)
- npm: /apps/web (frontend packages)
- github-actions: / (CI action versions)
Each ecosystem gets appropriate labels for easy triage. Addresses audit finding A06: no automated dependency update mechanism.
Co-authored-by: Cursor
---
.github/dependabot.yml | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..7739b9560
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,31 @@
+version: 2
+updates:
+ - package-ecosystem: "gomod"
+ directory: "/veza-backend-api"
+ schedule:
+ interval: "weekly"
+ labels: ["dependencies", "go"]
+
+ - package-ecosystem: "cargo"
+ directory: "/veza-chat-server"
+ schedule:
+ interval: "weekly"
+ labels: ["dependencies", "rust"]
+
+ - package-ecosystem: "cargo"
+ directory: "/veza-stream-server"
+ schedule:
+ interval: "weekly"
+ labels: ["dependencies", "rust"]
+
+ - package-ecosystem: "npm"
+ directory: "/apps/web"
+ schedule:
+ interval: "weekly"
+ labels: ["dependencies", "frontend"]
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ labels: ["dependencies", "ci"]
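Review bot: None of the five `updates` entries sets a `cooldown`, so each weekly run can propose a release that was published only hours earlier, before a hijacked or malicious package version, crate or action tag has had time to be reported and pulled. Consider adding a delay to each entry, for example `cooldown:` with `default-days: 7` beneath it (the value is illustrative), and confirm in the Dependabot documentation which ecosystems honour it. This file also only schedules version updates; whether vulnerable dependencies get prompt security-update PRs depends on repository settings that are not visible in this patch, so audit finding A06 is presumably only partly covered by this change. A header comment such as `# Version updates only; Dependabot security updates are configured in repository settings` would make that scope explicit for the next reader.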