version: 2

updates:

- package-ecosystem: "npm"

directory: "/scripts/codegen"

schedule:

interval: "daily"

open-pull-requests-limit: 1

allow:

- dependency-name: "@github/copilot"

- package-ecosystem: "github-actions"

directory: "/"

schedule:

interval: "weekly"

ignore:

# gh-aw generated files — action SHAs are managed by `gh aw compile`

# via .github/aw/actions-lock.json, not by Dependabot.

# Dependabot's find-and-replace breaks lockfile metadata headers.

- dependency-name: "actions/github-script"

- dependency-name: "github/gh-aw-actions"

# Major version bumps may have breaking changes and must be

# evaluated and applied manually.

- dependency-name: "*"

update-types: ["version-update:semver-major"]

groups:

github-actions:

patterns:

- "*"

- package-ecosystem: "maven"

directory: "/"

schedule:

interval: "weekly"

ignore:

# Major version bumps often drop Java 17 support or have breaking

# API changes. These must be evaluated and applied manually.

- dependency-name: "*"

update-types: ["version-update:semver-major"]

groups:

maven-deps:

patterns:

- "*"