version: 2
updates:
  # Keep GitHub Actions pinned SHAs up-to-date
  - package-ecosystem: 'github-actions'
    directory: '/'
    schedule:
      interval: 'weekly'
    open-pull-requests-limit: 5
    labels:
      - 'dependencies'
      - 'ci'

  # Enable security updates for npm dependencies
  - package-ecosystem: 'npm'
    directory: '/'
    schedule:
      interval: 'weekly'
    # Automatically create PRs for security updates
    open-pull-requests-limit: 10
    # Group minor and patch updates
    groups:
      dependencies:
        patterns:
          - '*'
        update-types:
          - 'minor'
          - 'patch'
    # Auto-label PRs
    labels:
      - 'dependencies'
      - 'security'