From 7fb1d4b2b2ed9ce372ca7f0c6f0e2cec24e6958e Mon Sep 17 00:00:00 2001
From: Parth Bansal
Date: Tue, 16 Jun 2026 11:12:30 +0000
Subject: [PATCH] Configure Dependabot for npm and GitHub Actions
The repo had no dependabot.yml, so only security updates ran and they opened PRs that bump npm dev-dependencies to brand-new versions which CI's JFrog db-npm registry blocks under its 7-day package cooldown, failing every check. Disable routine npm version-update PRs (security updates only) and enable GitHub Actions updates with a 7-day cooldown, matching the other Databricks SDK repos.
Co-authored-by: Isaac
---
.github/dependabot.yml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..41698a96
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,17 @@
+version: 2
+updates:
+ - package-ecosystem: npm
+ directory: /
+ schedule:
+ interval: daily
+ # Disable version update PRs; only security updates are opened.
+ open-pull-requests-limit: 0
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: monthly
+ cooldown:
+ default-days: 7
+ # tagging.yml is generated and maintained externally.
+ exclude-paths:
+ - .github/workflows/tagging.yml
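Review bot: The npm entry leaves security-update PRs unchanged, and by the commit description those are the PRs that bump to versions the registry's 7-day cooldown rejects. `open-pull-requests-limit: 0` stops only version updates, and Dependabot's `cooldown` option is documented as applying to version updates only, so it could not cover them either. Failing checks on a security PR are easy to ignore, so the comment on that entry should say how such PRs get merged, for example `# Security PRs may fail CI until the release is 7 days old; re-run checks then.` The `exclude-paths` entry also means actions referenced in tagging.yml get no version-update PRs from this repo, so its comment should name the external owner responsible for keeping them current.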