fix: add .github/dependabot.yml for gomod + github-actions (PILOT-380)

[matthew-pilot]

What

Add .github/dependabot.yml to enable automated dependency updates for:

• Go modules (gomod) — weekly schedule, max 5 open PRs
• GitHub Actions — weekly schedule, max 5 open PRs

Partial

.github/workflows/notify-canary.yml was also requested in PILOT-380 but is blocked by global paths_denied (.github/workflows/**). This file must be created manually by the operator.

Verification

go build ./...   ✅
go vet ./...     ✅
go test ./...    ✅ (ok, 0.218s)

Tier

small — 1 file, +19 lines.

---

Closes partial PILOT-380

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[matthew-pilot]

🤖 PR Status — eventstream#9 (PILOT-380)

State: OPEN · Mergeable: MERGEABLE · Draft: no
CI: test ✅ · codecov/patch ✅ (all passing)
Changes: +19/−0 in 1 file (.github/dependabot.yml)
Labels: none

Summary: Adds Dependabot config for gomod + github-actions weekly updates. Partial PILOT-380 — the notify-canary.yml workflow is blocked by paths_denied and requires manual creation.

Ready for operator review/merge when convenient.