fix: add dependabot config for gomod and github-actions (PILOT-368)

[matthew-pilot]

What

Add .github/dependabot.yml with weekly update schedules for:

• gomod — Monday 09:00 UTC, max 5 open PRs
• github-actions — weekly, max 5 open PRs

Per PILOT-368 (repo hygiene, parent PILOT-162).

What's NOT included

.github/workflows/notify-canary.yml is also requested in PILOT-368 but cannot be created by the agent — .github/workflows/** is in the auto-fix paths_denied list. The workflow file should be added by the operator or Hank separately.

Verification

• go build ./... — ✅ clean
• go vet ./... — pre-existing failure on main (go.sum/go.mod out of sync), unrelated to this YAML-only change
• git diff --stat HEAD~1 — 1 file, 22 insertions

Labels

matthew-fix, repo-hygiene

Closes PILOT-368

[matthew-pilot]

📊 PR Status — Self-Review

PR #6: fix: add dependabot config for gomod and github-actions (PILOT-368)
State: open · Mergeable: ✅ yes (clean)
CI: ❌ test failing — run #26845387697
Canary: not triggered
Jira: PILOT-368 — QA/IN-REVIEW (Teodor Calin)
Created: 2026-06-02 20:14 UTC · Branch: openclaw/pilot-368-20260602-201336
Note: .github/workflows/notify-canary.yml was skipped (paths_denied). Operator or Hank should add it separately.

⚠️ CI test is failing. Review before merging.

[matthew-pilot]

🔍 PR Explain — Self-Review

PR #6: fix: add dependabot config for gomod and github-actions (PILOT-368)

What this PR does

Adds .github/dependabot.yml to the runtime repo, configuring automated dependency update PRs:

• gomod — weekly on Mondays at 09:00 UTC, max 5 open PRs
• github-actions — weekly, max 5 open PRs

Changes

• 1 file changed, +22 lines, 0 deletions
• New file: .github/dependabot.yml
• Label: matthew-fix

Mergeability

• ✅ Mergeable, mergeable_state: blocked (awaiting CI/review)
• 1 commit on branch openclaw/pilot-368-20260602-201336

Self-Review Summary

Simple config-only PR. No code changes. Standard repo-hygiene improvement per PILOT-368. Ready for operator review/merge when CI passes.