Add Dependabot config template

README.md

@@ -172,9 +172,14 @@ Workflows/
 │   │   ├── cargo_test.bats
 │   │   ├── jest.bats
 │   │   └── xcodebuild_test.bats
+│   ├── dependabot/
+│   │   └── dependabot.bats         # validates the Dependabot template
 │   └── helpers/
 │       └── common.bash             # shared test utilities (mocks, temp dirs)
 │
+├── dependabot/
+│   └── dependabot.yml              # Dependabot config template (copy to .github/)
+│
 └── rules/                          # living documentation for contributors
     ├── README.md
     ├── _meta/how-to-write-rules.md
@@ -323,6 +328,31 @@ jobs:
 
 ---
 
+## Dependabot template
+
+`dependabot/dependabot.yml` is a ready-to-copy [Dependabot](https://docs.github.com/en/code-security/dependabot)
+configuration template. Unlike the CI snippets in `CI/`, this file is not a GitHub Actions job — it is a
+repository-level configuration that GitHub reads natively from `.github/dependabot.yml`.
+
+**This artefact does not follow the three-layer pattern** (`shell → source YAML → assembled YAML`). There is
+no shell script or assembler step. Copy the file directly into your project's `.github/` directory.
+
+### Usage
+
+```bash
+cp dependabot/dependabot.yml <your-project>/.github/dependabot.yml
+```
+
+The template enables weekly automated dependency-update PRs for seven ecosystems:
+`github-actions`, `npm`, `pip`, `bundler`, `composer`, `cargo`, and `gomod`.
+Each entry uses `open-pull-requests-limit: 5` and a stable `commit-message` prefix so the
+resulting PRs are easy to filter and review.
+
+Adjust the `directory` field per entry if your dependency manifests live in a subdirectory
+rather than the repository root.
+
+---
+
 ## Shell script conventions
 
 Every script in `scripts/shell/` follows the same patterns defined in `rules/process/ci-cd.md`:

dependabot/dependabot.yml

@@ -0,0 +1,58 @@
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "ci(deps)"
+
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore(deps)"
+
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore(deps)"
+
+  - package-ecosystem: "bundler"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore(deps)"
+
+  - package-ecosystem: "composer"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore(deps)"
+
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore(deps)"
+
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore(deps)"

tests/dependabot/dependabot.bats

@@ -0,0 +1,28 @@
+#!/usr/bin/env bats
+
+TEMPLATE="$BATS_TEST_DIRNAME/../../dependabot/dependabot.yml"
+
+@test "file parses as valid YAML" {
+  run yamllint "$TEMPLATE"
+  [ "$status" -eq 0 ]
+}
+
+@test "version is 2" {
+  grep -q "^version: 2$" "$TEMPLATE"
+}
+
+@test "all required ecosystems are present" {
+  grep -q "package-ecosystem: \"github-actions\"" "$TEMPLATE"
+  grep -q "package-ecosystem: \"npm\""            "$TEMPLATE"
+  grep -q "package-ecosystem: \"pip\""            "$TEMPLATE"
+  grep -q "package-ecosystem: \"bundler\""        "$TEMPLATE"
+  grep -q "package-ecosystem: \"composer\""       "$TEMPLATE"
+  grep -q "package-ecosystem: \"cargo\""          "$TEMPLATE"
+  grep -q "package-ecosystem: \"gomod\""          "$TEMPLATE"
+}
+
+@test "every entry has schedule.interval set" {
+  ecosystem_count=$(grep -c "package-ecosystem:" "$TEMPLATE")
+  interval_count=$(grep -c "interval:" "$TEMPLATE")
+  [ "$interval_count" -eq "$ecosystem_count" ]
+}