From 709778b3f03e762585fa374bbeb10ade06910dfd Mon Sep 17 00:00:00 2001
From: Kent Gruber <kent.gruber@temporal.io>
Date: Thu, 21 May 2026 14:07:04 -0400
Subject: [PATCH] Disable gomod version-bump PRs, keep security alerts

Set open-pull-requests-limit: 0 for all gomod ecosystems to suppress
automatic version update PRs while still allowing security PRs through.
Go dependencies are upgraded on-demand, not automatically.
---
 .github/dependabot.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b3c4fadd..a5dc2935 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,6 +4,7 @@ updates:
     directory: "/"
     schedule:
       interval: weekly
+    open-pull-requests-limit: 0
     cooldown:
       default-days: 14
 
@@ -11,6 +12,7 @@ updates:
     directory: "/build"
     schedule:
       interval: weekly
+    open-pull-requests-limit: 0
     cooldown:
       default-days: 14
 
@@ -18,6 +20,7 @@ updates:
     directory: "/cmd/proxygenerator"
     schedule:
       interval: weekly
+    open-pull-requests-limit: 0
     cooldown:
       default-days: 14