From 8b06a888c062ca4537f750ae801dcf0eebcdedf1 Mon Sep 17 00:00:00 2001
From: Christopher Maher <chris@mahercode.io>
Date: Sun, 17 May 2026 10:14:22 -0700
Subject: [PATCH] chore: add Dependabot for SwiftPM and Actions

Weekly Dependabot updates for the ranged SwiftPM dependencies and the
GitHub Actions used by CI and the release workflow. mlx-swift-lm is
pinned exact to an alpha tag; a Dependabot PR for it is a useful
notification but must be integration-tested before merge.

Signed-off-by: Christopher Maher <chris@mahercode.io>
---
 .github/dependabot.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..c67bd89
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,24 @@
+version: 2
+updates:
+  # SwiftPM dependencies. Dependabot keeps Package.swift requirements and
+  # Package.resolved current within their declared ranges.
+  #
+  # Note on mlx-swift-lm: it is pinned `exact:` to an alpha tag. A Dependabot
+  # PR bumping it is a useful "new alpha is available" signal, but it is alpha
+  # software on which the whole inference path depends, so such a PR must be
+  # integration-tested against a real model before merging, never auto-merged.
+  - package-ecosystem: "swift"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore"
+
+  # GitHub Actions used by the CI and release workflows.
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"