diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 801e440e5..9917cdaa6 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,4 +12,15 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    ignore:
+      # gh-aw generated files — action SHAs are managed by `gh aw compile`
+      # via .github/aw/actions-lock.json, not by Dependabot.
+      # Dependabot's find-and-replace breaks lockfile metadata headers.
+      - dependency-name: "actions/github-script"
+      - dependency-name: "github/gh-aw-actions/*"
 
+  - package-ecosystem: "maven"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5