From 9c739bc47f83f07a3beaf3778fc11a907b363b1e Mon Sep 17 00:00:00 2001
From: Ed Burns
Date: Fri, 24 Apr 2026 18:27:06 -0400
Subject: [PATCH] Exclude gh-aw managed actions from Dependabot
Dependabot's mechanical SHA find-and-replace in workflow files breaks gh-aw lockfile metadata headers, causing runtime validation failures. The affected actions (`actions/github-script`, `github/gh-aw-actions/*`) are only used in gh-aw generated files and their SHAs are managed via `.github/aw/actions-lock.json` + `gh aw compile`. Added `ignore` rules to `.github/dependabot.yml` for these dependencies. Add maven ecosystem.
---
 .github/dependabot.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 801e440e5..9917cdaa6 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,4 +12,15 @@ updates:
 directory: "/"
 schedule:
 interval: "weekly"
+ ignore:
+ # gh-aw generated files — action SHAs are managed by `gh aw compile`
+ # via .github/aw/actions-lock.json, not by Dependabot.
+ # Dependabot's find-and-replace breaks lockfile metadata headers.
+ - dependency-name: "actions/github-script"
+ - dependency-name: "github/gh-aw-actions/*"
+ - package-ecosystem: "maven"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 5
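Review bot: The two `ignore` entries match on `dependency-name` alone, so Dependabot will stop proposing updates for `actions/github-script` and `github/gh-aw-actions/*` in every workflow covered by this entry, not only in the gh-aw generated files. The commit message says the actions are used only there today, but a hand-written workflow that later pins `actions/github-script` would silently stop receiving bumps, and the SHAs in `.github/aw/actions-lock.json` now depend entirely on someone re-running `gh aw compile`. I would record that in the block, e.g. `# Applies repo-wide: re-run 'gh aw compile' regularly to refresh these pins; hand-written workflows using these actions get no Dependabot updates.`, and confirm whether the ignore also suppresses Dependabot security updates for these actions. The `updates` entry these rules attach to starts above the hunk, so its `package-ecosystem` is not visible here.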