From 805d191ef9ccd630f9f04822a186872e3296ff43 Mon Sep 17 00:00:00 2001 From: Ed Burns Date: Sat, 25 Apr 2026 10:42:42 -0400 Subject: [PATCH] On branch edburns/dd-2969317-dependabot-only-minor-bumps modified: .github/dependabot.yml - Both `github-actions` and `maven` ecosystems now ignore semver-major bumps. Those will be done manually. --- .github/dependabot.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 48a36ddb3..03f0f715a 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -18,6 +18,10 @@ updates: # Dependabot's find-and-replace breaks lockfile metadata headers. - dependency-name: "actions/github-script" - dependency-name: "github/gh-aw-actions" + # Major version bumps may have breaking changes and must be + # evaluated and applied manually. + - dependency-name: "*" + update-types: ["version-update:semver-major"] groups: github-actions: patterns: @@ -27,6 +31,11 @@ updates: directory: "/" schedule: interval: "weekly" + ignore: + # Major version bumps often drop Java 17 support or have breaking + # API changes. These must be evaluated and applied manually. + - dependency-name: "*" + update-types: ["version-update:semver-major"] groups: maven-deps: patterns:
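Review bot: The wildcard `dependency-name: "*"` rule added to the github-actions `ignore` list may silence more than the comment suggests. For an action referenced by a floating major tag (a constructed example: `@v4`), the next major is the only update Dependabot can propose, so such actions would stop getting update PRs entirely. The workflow files are not in this patch, so check how actions are pinned; actions pinned to a full version or a commit SHA would still get minor and patch PRs. I would extend the comment to say this, e.g. `# Actions referenced by major tag get no PRs under this rule; review them by hand.` The `updates` entry this list belongs to starts above the hunk.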
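Review bot: Nothing in the new maven `ignore` block says how a fix that ships only in a new major line reaches this repository, since the wildcard stops version-update PRs for every such release. I believe Dependabot security updates are not filtered by `update-types`, but confirm that against the current documentation and state it in the comment, e.g. `# Security updates should still open PRs for major versions; keep Dependabot alerts enabled.` A pointer to where the manual major-version review is tracked, and how often it runs, would also help. The same applies to the github-actions rule in the first hunk.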