diff --git a/config.yml b/config.yml
index f843192..43937cf 100644
--- a/config.yml
+++ b/config.yml
@@ -63,6 +63,20 @@ controller_repo:
   # Reaction approvers must add to authorise provisioning.
   approval_reaction: "+1"
 
+# Configuration changes (dependabot.yml, templates, CODEOWNERS) are applied via
+# pull request rather than direct push. Required because branch protection
+# (PR #19) blocks direct commits to default branches.
+change_strategy:
+  use_pull_requests: true
+  pr_title: "[temper] Configuration update"
+  pr_body: |
+    Automated configuration update from the Temper bot.
+
+    Review the changes and merge if they match the org standard.
+  pr_labels:
+    - automation
+    - dependencies
+
 auto_merge:
   enabled: true
   on_dependabot: true
diff --git a/src/schema.js b/src/schema.js
index 1df4b08..880d532 100644
--- a/src/schema.js
+++ b/src/schema.js
@@ -140,6 +140,20 @@ export function validateConfig(config) {
     }
   }
 
+  if (config.change_strategy !== undefined) {
+    const cs = config.change_strategy;
+    if (typeof cs !== 'object' || cs === null) {
+      errors.push('change_strategy must be an object');
+    } else {
+      if (cs.use_pull_requests !== undefined && typeof cs.use_pull_requests !== 'boolean') {
+        errors.push('change_strategy.use_pull_requests must be a boolean');
+      }
+      if (cs.pr_labels !== undefined && !Array.isArray(cs.pr_labels)) {
+        errors.push('change_strategy.pr_labels must be an array');
+      }
+    }
+  }
+
   if (config.controller_repo !== undefined) {
     const cr = config.controller_repo;
     if (typeof cr !== 'object' || cr === null) {