---
# Dependabot version-update configuration (config format 2).
# Every entry opens weekly pull requests against one package manifest and
# caps the number of open PRs so the queue stays reviewable.
version: 2

updates:
  # GitHub Actions referenced by the workflows. Third-party actions are
  # kept on pinned commit SHAs (the same pinning used in security-scan.yml
  # and ci.yml), so Dependabot advances the SHA instead of letting the
  # workflows drift back to mutable @master / @main refs. Tracked in
  # issue #442.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "github-actions"

  # npm manifest of the mobile app. Covers the @xmldom/xmldom, node-forge
  # and picomatch advisories from #442, axios, and whatever is added later.
  - package-ecosystem: "npm"
    directory: "/ui/mobile"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "mobile"

  # npm manifest of the desktop UI. The direct vite devDependency currently
  # carries a HIGH advisory (path traversal reachable only through the dev
  # server); subsequent bumps are picked up here automatically.
  - package-ecosystem: "npm"
    directory: "/v2/crates/wifi-densepose-desktop/ui"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "desktop"

  # Python requirements shared by v1/ and the FastAPI service. Because
  # requirements.txt is only loosely pinned, Dependabot is what surfaces
  # upstream CVE bumps.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "python"

  # Cargo workspace under v2/ (15+ crates). No workflow currently runs
  # cargo audit, so this entry is the primary automated bump path for
  # Rust dependencies.
  - package-ecosystem: "cargo"
    directory: "/v2"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "rust"