diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..81decfc
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,24 @@
+# Dependabot Configuration
+#
+# Weekly update checks balance responsiveness with notification fatigue.
+# Patch updates auto-merge via dependabot-automerge workflow.
+
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: "go.mod"
+    labels:
+      - dependencies
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: "github"
+    labels:
+      - dependencies
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
new file mode 100644
index 0000000..fd66959
--- /dev/null
+++ b/.github/workflows/dependabot-automerge.yml
@@ -0,0 +1,67 @@
+# Dependabot Auto-merge Workflow
+#
+# Patch updates auto-merge after CI passes. Minor and major updates
+# require human review until LLM-assisted review is available (#5).
+#
+# Squash commits default to using the PR description as body, but
+# Dependabot PRs include lengthy changelogs and compatibility notes.
+# The merge step overrides the body to keep commit messages clean.
+
+name: "🤖 Dependabot"
+
+on:
+  pull_request:
+    branches: [main]
+    # Path filter avoids creating workflow runs for unrelated PRs while
+    # still catching all Dependabot updates (Go modules and Actions).
+    paths:
+      - "go.mod"
+      - "go.sum"
+      - ".github/workflows/**"
+
+permissions:
+  contents: write  # Required by: gh pr merge --auto
+  pull-requests: write  # Required by: gh pr review --approve
+
+jobs:
+  automerge:
+    name: Review & Merge
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    steps:
+      - name: Fetch Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+          compat-lookup: true
+
+      - name: Approve patch
+        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
+        run: gh pr review --approve -b "Patch update — auto-approved" "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # TODO(#5): Review minor updates with Claude before auto-merging.
+      # Once the Claude Code workflow lands, add a step here that uses
+      # claude-code-action to review the diff and approve if acceptable,
+      # followed by an auto-merge step gated on the same condition.
+
+      # TODO(#5): Analyze major updates with Claude, require human merge.
+      # Major updates may contain breaking changes. The planned step uses
+      # claude-code-action to post a review comment with migration notes
+      # and risk analysis, but does not approve or merge. A human reads
+      # the analysis and decides whether to proceed.
+
+      - name: Auto-merge patch
+        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
+        run: gh pr merge --auto --squash "$PR_URL" --body "$BODY"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BODY: |
+            This patch update was merged automatically since patch-level
+            changes carry minimal risk of breaking existing functionality.
+
+            Compatibility score: ${{ steps.metadata.outputs.compatibility-score }}%
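Review bot: The step `uses: dependabot/fetch-metadata@v2` floats on a mutable tag, yet its `update-type` output is the only thing deciding whether a PR is approved and merged under a `contents: write` token; pin it to a release's full commit SHA with a trailing `# v2.x.y` comment so the decision logic cannot be swapped by a tag move (Dependabot's github-actions updater keeps SHA pins current, so the pin does not add maintenance). Separately, `gh pr merge --auto` only waits for checks that branch protection or a ruleset marks as required; with none required the patch PR merges right after the approve step, so the header claim "auto-merge after CI passes" depends on repository settings this diff does not show. I would state that dependency next to the merge step, e.g. `# --auto defers to required status checks on main; without them this merges immediately after approval`. The approval also satisfies a "require one review" rule, which is the intent but worth saying in the same comment.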