diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..d8dbde0
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,33 @@
+version: 2
+
+updates:
+ - package-ecosystem: "uv"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 5
+ commit-message:
+ prefix: "deps"
+ labels:
+ - "dependencies"
+ groups:
+ uv-minor-and-patch:
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 3
+ commit-message:
+ prefix: "deps"
+ labels:
+ - "dependencies"
+ groups:
+ github-actions:
+ patterns:
+ - "*"
diff --git a/scripts/README.md b/scripts/README.md
index f091b1c..e7c9608 100644
--- a/scripts/README.md
+++ b/scripts/README.md
@@ -21,4 +21,5 @@ Executable scripts live in this directory. This file is the entry index for the
 ## Notes
 - `doctor.sh` and `dependency_health.sh` intentionally remain separate entrypoints and share common prerequisites through [`health_common.sh`](./health_common.sh).
+- [`.github/dependabot.yml`](../.github/dependabot.yml) enables weekly Dependabot version updates for `uv` and GitHub Actions with grouped low-risk updates, while `dependency_health.sh` remains the explicit review/audit entrypoint.
 - External conformance experiments remain intentionally separate from the default regression path. See [`../docs/conformance.md`](../docs/conformance.md).
diff --git a/tests/scripts/test_script_health_contract.py b/tests/scripts/test_script_health_contract.py
index eb8382c..8a22843 100644
--- a/tests/scripts/test_script_health_contract.py
+++ b/tests/scripts/test_script_health_contract.py
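Review bot: In `.github/dependabot.yml`, the `github-actions` group matches `"*"` with no `update-types`, so major action bumps are batched into the same pull request as minor and patch ones, unlike the `uv-minor-and-patch` group above it. That does not match the README's "grouped low-risk updates" wording, and it makes a breaking or permission-changing action release easier to miss in review. Restrict the group the same way by adding `update-types:` with `- "minor"` and `- "patch"` under `github-actions:`, so majors arrive as individual pull requests. Neither entry sets a `cooldown` (for example `default-days`), so a release can be proposed in the week it is published; a short delay is worth considering where the ecosystem supports it, since this file now feeds the dependency intake path.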
@@ -8,6 +8,7 @@
 COVERAGE_GATE_TEXT = Path("scripts/check_coverage.py").read_text()
 SCRIPTS_INDEX_TEXT = Path("scripts/README.md").read_text()
 PYPROJECT_TEXT = Path("pyproject.toml").read_text()
+DEPENDABOT_TEXT = Path(".github/dependabot.yml").read_text()
 def test_shared_repo_health_prerequisites_live_in_common_helper() -> None:
@@ -45,6 +46,15 @@ def test_scripts_index_documents_split_health_entrypoints() -> None:
 assert "external A2A conformance experiment entrypoint" in SCRIPTS_INDEX_TEXT
 assert "dependency review entrypoint" in SCRIPTS_INDEX_TEXT
 assert "health_common.sh" in SCRIPTS_INDEX_TEXT
+ assert "weekly Dependabot version updates" in SCRIPTS_INDEX_TEXT
+
+
+def test_dependabot_configuration_covers_uv_and_github_actions() -> None:
+ assert 'package-ecosystem: "uv"' in DEPENDABOT_TEXT
+ assert 'package-ecosystem: "github-actions"' in DEPENDABOT_TEXT
+ assert "open-pull-requests-limit: 5" in DEPENDABOT_TEXT
+ assert "open-pull-requests-limit: 3" in DEPENDABOT_TEXT
+ assert "uv-minor-and-patch" in DEPENDABOT_TEXT
 def test_conformance_script_keeps_external_experiment_scope() -> None:
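Review bot: The new `test_dependabot_configuration_covers_uv_and_github_actions` matches substrings anywhere in the file, so the two `open-pull-requests-limit` values are not tied to their ecosystems (swapping 5 and 3 still passes), and nothing pins the `update-types` restriction that keeps major upgrades out of the grouped pull request. Splitting the text per entry keeps the test dependency-free: `uv_entry, actions_entry = DEPENDABOT_TEXT.split("- package-ecosystem:")[1:]`, then `assert "open-pull-requests-limit: 5" in uv_entry` and `assert '- "minor"' in uv_entry`. `DEPENDABOT_TEXT` in the first hunk is also read at import time from a path relative to the working directory, as the neighbouring constants are, so a missing file fails collection of the whole module rather than this one test.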