diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..967d7ed
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,63 @@
+# Dependabot version-update configuration for mcp-clipboard.
+#
+# Two ecosystems are tracked:
+# - pip: runtime + dev dependencies declared in
+# pyproject.toml (also picks up uv.lock so bumps
+# stay reproducible)
+# - github-actions: workflow files under .github/workflows/
+# (CI matrix, publish workflows, label automation)
+#
+# Schedule is weekly (Monday 06:00 America/Chicago) so PRs don't pile
+# up faster than they can be reviewed solo. Each ecosystem groups its
+# updates into a single PR per week to reduce notification noise.
+#
+# Labels named here are applied only if they already exist on the
+# repo; Dependabot does not auto-create labels. The label-automation
+# workflows handle the QA-flow labels separately.
+#
+# Docs:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+ # Python deps: pyproject.toml + uv.lock at the repo root.
+ # Covers runtime (mcp[cli]) and the dev extras declared in
+ # pyproject.toml.
+ - package-ecosystem: "pip"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "06:00"
+ timezone: "America/Chicago"
+ open-pull-requests-limit: 5
+ groups:
+ python:
+ patterns:
+ - "*"
+ labels:
+ - "dependencies"
+ - "python"
+ commit-message:
+ prefix: "chore"
+ include: "scope"
+
+ # GitHub Actions used by .github/workflows/*.yml.
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "06:00"
+ timezone: "America/Chicago"
+ open-pull-requests-limit: 5
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+ labels:
+ - "dependencies"
+ - "github-actions"
+ commit-message:
+ prefix: "chore"
+ include: "scope"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8402046..a1d56d8 100644
--- a/CHANGELOG.md
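Review bot: The header comment and the `# Python deps` comment both say the `pip` entry covers `uv.lock`, but as far as I know Dependabot's `pip` ecosystem does not rewrite uv lockfiles; that is handled by the separate `uv` ecosystem. If installs resolve from `uv.lock`, a bump to `pyproject.toml` alone would leave the locked versions (the ones actually installed) unchanged, so either confirm the lockfile changes on the first Dependabot PR or switch the entry to `package-ecosystem: "uv"`. Separately, both groups use the catch-all `"*"` pattern with no `update-types`, so a major bump of an action or a dependency lands in the same PR as routine minor and patch bumps. Adding `update-types: ["minor", "patch"]` to each group would keep majors as individual PRs that get reviewed on their own.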
+++ b/CHANGELOG.md @@ -4,6 +4,17 @@ All notable changes to this project will be documented here. ## [Unreleased] +### Added +- Dependabot version-update configuration (`.github/dependabot.yml`) + for pip and github-actions ecosystems. Weekly schedule (Monday + 06:00 America/Chicago), grouped per ecosystem to reduce noise. + Commit-message uses `prefix: chore` with `include: scope` so + Dependabot's auto-appended `(deps)` scope yields canonical + `chore(deps): bump ` subjects (avoids the doubled-prefix + failure mode documented in the dependabot-pr-hygiene playbook). + Labels `dependencies`, `python`, and `github-actions` are + pre-created on the repo so PRs are categorized on creation. + ### Changed - Add `workflow_dispatch:` trigger to `pr-labels-ci.yml` to restore template parity with `cmeans/yt-dont-recommend`. Gives maintainers a