diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 1d2d7036120ab..4c1f82202a719 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,6 +4,8 @@ updates: directory: "/" schedule: interval: weekly + day: "sunday" + time: "09:00" # 9am UTC ignore: # Deprecated APIs, requires manual changes. # TODO(xacrimon): Update Firestore and solve deprecations. @@ -29,6 +31,10 @@ updates: - dependency-name: github.com/vulcand/predicate # TODO(tross): Update after Firestore is updated - dependency-name: google.golang.org/genproto + # TODO(tross): Update after Firestore is updated + - dependency-name: cloud.google.com/go/iam + # TODO(tross): Update after /x/crypto is updated + - dependency-name: github.com/go-webauthn/webauthn open-pull-requests-limit: 10 reviewers: - codingllama @@ -39,6 +45,8 @@ updates: directory: "/api" schedule: interval: weekly + day: "sunday" + time: "09:00" # 9am UTC ignore: # TODO(codingllama): Allow /x/crypto updates after upstream patch. - dependency-name: golang.org/x/crypto @@ -54,6 +62,8 @@ updates: directory: "/" schedule: interval: weekly + day: "sunday" + time: "09:00" # 9am UTC open-pull-requests-limit: 10 reviewers: - codingllama diff --git a/.github/workflows/assign.yaml b/.github/workflows/assign.yaml index c3b5be8e993b1..e03927799bfe7 100644 --- a/.github/workflows/assign.yaml +++ b/.github/workflows/assign.yaml @@ -30,7 +30,7 @@ permissions: jobs: auto-request-review: name: Auto Request Review - if: ${{ !github.event.pull_request.draft }} + if: ${{ !github.event.pull_request.draft && !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-latest steps: # Checkout main branch of shared-workflow repository. diff --git a/.github/workflows/build-macos.yaml b/.github/workflows/build-macos.yaml index 5d6de4fefe5d3..f2ba3bcf4e3f3 100644 --- a/.github/workflows/build-macos.yaml +++ b/.github/workflows/build-macos.yaml 
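Review bot: The two `ignore` entries added in the second dependabot.yml hunk (`cloud.google.com/go/iam` and `github.com/go-webauthn/webauthn`) have no version bound and no tracking reference, so nothing visible here ends the ignore once the blocker is cleared. `github.com/go-webauthn/webauthn` is authentication code, and an open-ended ignore means Dependabot stops proposing version updates for it. Whether a bare `dependency-name` entry also suppresses Dependabot security updates should be confirmed against the Dependabot documentation. I would extend the comment to name the blocker, e.g. `# TODO(tross): Update after /x/crypto is updated (tracking: <issue link>)`. The `ignore:` list itself starts outside this hunk.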
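Review bot: The condition added in assign.yaml, `!startsWith(github.head_ref, 'dependabot/')`, keys the skip on the head branch name, which is chosen by whoever opens the pull request, not on who authored it. Any PR whose branch begins with `dependabot/` would skip this job, and the same test is added to check.yaml (`check-reviews`), label.yaml, codeql.yml, cifuzz.yml, dependency-review.yaml, lint.yaml and the build, integration-test and unit-test workflows. If any of these are required status checks, a job skipped by `if:` is normally reported as passing, so the reviewer check and the security scans could be bypassed by branch naming alone. Consider testing the PR author instead, e.g. `if: ${{ !github.event.pull_request.draft && github.event.pull_request.user.login != 'dependabot[bot]' }}`, and applying the same author test in the other files.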
@@ -19,6 +19,7 @@ on: jobs: build: name: Build on Mac OS + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: macos-12 # TODO(r0mant): Update with large runner when it's available permissions: diff --git a/.github/workflows/build-windows.yaml b/.github/workflows/build-windows.yaml index bc09713a7d15a..be18f546905d7 100644 --- a/.github/workflows/build-windows.yaml +++ b/.github/workflows/build-windows.yaml @@ -18,6 +18,7 @@ on: jobs: build: name: Build on Windows + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: windows-2022-16core permissions: diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml index dabd2720f75f2..2ece9dd01749c 100644 --- a/.github/workflows/check.yaml +++ b/.github/workflows/check.yaml @@ -32,7 +32,7 @@ permissions: jobs: check-reviews: name: Checking reviewers - if: ${{ !github.event.pull_request.draft }} + if: ${{ !github.event.pull_request.draft && !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-latest steps: # Checkout main branch of shared-workflow repository. diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml index 1499bd7e188f7..9a673726b4b09 100644 --- a/.github/workflows/cifuzz.yml +++ b/.github/workflows/cifuzz.yml @@ -18,6 +18,7 @@ on: jobs: fuzzing: + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} name: Fuzzing runs-on: ubuntu-22.04-32core permissions: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5c3c58f2b9304..59d6b2a2e9b26 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -17,6 +17,7 @@ on: jobs: analyze: name: Analyze + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-22.04-32core permissions: actions: read diff --git a/.github/workflows/dependabot-batcher.yaml b/.github/workflows/dependabot-batcher.yaml new file mode 100644 index 0000000000000..2cf6d88b692c8 --- /dev/null +++ b/.github/workflows/dependabot-batcher.yaml 
@@ -0,0 +1,27 @@ +# This workflow combines all open Dependabot PRs into a single batched +# PR, links all the Dependabot PRs to the new one, and closes all the +# Dependabot PRs. The schedule is set to exactly 12 hours after the +# Dependabot schedule. +# +# All workflows that run on PR should be skipped for Dependabot PRs +# to prevent wasting CI cycles. +name: 'Dependabot Batcher' +on: + workflow_dispatch: + schedule: + - cron: '0 21 * * 0' # At 9:00 PM every Sunday + +permissions: + pull-requests: write + contents: write + +jobs: + dependabot-batcher: + name: 'Combine Dependabot PRs' + runs-on: ubuntu-latest + steps: + - name: 'Dependabot Batcher' + uses: Legal-and-General/dependabot-batcher@v1.0.2 + with: + token: ${{ secrets.GITHUB_TOKEN }} #required + baseBranchName: 'master' diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml index 5eb64ee3c73ad..1033917e0c578 100644 --- a/.github/workflows/dependency-review.yaml +++ b/.github/workflows/dependency-review.yaml @@ -5,6 +5,7 @@ on: jobs: dependency-review: + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} uses: gravitational/shared-workflows/.github/workflows/dependency-review.yaml@main permissions: contents: read diff --git a/.github/workflows/doc-tests.yaml b/.github/workflows/doc-tests.yaml index c4800de972371..e7ecc07e38bfe 100644 --- a/.github/workflows/doc-tests.yaml +++ b/.github/workflows/doc-tests.yaml @@ -9,6 +9,7 @@ on: jobs: doc-tests: name: Lint (Docs) + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-latest permissions: diff --git a/.github/workflows/integration-tests-non-root.yaml b/.github/workflows/integration-tests-non-root.yaml index 72c4c714f2789..829a2bee27684 100644 --- a/.github/workflows/integration-tests-non-root.yaml +++ b/.github/workflows/integration-tests-non-root.yaml 
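Review bot: The step `uses: Legal-and-General/dependabot-batcher@v1.0.2` in dependabot-batcher.yaml references a third-party action by tag, which can be repointed, while the workflow grants it `contents: write` and `pull-requests: write`. Pinning to the full commit SHA of the reviewed release, `uses: Legal-and-General/dependabot-batcher@<full-commit-sha> # v1.0.2`, keeps the code that receives the token fixed. Separately, pull requests created with `secrets.GITHUB_TOKEN` do not normally trigger other workflow runs. The combined PR may therefore open without the CodeQL, dependency-review and test jobs that this commit skips on the individual Dependabot PRs, so it is worth confirming, and stating in the header comment, how the batched PR gets its checks.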
@@ -16,6 +16,7 @@ on: jobs: test: name: Integration Tests (Non-root) + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-22.04-16core permissions: diff --git a/.github/workflows/integration-tests-root.yaml b/.github/workflows/integration-tests-root.yaml index 6fb697736c385..5ef21233e7b24 100644 --- a/.github/workflows/integration-tests-root.yaml +++ b/.github/workflows/integration-tests-root.yaml @@ -16,6 +16,7 @@ on: jobs: test: name: Integration Tests (Root) + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-22.04-16core permissions: diff --git a/.github/workflows/label.yaml b/.github/workflows/label.yaml index cb19fb81702ee..28f60ba2f164c 100644 --- a/.github/workflows/label.yaml +++ b/.github/workflows/label.yaml @@ -30,7 +30,7 @@ permissions: jobs: auto-label-pr: name: Label Pull Request - if: ${{ !github.event.pull_request.draft }} + if: ${{ !github.event.pull_request.draft && !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-latest steps: # Checkout main branch of shared-workflow repository. diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 6dfff140e242d..4d32b681fb790 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -8,6 +8,7 @@ on: jobs: lint: + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} name: Lint (Go) runs-on: ubuntu-22.04-16core diff --git a/.github/workflows/os-compatibility-test.yaml b/.github/workflows/os-compatibility-test.yaml index 876f9fe982f18..14846a1b26ba5 100644 --- a/.github/workflows/os-compatibility-test.yaml +++ b/.github/workflows/os-compatibility-test.yaml @@ -9,6 +9,7 @@ on: jobs: build: name: OS Compatibility Build + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-22.04-16core permissions: diff --git a/.github/workflows/unit-tests-code.yaml b/.github/workflows/unit-tests-code.yaml index d7d07313eb577..457d2aae15d2e 100644 --- a/.github/workflows/unit-tests-code.yaml 
+++ b/.github/workflows/unit-tests-code.yaml @@ -16,6 +16,7 @@ on: jobs: test: name: Unit Tests (Go) + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-22.04-32core permissions: diff --git a/.github/workflows/unit-tests-operator.yaml b/.github/workflows/unit-tests-operator.yaml index 65c8e6a90c66e..3d95d5b298564 100644 --- a/.github/workflows/unit-tests-operator.yaml +++ b/.github/workflows/unit-tests-operator.yaml @@ -18,6 +18,7 @@ on: jobs: test: name: Unit Tests (Operator) + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-22.04-16core permissions: diff --git a/.github/workflows/unit-tests-rust.yaml b/.github/workflows/unit-tests-rust.yaml index c68f76c91b8a5..f3812b9546858 100644 --- a/.github/workflows/unit-tests-rust.yaml +++ b/.github/workflows/unit-tests-rust.yaml @@ -16,6 +16,7 @@ on: jobs: test: name: Unit Tests (Rust) + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-latest permissions: