diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 4f7d58111..4d2e05c22 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,3 +1,14 @@
+# Dependabot configuration
+#
+# Grouping behavior (see inline comments for details):
+# - Minor + patch updates: grouped into a single PR per ecosystem
+# - Major version bumps: individual PR per dependency
+# - Security updates: individual PR per dependency
+#
+# Note: "patch" refers to semver version bumps (1.2.3 -> 1.2.4), not security fixes.
+# Security updates are identified separately via GitHub's Advisory Database and
+# can be any version bump (patch, minor, or major) that fixes a known CVE.
+
 version: 2
 
 updates:
@@ -5,23 +16,35 @@ updates:
   - package-ecosystem: gomod
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "weekly"
+      day: "friday"
     open-pull-requests-limit: 10
     labels:
       - "dependencies"
+    groups:
+      go-minor-patch:
+        applies-to: version-updates # security updates get individual PRs
+        patterns:
+          - "*"
+        update-types: # major omitted, gets individual PRs
+          - "minor"
+          - "patch"
 
   - package-ecosystem: "github-actions"
-    directory: "/"
+    directories:
+      - "/"
+      - "/.github/actions/bootstrap"
     schedule:
-      interval: "daily"
-    open-pull-requests-limit: 10
-    labels:
-      - "dependencies"
-
-  - package-ecosystem: "github-actions"
-    directory: "/.github/actions/bootstrap"
-    schedule:
-      interval: "daily"
+      interval: "weekly"
+      day: "friday"
     open-pull-requests-limit: 10
     labels:
       - "dependencies"
+    groups:
+      actions-minor-patch:
+        applies-to: version-updates # security updates get individual PRs
+        patterns:
+          - "*"
+        update-types: # major omitted, gets individual PRs
+          - "minor"
+          - "patch"
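Review bot: The header comment states that security updates get an individual PR per dependency, but nothing in this file turns security updates on; dependabot.yml only configures version updates, and whether Dependabot raises security-update PRs at all is governed by the repository's "Dependabot security updates" setting, which a reader of this comment would reasonably assume is already covered. Suggest appending to the note block: `# Security updates are raised outside the weekly schedule, and only if "Dependabot security updates" is enabled in the repository's security settings.` That keeps the comment from overstating what this config guarantees.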
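Review bot: The `patterns: - "*"` groups with `update-types` limited to minor and patch fold every routine bump for an ecosystem into one PR, so a single questionable module change (for Go, many pre-1.0 modules treat a minor bump as breaking) cannot be rejected without holding back the whole group; if some dependencies warrant individual review, add an `exclude-patterns:` list under the group so they keep their own PRs. Moving both ecosystems to `interval: "weekly"` with `day: "friday"` also means version-only fixes that never receive an advisory now wait up to a week and arrive right before the weekend; if that was not the intent, `day: "monday"` lines them up with the start of the review cycle. The two `groups` blocks carry identical inline comments, which is fine, but a one-line comment above `groups:` noting that the two blocks are meant to stay in lockstep would save a future edit from diverging them.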