diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..15e32e0
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,26 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore(ci)"
+
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore(deps)"
+    groups:
+      python-minor:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
diff --git a/tests/test_ci_workflow.py b/tests/test_ci_workflow.py
index 613f32d..d739b14 100644
--- a/tests/test_ci_workflow.py
+++ b/tests/test_ci_workflow.py
@@ -28,3 +28,12 @@ def test_github_actions_are_pinned_to_commit_shas() -> None:
     ]
 
     assert offenders == []
+
+
+def test_dependabot_tracks_ci_and_python_updates() -> None:
+    config = ROOT / ".github" / "dependabot.yml"
+
+    assert config.exists()
+    content = config.read_text()
+    assert 'package-ecosystem: "github-actions"' in content
+    assert 'package-ecosystem: "pip"' in content