Weekly scan to open PRs upgrading third-party actions used in CI. pip dependencies remain pinned and are covered by Dependabot security updates separately.
