diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f6e1c9d..bb43ea7 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,7 +8,18 @@ updates:
 directory: '/'
 schedule:
 interval: 'weekly'
+ # Wait before opening a bump PR so we don't churn on a release
+ # that gets retracted or superseded shortly after it ships.
+ cooldown:
+ default-days: 7
+ open-pull-requests-limit: 15
 - package-ecosystem: 'github-actions'
 directory: '/'
 schedule:
 interval: 'weekly'
+ # Wait before opening a bump PR so we don't churn on a release
+ # that gets retracted or superseded shortly after it ships.
+ # This is required to satisfy the zizmor workflow auditing tool.
+ cooldown:
+ default-days: 7
+ open-pull-requests-limit: 15
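Review bot: The comments above both `cooldown:` blocks give release churn as the reason, but the protective value of a seven-day delay is that a freshly published version that turns out to be compromised has time to be reported and pulled before a bump PR proposes it; the zizmor remark on the github-actions entry hints at this and the first entry does not mention it at all. I would reword both to something like `# Hold version bumps for 7 days so a malicious or broken release can be caught and yanked before we adopt it.` As far as I know the cooldown applies only to version updates and Dependabot security updates are still opened immediately, which is worth stating in the comment so nobody reads the delay as slowing down fixes. The new `open-pull-requests-limit: 15` is not explained anywhere in the hunk, so a short comment on why the limit is raised above the default would help; the first entry's `package-ecosystem` line sits above the hunk, so which ecosystem it covers is not visible here.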