diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 000000000..9bcde8455
--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,50 @@
+# Copyright 2026 The TensorFlow Quantum Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============================================================================
+
+version: 2
+updates:
+ - package-ecosystem: "pip"
+ directory: "/"
+ exclude-paths:
+ - "third_party/**"
+ schedule:
+ interval: "monthly"
+ versioning-strategy: "increase-if-necessary"
+ labels:
+ - "area/dependencies"
+ - "area/python"
+ - "area/health"
+
+ - package-ecosystem: "github-actions"
+ # The "github-actions" code explicitly looks in /.github/workflows if the
+ # value "/" is given for the directory attribute. Yes, that's confusing.
+ directory: "/"
+ schedule:
+ interval: "monthly"
+ groups:
+ # Ideally, we would group all monthly updates together into 1 group,
+ # but Dependabot does not support that. The best we can do is 2 groups.
+ actions-version-updates:
+ applies-to: "version-updates"
+ patterns:
+ - "*"
+ actions-security-updates:
+ applies-to: "security-updates"
+ patterns:
+ - "*"
+ labels:
+ - "area/devops"
+ - "area/health"
+ - "kind/chore"
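Review bot: The comment above `actions-version-updates` calls both groups "monthly updates", but `schedule.interval` governs version updates only. Dependabot raises security updates when an advisory is published, and the `actions-security-updates` group takes effect only if Dependabot security updates are enabled in the repository settings, which this file cannot turn on. I would extend the comment with something like `# Security updates are advisory-driven, not monthly, and require Dependabot security updates to be enabled for the repo.` The `pip` entry defines no `groups`, so its security fixes would arrive as one pull request per package; if that asymmetry is intentional, a one-line comment there would say so.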