diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index da32536..0f54bf4 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,7 +1,7 @@
 version: 2
 updates:
   - package-ecosystem: npm
-    directory: /happyhq
+    directory: /
     schedule:
       interval: weekly
     open-pull-requests-limit: 5
diff --git a/happyhq/.dev/dependency-rules.md b/happyhq/.dev/dependency-rules.md
index caa7eac..156a49b 100644
--- a/happyhq/.dev/dependency-rules.md
+++ b/happyhq/.dev/dependency-rules.md
@@ -14,7 +14,7 @@ Apply in order — bail at the earliest stop. The first three are evaluable from
 
 | #   | Condition                                                                                                                                                                                                                      | Label applied                      | What unblocks it                                     |
 | --- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------- | ---------------------------------------------------- |
-| 1   | PR diff would touch `happyhq/ee/`, `.github/`, CI workflows, `dependabot.yml`, or licensing files                                                                                                                              | `ralphie:skip-out-of-scope`        | Maintainer scopes the change; remove label           |
+| 1   | PR diff would touch `happyhq/ee/`, `.github/`, CI workflows, `dependabot.yml`, or licensing files — **except** PRs from the `dependabot/github_actions/*` branch family where the diff is limited to `uses:` line changes in workflow files (those are mechanical version pins, not authored CI edits, and are eligible for Phase 2) | `ralphie:skip-out-of-scope`        | Maintainer scopes the change; remove label           |
 | 2   | CI on the PR is red and the failure is unrelated to the version bump (infra flake, lint config drift, network timeout, etc.)                                                                                                   | `ralphie:skip-ci-red`              | Investigate the CI failure; remove label             |
 | 3   | Update is one of: framework major (`next`, `react`, `react-dom`); security-sensitive runtime major (auth, crypto, billing — e.g., `stripe` ≥2 majors at once, `instantdb`, JWT/OIDC libs); pre-1.0 → 1.0 jump on a runtime dep | `ralphie:skip-manual-upgrade`      | Maintainer upgrades and reviews; remove label        |
 | 4   | (Phase 2) Fixups would exceed 10 files or 300 lines net added (`*.md`/`*.mdx` and lockfile/package.json excluded from the count)                                                                                               | `ralphie:skip-too-big`             | Scope it down or do it manually                      |