diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 60b670878..4f285be44 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,3 +1,4 @@
+# Dependabot PRs are auto-tidied by .github/workflows/dependabot-tidy.yml
 version: 2
 updates:
   - package-ecosystem: "github-actions"
@@ -26,3 +27,14 @@ updates:
       golang-x:
         patterns:
           - "golang.org/x/*"
+      opentelemetry:
+        patterns:
+          - "go.opentelemetry.io/*"
+      prometheus:
+        patterns:
+          - "github.com/prometheus/*"
+          - "contrib.go.opencensus.io/*"
+          - "go.opencensus.io"
+      uber:
+        patterns:
+          - "go.uber.org/*"
diff --git a/.github/workflows/dependabot-tidy.yml b/.github/workflows/dependabot-tidy.yml
new file mode 100644
index 000000000..49bdbc9f0
--- /dev/null
+++ b/.github/workflows/dependabot-tidy.yml
@@ -0,0 +1,61 @@
+# Dependabot only updates go.mod/go.sum in the root module, but this repo has
+# multiple Go modules (see docs/examples/). This workflow runs `make mod_tidy`
+# on Dependabot PRs to keep all go.sum files in sync, preventing go-check CI
+# failures.
+name: Dependabot Tidy
+
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: 'PR number to run mod_tidy on'
+        required: true
+        type: number
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  tidy:
+    if: github.actor == 'dependabot[bot]' || github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get PR info
+        id: pr
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            pr_number="${{ inputs.pr_number }}"
+          else
+            pr_number="${{ github.event.pull_request.number }}"
+          fi
+          echo "number=$pr_number" >> $GITHUB_OUTPUT
+          branch=$(gh pr view "$pr_number" --repo "${{ github.repository }}" --json headRefName -q '.headRefName')
+          echo "branch=$branch" >> $GITHUB_OUTPUT
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.pr.outputs.branch }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Run make mod_tidy
+        run: make mod_tidy
+      - name: Check for changes
+        id: git-check
+        run: |
+          if [[ -n $(git status --porcelain) ]]; then
+            echo "modified=true" >> $GITHUB_OUTPUT
+          fi
+      - name: Commit changes
+        if: steps.git-check.outputs.modified == 'true'
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add -A
+          git commit -m "chore: run make mod_tidy"
+          git push
diff --git a/go.mod b/go.mod
index 109a2ca99..10124e22e 100644
--- a/go.mod
+++ b/go.mod
@@ -271,3 +271,10 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.4.1 // indirect
 )
+
+// Exclude ancient +incompatible versions that confuse Dependabot.
+// These pre-Go-modules versions reference packages that no longer exist.
+exclude (
+	github.com/ipfs/go-ipfs-cmds v2.0.1+incompatible
+	github.com/libp2p/go-libp2p v6.0.23+incompatible
+)