Make dependency alerts the default signal

Author: mnkiefer

.github/workflows/dependabot-campaign.lock.yml

@@ -4,9 +4,9 @@ on:
   workflow_call:
     inputs:
       dependency-source:
-        description: Which dependency signals to process. Use auto to prefer PRs when present and fall back to security alerts.
+        description: Which dependency signals to process. Use alerts for the new default, or choose auto to prefer PRs when they are present.
         required: false
-        default: auto
+        default: alerts
         type: string
       mode:
         description: Operating mode for the caller repository or control plane.
@@ -107,7 +107,7 @@ Do not create custom databases or external trackers.
 
 Continuously reduce dependency risk and keep dependency remediation moving safely. Default to the lightweight path, and use campaign-style coordination only when project tracking or escalated routing adds value.
 
-Use `dependency-source`, `mode`, `project-sync`, and `summary-issue` as runtime toggles. Treat this workflow file as the source of truth for both policy and enrolled repositories.
+Use `dependency-source`, `mode`, `project-sync`, and `summary-issue` as runtime toggles. Default to `alerts` unless the caller explicitly wants PR-first handling. Treat this workflow file as the source of truth for both policy and enrolled repositories.
 
 ## Scope
 

.github/workflows/dependabot-campaign.md

@@ -57,7 +57,7 @@ The campaign workflow supports three signal modes through the `dependency-source
 - `prs`: operate only on Dependabot PRs
 - `alerts`: operate only on dependency security alerts, even if no PRs are raised
 
-Use `auto` as the default when you want one workflow that still works if a repository later moves away from opening Dependabot PRs.
+Use `alerts` as the default when you want security alerts to drive dependency operations without depending on Dependabot PRs. Choose `auto` only when you explicitly want PR-first behavior with an alerts fallback.
 
 ## Add To Another Repo