From d9059ac3ff6299469f20f5bba30fed598f5d6e56 Mon Sep 17 00:00:00 2001
From: Anna Scholtz
Date: Fri, 12 Jun 2026 11:16:46 -0700
Subject: [PATCH 1/2] [DENG-8512] CI workflow to auto-approve dependabot PRs

---
 .github/workflows/dependabot-auto-merge.yml | 30 +++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 .github/workflows/dependabot-auto-merge.yml

diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
new file mode 100644
index 00000000000..1057c60e03a
--- /dev/null
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,30 @@
+name: Dependabot auto-merge
+on: pull_request
+
+permissions:
+ contents: read # GITHUB_TOKEN stays read-only; the App token does the writes
+
+jobs:
+ auto-merge:
+ runs-on: ubuntu-latest
+ if: github.actor == 'dependabot[bot]'
+ steps:
+ - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+ id: app-token
+ with:
+ app-id: ${{ secrets.DEPENDABOT_APP_ID }}
+ private-key: ${{ secrets.DEPENDABOT_APP_PRIVATE_KEY }}
+
+ - uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
+ id: meta
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }} # read-only is fine for metadata
+
+ # only auto-merge patch/minor; majors fall through to a human
+ - if: contains(fromJSON('["version-update:semver-patch","version-update:semver-minor"]'), steps.meta.outputs.update-type)
+ env:
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
+ PR: ${{ github.event.pull_request.html_url }}
+ run: |
+ gh pr review --approve "$PR"
+ gh pr merge --auto --squash "$PR"

From 5cf69dcf1dcecd4bf6f5d4639d7a7dd58fbc40c0 Mon Sep 17 00:00:00 2001
From: Anna Scholtz
Date: Fri, 12 Jun 2026 11:31:24 -0700
Subject: [PATCH 2/2] fix zizmor

---
 .github/workflows/dependabot-auto-merge.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
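Review bot: The job-level `if:` and the patch/minor check decide on the PR's author and the size of the version bump, but nothing ties the approval to the content Dependabot actually pushed: `on: pull_request` also fires on `synchronize`, so any later commit pushed to the `dependabot/…` branch by an account with write access is approved and queued for merge by the App token under the same logic. That is acceptable only if branch protection requires status checks (`--auto` waits for them) and limits who may push to those branches; spell that dependency out above the last step, e.g. `# --auto merges only after required checks pass; branch protection must require them`. Separately, runs that Dependabot triggers on `pull_request` take secrets from the repository's Dependabot secrets store rather than the Actions store, so `DEPENDABOT_APP_ID` and `DEPENDABOT_APP_PRIVATE_KEY` must be defined there — worth a comment on the first step's `with:` block. The `permissions:` block sets only `contents: read`, which leaves `pull-requests` at none for `GITHUB_TOKEN`; if `fetch-metadata` needs more than the event payload, confirm the step still succeeds under that restriction.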
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 1057c60e03a..16bd32592a6 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -7,7 +7,7 @@ permissions:
 jobs:
 auto-merge:
 runs-on: ubuntu-latest
- if: github.actor == 'dependabot[bot]'
+ if: github.event.pull_request.user.login == 'dependabot[bot]'
 steps:
 - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
 id: app-token
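Review bot: The switch to `github.event.pull_request.user.login` tests the right identity, but the file does not record why, and a later maintainer may well shorten it back to `github.actor`; add a comment above the `if:` such as `# PR author, not run actor: github.actor changes when someone else re-runs the job or pushes to the branch`. The author check still only proves who opened the PR, not who pushed its current head, so the approve/merge step further down (outside this hunk) has to stay backed by branch protection. The `steps:` list continues past the end of the hunk.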