chore: add Dependabot auto-merge workflow for patch/minor updates

[Copilot]

Dependabot PRs for patch/minor bumps pile up waiting for manual approval due to branch protection requiring 1 review + 9 status checks. This adds a workflow to auto-approve and squash-merge those PRs once CI passes, while leaving major bumps for human review.

Summary

• Add .github/workflows/dependabot-auto-merge.yml triggered on pull_request_target, scoped to branches: [master] and types: [opened, synchronize, reopened, ready_for_review] to avoid firing on closed PRs or non-default branches
• Job gated on both github.actor == 'dependabot[bot]' and github.event.pull_request.user.login == 'dependabot[bot]' to strictly target Dependabot-authored PRs
• Uses dependabot/fetch-metadata pinned to commit SHA c9c4182 (v2.3.0) instead of a moving tag, consistent with the scorecard.yml supply-chain pinning pattern
• patch / minor → gh pr review --approve + gh pr merge --auto --squash; auto-merge fires only after all required branch-protection checks pass
• major → no action; remains in the queue for manual review (e.g., chore(deps): bump jose from 5.10.0 to 6.2.1 #41 jose, chore(deps): bump @prisma/client from 5.22.0 to 7.5.0 #43 prisma)
• Prerequisite comment in the workflow documents required repo settings: "Allow GitHub Actions to create and approve pull requests" and "Allow auto-merge"
• Both gh pr review --approve and gh pr merge --auto --squash steps emit a ::error:: workflow annotation with a direct link to the relevant repo setting if they fail (e.g. due to a 403), making misconfiguration immediately diagnosable in the Actions UI

AI Disclosure (optional)

• AI-assisted changes are included in this PR

Review Checklist

• Human review requested
• Tests added or updated where appropriate
• No secrets, tokens, cookies, or raw PII were added to code, logs, fixtures, or docs
• Security impact and remaining risks are described

Security impact: pull_request_target is scoped to branches: [master] and open PR event types only. The dual dependabot[bot] guard (actor + PR author) ensures the job cannot be triggered by a maintainer re-running the workflow. dependabot/fetch-metadata is pinned to a full commit SHA to mitigate supply-chain risk. No elevated token scopes beyond contents: write and pull-requests: write are granted. Major version bumps are explicitly excluded from auto-merge.

Original prompt

Problem

The TrustSignal repo has branch protection rules requiring 1 approving review + 9 status checks before merging. This means Dependabot PRs for safe patch/minor dependency bumps pile up and require manual approval each time. Currently there are 5 blocked Dependabot PRs (#90, #89, #87, #42, #38).

Solution

Create a new GitHub Actions workflow at .github/workflows/dependabot-auto-merge.yml that:

1. Triggers on pull_request_target events
2. Only runs when the PR author is dependabot[bot]
3. Fetches Dependabot metadata using dependabot/fetch-metadata@v2 to determine the update type
4. Auto-approves the PR using gh pr review --approve for patch and minor version updates
5. Enables auto-merge using gh pr merge --auto --squash for patch and minor updates
6. For major version bumps, it should NOT auto-approve or auto-merge (those need human review)

Workflow file: .github/workflows/dependabot-auto-merge.yml

name: Dependabot auto-merge
on: pull_request_target

permissions:
  contents: write
  pull-requests: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

      - name: Auto-approve patch and minor updates
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Enable auto-merge for patch and minor updates
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Requirements

• The workflow should be placed at .github/workflows/dependabot-auto-merge.yml
• Only auto-approve and auto-merge for semver-patch and semver-minor updates
• Major version bumps should be left for human review
• Use pull_request_target (not pull_request) since Dependabot PRs come from forks/bot branches
• Use squash merge strategy
• The base branch is master (not main) for this repo

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: fix security vaul

Assistant: It looks like your message got cut off. Could you please provide more details about what you'd like to do?

Based on what I can see, it seems like you might want to:

• Fix a security vulnerability in a repository related to a "vault" component
• Create an issue or PR related to a security fix

Could you clarify:

1. What repository are you working with? (in owner/repo format)
2. What specific security issue are you looking to fix?
3. What action would you like me to take? (e.g., create an issue, open a PR, search for vulnerabilities, etc.)

User: can you go through all of the issues and pr for trustsignal-dev and resolve what you. can and what you can t resollvelet me know what tod

Assistant:

Let me start by finding the repository and then go through all the issues and PRs.

Assistant: Now let me fetch all open issues and PRs from the repos that have them (TrustSignal has 15, v0-signal-new has 3, TrustSignal-App has 2):

Assistant: Here's a full audit of all 20 open PRs across the 3 active repos in the TrustSignal-dev org. I've categorized each by what I can resolve vs. what needs your manual action.

---

📊 Full Inventory

Repo 1: TrustSignal-dev/TrustSignal — 15 open PRs (all PRs, no standalone issues)

data:
- url: "https://github.com/TrustSignal-dev/TrustSignal/pull/92"
  repository: "TrustSignal-dev/TrustSignal"
  state: "open"
  draft: false
  title: "feat: add missing security workflows (dependency-review, trivy, zizmor)"
  number: 92
  created_at: "2026-03-28T00:00:00Z"
  closed_at: ""
  merged_at: ""
  labels: []
  author: "chrismaz11"
  comments: 1
- url: "https://github.com/TrustSignal-dev/TrustSignal/pull/91"
  repository: "TrustSignal-dev/TrustSignal"
  state: "open"
  draft: false
  title: "fix(api): verification engine modules, security hardening, new packages"
  number: 91
  created_at: "2026-03-28T00:00:00Z"
  closed_at: ""
  merged_at: ""
  labels: []
  author: "chrismaz11"
  comments: 1
- url: "https://github.com/TrustSignal-dev/TrustSignal/pull/90"
  repository: "TrustSignal-dev/TrustSignal"
  state: "open"
  draft: false
  title: "chore(deps): bump the npm_and_yarn group across 1 directory with 1 update"
  number: 90
  created_at: "2026-03-28T00:00:00Z"
  closed_at: ""
  merged_at: ""
  labels:
  - "dependen...

</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

*This pull request was created from Copilot chat.*
>

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
api	Ready	Preview, Comment	Apr 1, 2026 9:46am
trustsignal	Ready	Preview, Comment	Apr 1, 2026 9:46am

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ec2959df52

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Copilot]

Pull request overview

Adds an automation workflow to reduce Dependabot patch/minor PR backlog by auto-approving and enabling squash auto-merge once required CI checks pass, while leaving major updates for manual review.

Changes:

• Introduces a pull_request_target workflow that runs only for Dependabot-triggered events.
• Uses dependabot/fetch-metadata@v2 to detect semver update type.
• Auto-approves and enables auto-merge (squash) for patch/minor updates.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.