From 99153ff7343c4ef377f7181c599b114a94636fb0 Mon Sep 17 00:00:00 2001
From: James
Date: Tue, 13 Jan 2026 10:52:59 +0000
Subject: [PATCH 1/4] mesh-2092: workflow pushes changes

---
 .github/workflows/dependabot-auto-merge.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
index bc523aa..bebb417 100644
--- a/.github/workflows/dependabot-auto-merge.yaml
+++ b/.github/workflows/dependabot-auto-merge.yaml
@@ -14,12 +14,16 @@ jobs:
 # Only run on Dependabot PRs
 if: github.event.pull_request.user.login == 'dependabot[bot]'
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 
 steps:
 - name: Checkout
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
 
 - name: Install Python 3.11
 uses: actions/setup-python@v4
@@ -38,6 +42,18 @@ jobs:
 - name: Lint (make lint)
 run: make lint
 
+ - name: Commit and push changes
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "github-actions[bot]@users.noreply.github.com"
+ if git status --porcelain | grep .; then
+ git add -A
+ git commit -m "mesh-2092: apply make update changes"
+ git push
+ else
+ echo "No changes to commit"
+ fi
+
 enable-automerge:
 # Only run on Dependabot PRs after make update succeeds
 if: github.event.pull_request.user.login == 'dependabot[bot]'
From 7dcd6f78453dbcdb7e29c3bbb7935570fd646a09 Mon Sep 17 00:00:00 2001
From: James
Date: Tue, 13 Jan 2026 11:14:49 +0000
Subject: [PATCH 2/4] mesh-2092: secure from parameter injection

---
 .github/workflows/dependabot-auto-merge.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
index bebb417..07150fc 100644
--- a/.github/workflows/dependabot-auto-merge.yaml
+++ b/.github/workflows/dependabot-auto-merge.yaml
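Review bot: `repository: ${{ github.event.pull_request.head.repo.full_name }}` together with `ref: ${{ github.event.pull_request.head.ref }}` checks the PR head out into a job that now carries `contents: write` and later runs `make install-ci` and `make update` from that tree, and the only thing restricting this to same-repository branches is the job-level `if:` on `user.login == 'dependabot[bot]'`. Dependabot opens its PRs from branches of this repository, so the `repository:` input adds nothing today and only becomes relevant if that guard is ever loosened to admit fork PRs; I would drop the line and keep the default same-repo checkout. On a plain `pull_request` trigger a fork PR's GITHUB_TOKEN is read-only whatever `permissions:` says, which limits the blast radius, but the job would still execute the head tree's build scripts. The enclosing job definition starts before this hunk.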
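Review bot: `git push` in the new step runs with the job's GITHUB_TOKEN, and commits pushed with that token do not start new `pull_request` workflow runs, so the amended head commit gets no CI run of its own while the `enable-automerge` job below goes on to enable merging for it; pushing under a GitHub App or deploy-key identity, or re-running the checks in this job after the commit, is needed for the commit that eventually merges to have been tested. Dependabot also typically stops rebasing a PR branch once another author has pushed to it, so later `@dependabot rebase` requests become manual. `git add -A` stages every untracked file that `make install-ci`/`make update` leave behind rather than only the dependency manifests; `git add -u` or an explicit path list is safer. The change test reads more directly as `if [ -n "$(git status --porcelain)" ]; then`.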
@@ -22,7 +22,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
- ref: ${{ github.event.pull_request.head.ref }}
+ ref: ${{ startsWith(github.event.pull_request.head.ref, 'dependabot/') && github.event.pull_request.head.ref || github.ref }}
 repository: ${{ github.event.pull_request.head.repo.full_name }}
 
 - name: Install Python 3.11
From af19943fdc5b99f8a8b6d5493887421ab5124e53 Mon Sep 17 00:00:00 2001
From: James
Date: Tue, 13 Jan 2026 12:58:36 +0000
Subject: [PATCH 3/4] mesh-2092: secure from parameter injection

---
 .github/workflows/dependabot-auto-merge.yaml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
index 07150fc..521b069 100644
--- a/.github/workflows/dependabot-auto-merge.yaml
+++ b/.github/workflows/dependabot-auto-merge.yaml
@@ -22,7 +22,6 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
- ref: ${{ startsWith(github.event.pull_request.head.ref, 'dependabot/') && github.event.pull_request.head.ref || github.ref }}
 repository: ${{ github.event.pull_request.head.repo.full_name }}
 
 - name: Install Python 3.11
@@ -43,13 +42,21 @@ jobs:
 run: make lint
 
 - name: Commit and push changes
+ env:
+ PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
 run: |
 git config user.name "github-actions[bot]"
 git config user.email "github-actions[bot]@users.noreply.github.com"
+
+ if [ -z "$PR_HEAD_REF" ] || ! echo "$PR_HEAD_REF" | grep -Eq '^dependabot/'; then
+ echo "PR head ref '$PR_HEAD_REF' is not a allowed Dependabot branch; skipping push."
+ exit 1
+ fi
+
+ if git status --porcelain | grep .; then
 git add -A
 git commit -m "mesh-2092: apply make update changes"
- git push
+ git push origin HEAD:"$PR_HEAD_REF"
 else
 echo "No changes to commit"
 fi
From d94909fea839b6b428406f7215fe61abd735dabb Mon Sep 17 00:00:00 2001
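Review bot: `git push origin HEAD:"$PR_HEAD_REF"` pushes whatever actions/checkout left at HEAD, and with the `ref:` input removed in the first hunk of this patch a checkout on a `pull_request` event defaults to the PR merge ref (`refs/pull/<n>/merge`), so the Dependabot branch receives a synthetic merge of the base branch plus the update commit instead of a commit on top of the PR head. Setting `ref: ${{ github.event.pull_request.head.sha }}` on the checkout step keeps the checkout pinned to the reviewed head without passing the branch name through a shell, and this step's branch validation still protects the push target. The guard's message says `skipping push` while `exit 1` fails the whole job, and "a allowed" is a typo; `echo "PR head ref '$PR_HEAD_REF' is not an allowed Dependabot branch; refusing to push."` matches what happens. The `[ -z "$PR_HEAD_REF" ]` test is redundant, since an empty string cannot match `^dependabot/`.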
From: James
Date: Tue, 13 Jan 2026 15:30:32 +0000
Subject: [PATCH 4/4] mesh-2092: remove make update and add auto approve

---
 .github/workflows/dependabot-auto-merge.yaml | 60 +++----------------
 1 file changed, 7 insertions(+), 53 deletions(-)

diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
index 521b069..6641bc7 100644
--- a/.github/workflows/dependabot-auto-merge.yaml
+++ b/.github/workflows/dependabot-auto-merge.yaml
@@ -10,61 +10,9 @@ on:
 - labeled
 
 jobs:
- dependabot-make-update:
- # Only run on Dependabot PRs
- if: github.event.pull_request.user.login == 'dependabot[bot]'
- runs-on: ubuntu-latest
- permissions:
- contents: write
-
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- with:
- fetch-depth: 0
- repository: ${{ github.event.pull_request.head.repo.full_name }}
- - name: Install Python 3.11
- uses: actions/setup-python@v4
- with:
- python-version: '3.11'
- - name: Install poetry
- run: python -m pip install --upgrade pip setuptools wheel poetry
- - name: Install project dependencies
- run: make install-ci
- - name: Update dependencies (make update)
- run: make update
- - name: Lint (make lint)
- run: make lint
- - name: Commit and push changes
- env:
- PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
- run: |
- git config user.name "github-actions[bot]"
- git config user.email "github-actions[bot]@users.noreply.github.com"
-
- if [ -z "$PR_HEAD_REF" ] || ! echo "$PR_HEAD_REF" | grep -Eq '^dependabot/'; then
- echo "PR head ref '$PR_HEAD_REF' is not a allowed Dependabot branch; skipping push."
- exit 1
- fi
-
- if git status --porcelain | grep .; then
- git add -A
- git commit -m "mesh-2092: apply make update changes"
- git push origin HEAD:"$PR_HEAD_REF"
- else
- echo "No changes to commit"
- fi
-
 enable-automerge:
- # Only run on Dependabot PRs after make update succeeds
+ # Only run on Dependabot PRs
 if: github.event.pull_request.user.login == 'dependabot[bot]'
- needs: dependabot-make-update
 runs-on: ubuntu-latest
 permissions:
 contents: write
@@ -77,6 +25,12 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 
+ - name: Auto-approve Dependabot PR
+ if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
+ uses: hmarr/auto-approve-action@v4
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
 - name: Enable auto-merge for Dependabot PRs
 if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
 run: gh pr merge --auto --squash "$PR_URL"
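Review bot: `uses: hmarr/auto-approve-action@v4` pins a third-party action by a mutable major tag in a step that hands it the GITHUB_TOKEN and whose effect is a review approval on the merge path; pin the full commit SHA and keep the version in a comment, `uses: hmarr/auto-approve-action@<full-commit-sha>  # v4`, so a retagged release cannot change what runs here. Approving through GITHUB_TOKEN needs the `pull-requests: write` scope; the job's `permissions:` block in the previous hunk is cut off after `contents: write`, so confirm that scope is granted or this step will fail rather than be skipped. Once github-actions[bot] approves, a required-approving-reviews branch rule is satisfied by the bot, so every semver-patch Dependabot PR now merges with no human review; the only gate is `steps.metadata.outputs.update-type` (the `metadata` step is outside this hunk), and it is worth stating explicitly in a comment above the step that this policy is intended for all ecosystems and for indirect as well as direct dependencies, or narrowing the condition if it is not.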