chore: add Dependabot auto-merge workflow for patch/minor updates

[Copilot]

Dependabot PRs for patch/minor bumps pile up waiting for manual approval due to branch protection requiring 1 review + 9 status checks. This adds a workflow to auto-approve and squash-merge those PRs once CI passes, while leaving major bumps for human review.

Summary

• Add .github/workflows/dependabot-auto-merge.yml triggered on pull_request_target, gated to dependabot[bot] actor only
• Uses dependabot/fetch-metadata@v2 to detect semver update type
• patch / minor → gh pr review --approve + gh pr merge --auto --squash; auto-merge fires only after all required branch-protection checks pass
• major → no action; remains in the queue for manual review (e.g., chore(deps): bump jose from 5.10.0 to 6.2.1 #41 jose, chore(deps): bump @prisma/client from 5.22.0 to 7.5.0 #43 prisma)

AI Disclosure (optional)

• AI-assisted changes are included in this PR

Review Checklist

• Human review requested
• Tests added or updated where appropriate
• No secrets, tokens, cookies, or raw PII were added to code, logs, fixtures, or docs
• Security impact and remaining risks are described

Security impact: pull_request_target + contents: write is the canonical GitHub pattern for Dependabot auto-merge. The dependabot[bot] actor guard and the existing 9-check branch-protection requirement together ensure only validated, bot-authored patch/minor bumps are merged automatically. No elevated token scopes beyond contents: write and pull-requests: write are granted. Major version bumps are explicitly excluded.

Original prompt

Problem

The TrustSignal repo has branch protection rules requiring 1 approving review + 9 status checks before merging. This means Dependabot PRs for safe patch/minor dependency bumps pile up and require manual approval each time. Currently there are 5 blocked Dependabot PRs (#90, #89, #87, #42, #38).

Solution

Create a new GitHub Actions workflow at .github/workflows/dependabot-auto-merge.yml that:

1. Triggers on pull_request_target events
2. Only runs when the PR author is dependabot[bot]
3. Fetches Dependabot metadata using dependabot/fetch-metadata@v2 to determine the update type
4. Auto-approves the PR using gh pr review --approve for patch and minor version updates
5. Enables auto-merge using gh pr merge --auto --squash for patch and minor updates
6. For major version bumps, it should NOT auto-approve or auto-merge (those need human review)

Workflow file: .github/workflows/dependabot-auto-merge.yml

name: Dependabot auto-merge
on: pull_request_target

permissions:
  contents: write
  pull-requests: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

      - name: Auto-approve patch and minor updates
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Enable auto-merge for patch and minor updates
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Requirements

• The workflow should be placed at .github/workflows/dependabot-auto-merge.yml
• Only auto-approve and auto-merge for semver-patch and semver-minor updates
• Major version bumps should be left for human review
• Use pull_request_target (not pull_request) since Dependabot PRs come from forks/bot branches
• Use squash merge strategy
• The base branch is master (not main) for this repo

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: fix security vaul

Assistant: It looks like your message got cut off. Could you please provide more details about what you'd like to do?

Based on what I can see, it seems like you might want to:

• Fix a security vulnerability in a repository related to a "vault" component
• Create an issue or PR related to a security fix

Could you clarify:

1. What repository are you working with? (in owner/repo format)
2. What specific security issue are you looking to fix?
3. What action would you like me to take? (e.g., create an issue, open a PR, search for vulnerabilities, etc.)

User: can you go through all of the issues and pr for trustsignal-dev and resolve what you. can and what you can t resollvelet me know what tod

Assistant:

Let me start by finding the repository and then go through all the issues and PRs.

Assistant: Now let me fetch all open issues and PRs from the repos that have them (TrustSignal has 15, v0-signal-new has 3, TrustSignal-App has 2):

Assistant: Here's a full audit of all 20 open PRs across the 3 active repos in the TrustSignal-dev org. I've categorized each by what I can resolve vs. what needs your manual action.

---

📊 Full Inventory

Repo 1: TrustSignal-dev/TrustSignal — 15 open PRs (all PRs, no standalone issues)

data:
- url: "https://github.com/TrustSignal-dev/TrustSignal/pull/92"
  repository: "TrustSignal-dev/TrustSignal"
  state: "open"
  draft: false
  title: "feat: add missing security workflows (dependency-review, trivy, zizmor)"
  number: 92
  created_at: "2026-03-28T00:00:00Z"
  closed_at: ""
  merged_at: ""
  labels: []
  author: "chrismaz11"
  comments: 1
- url: "https://github.com/TrustSignal-dev/TrustSignal/pull/91"
  repository: "TrustSignal-dev/TrustSignal"
  state: "open"
  draft: false
  title: "fix(api): verification engine modules, security hardening, new packages"
  number: 91
  created_at: "2026-03-28T00:00:00Z"
  closed_at: ""
  merged_at: ""
  labels: []
  author: "chrismaz11"
  comments: 1
- url: "https://github.com/TrustSignal-dev/TrustSignal/pull/90"
  repository: "TrustSignal-dev/TrustSignal"
  state: "open"
  draft: false
  title: "chore(deps): bump the npm_and_yarn group across 1 directory with 1 update"
  number: 90
  created_at: "2026-03-28T00:00:00Z"
  closed_at: ""
  merged_at: ""
  labels:
  - "dependen...

</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

*This pull request was created from Copilot chat.*
>

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
api	Ready	Preview, Comment	Mar 30, 2026 5:31pm
trustsignal	Ready	Preview, Comment	Mar 30, 2026 5:31pm