From 200fed3cdb236290a39f4c69e0d45a2b8289b663 Mon Sep 17 00:00:00 2001
From: Alejandro Bordallo <alex.bordallo@ed.ac.uk>
Date: Tue, 21 Apr 2026 12:20:57 +0100
Subject: [PATCH] Fix .github workflows and update frequency

 - Add dependabot for security and github action version updates
 - Remove pre-commit auto-approve and auto-merge steps
 - Change pre-commit update frequency to yearly instead of monthly
---
 .github/dependabot.yml                        | 23 +++++++++++++++++++
 .../workflows/reusable-update-pre-commit.yml  | 20 ----------------
 .github/workflows/update-pre-commit.yml       |  2 +-
 3 files changed, 24 insertions(+), 21 deletions(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..400aa6b
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,23 @@
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+
+multi-ecosystem-groups:
+  infrastructure:
+    schedule:
+      interval: "yearly"
+    commit-message:
+      prefix: ⬆
+    assignees:
+      - "GreatAlexander"
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    multi-ecosystem-group: "infrastructure"
+    patterns: ['*']
+  - package-ecosystem: "docker"
+    directory: "/"
+    multi-ecosystem-group: "infrastructure"
+    patterns: ['*']
diff --git a/.github/workflows/reusable-update-pre-commit.yml b/.github/workflows/reusable-update-pre-commit.yml
index eb49871..b8ebd9f 100644
--- a/.github/workflows/reusable-update-pre-commit.yml
+++ b/.github/workflows/reusable-update-pre-commit.yml
@@ -13,10 +13,6 @@ on:
         default: ''
         required: false
         type: string
-    secrets:
-      precommit-pr-token:
-        description: 'PAT from GreatAlexander for PR auto-approval'
-        required: true
 
 jobs:
   auto_update_and_create_pr:
@@ -93,19 +89,3 @@ jobs:
           delete-branch: true
           draft: false
           path: ${{ env.path }}
-
-      - name: Enable Pull Request Automerge
-        if: steps.cpr.outputs.pull-request-operation == 'created'
-        run: |
-          cd ${{ env.path }}
-          gh pr merge --squash --auto "${{ steps.cpr.outputs.pull-request-number }}"
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Auto approve
-        if: steps.cpr.outputs.pull-request-operation == 'created'
-        run: |
-          cd ${{ env.path }}
-          gh pr review --approve "${{ steps.cpr.outputs.pull-request-number }}"
-        env:
-          GH_TOKEN: ${{ secrets.precommit-pr-token }}
diff --git a/.github/workflows/update-pre-commit.yml b/.github/workflows/update-pre-commit.yml
index 1948cde..47a4bca 100644
--- a/.github/workflows/update-pre-commit.yml
+++ b/.github/workflows/update-pre-commit.yml
@@ -6,7 +6,7 @@ name: Auto Update pre-commit
 on:
   workflow_dispatch:
   schedule:
-    - cron: '0 0 2 * *'  # Runs at 00:00, on day 2 of the month
+    - cron: '0 0 2 12 *'  # Runs at 00:00, on day 2 of December (yearly)
 
 jobs:
   auto_update_and_create_pr: