
Add Dependabot auto-merge workflow #19

Merged
chrismaz11 merged 2 commits into main from copilot/add-dependabot-auto-merge-workflow
Apr 3, 2026

Conversation

Contributor

Copilot AI commented Apr 1, 2026

Dependabot patch/minor PRs were piling up waiting for manual approval. This adds a GitHub Actions workflow to auto-approve and squash-merge safe dependency bumps.

Changes

  • .github/workflows/dependabot-auto-merge.yml — new workflow that:
    • Triggers on pull_request_target (required for bot-authored PRs)
    • Guards on github.actor == 'dependabot[bot]'
    • Uses dependabot/fetch-metadata@v2 to detect semver update type
    • Auto-approves + enables squash auto-merge for semver-patch and semver-minor
    • Takes no action on semver-major — those remain in the manual review queue

Note: Requires "Allow auto-merge" to be enabled in repo settings (Settings → General → Pull Requests).

Original prompt

Problem

The TrustSignal-App repo needs a Dependabot auto-merge workflow so that safe patch/minor dependency bumps don't pile up waiting for manual approval. This is the same workflow being added to the main TrustSignal repo.

Solution

Create a new GitHub Actions workflow at .github/workflows/dependabot-auto-merge.yml that:

  1. Triggers on pull_request_target events
  2. Only runs when the PR author is dependabot[bot]
  3. Fetches Dependabot metadata using dependabot/fetch-metadata@v2 to determine the update type
  4. Auto-approves the PR using gh pr review --approve for patch and minor version updates
  5. Enables auto-merge using gh pr merge --auto --squash for patch and minor updates
  6. For major version bumps, it should NOT auto-approve or auto-merge (those need human review)

Workflow file: .github/workflows/dependabot-auto-merge.yml

name: Dependabot auto-merge
on: pull_request_target

permissions:
  contents: write
  pull-requests: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

      - name: Auto-approve patch and minor updates
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Enable auto-merge for patch and minor updates
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Requirements

  • The workflow should be placed at .github/workflows/dependabot-auto-merge.yml
  • Only auto-approve and auto-merge for semver-patch and semver-minor updates
  • Major version bumps should be left for human review
  • Use pull_request_target (not pull_request) since Dependabot PRs come from forks/bot branches
  • Use squash merge strategy
  • The base branch is main for this repo

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: fix security vaul

Assistant: It looks like your message got cut off. Could you please provide more details about what you'd like to do?

Based on what I can see, it seems like you might want to:

  • Fix a security vulnerability in a repository related to a "vault" component
  • Create an issue or PR related to a security fix

Could you clarify:

  1. What repository are you working with? (in owner/repo format)
  2. What specific security issue are you looking to fix?
  3. What action would you like me to take? (e.g., create an issue, open a PR, search for vulnerabilities, etc.)

User: can you go through all of the issues and PRs for trustsignal-dev and resolve what you can, and for what you can't resolve let me know what to do

Assistant: Let me start by finding the repository and then go through all the issues and PRs.

Assistant: Now let me fetch all open issues and PRs from the repos that have them (TrustSignal has 15, v0-signal-new has 3, TrustSignal-App has 2):

Assistant: Here's a full audit of all 20 open PRs across the 3 active repos in the TrustSignal-dev org. I've categorized each by what I can resolve vs. what needs your manual action.


📊 Full Inventory

Repo 1: TrustSignal-dev/TrustSignal — 15 open PRs (all PRs, no standalone issues)

data:
- url: "https://github.com/TrustSignal-dev/TrustSignal/pull/92"
  repository: "TrustSignal-dev/TrustSignal"
  state: "open"
  draft: false
  title: "feat: add missing security workflows (dependency-review, trivy, zizmor)"
  number: 92
  created_at: "2026-03-28T00:00:00Z"
  closed_at: ""
  merged_at: ""
  labels: []
  author: "chrismaz11"
  comments: 1
- url: "https://github.com/TrustSignal-dev/TrustSignal/pull/91"
  repository: "TrustSignal-dev/TrustSignal"
  state: "open"
  draft: false
  title: "fix(api): verification engine modules, security hardening, new packages"
  number: 91
  created_at: "2026-03-28T00:00:00Z"
  closed_at: ""
  merged_at: ""
  labels: []
  author: "chrismaz11"
  comments: 1
- url: "https://github.com/TrustSignal-dev/TrustSignal/pull/90"
  repository: "TrustSignal-dev/TrustSignal"
  state: "open"
  draft: false
  title: "chore(deps): bump the npm_and_yarn group across 1 directory with 1 update"
  number: 90
  created_at: "2026-03-28T00:00:00Z"
  closed_at: ""
  merged_at: ""
  labels:
  - "dependencies"
  - "security"
  author: "dependabot[bot]"
  comments: 1
- url: "https://github.com/Tru...


*This pull request was created from Copilot chat.*

Agent-Logs-Url: https://github.com/TrustSignal-dev/TrustSignal-App/sessions/82e9c092-b014-4e30-9efd-0541e8888fef

Co-authored-by: chrismaz11 <24700273+chrismaz11@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add Dependabot auto-merge workflow" to "Add Dependabot auto-merge workflow" Apr 1, 2026
Copilot AI requested a review from chrismaz11 April 1, 2026 19:21
@chrismaz11 chrismaz11 requested a review from Copilot April 2, 2026 00:05
@chrismaz11 chrismaz11 marked this pull request as ready for review April 2, 2026 00:05
@chrismaz11 chrismaz11 review requested due to automatic review settings April 2, 2026 00:05

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ee279a8f15

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'

P2: Check PR author instead of event actor

Use the pull request author field here (github.event.pull_request.user.login) rather than github.actor. On pull_request_target, github.actor is the user that triggered the current event, so a Dependabot PR reopened or synchronized by a maintainer/bot will skip this job even though the PR is still authored by Dependabot, which breaks the intended auto-approve/auto-merge behavior for eligible dependency updates.

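The review point above, and the gating described in the Solution steps of the original prompt, can be seen concretely by modelling the workflow's two decisions as plain functions and running them over constructed event payloads. This is an added example, not code from the PR or the TrustSignal-App repo; `Event`, `decide`, `compare_gates`, the sample events and the `maintainer-placeholder` / `contributor-placeholder` logins are all assumptions made for the illustration. It compares the merged `github.actor` gate with the `github.event.pull_request.user.login` gate the Codex review recommends, alongside the patch/minor-only check from `dependabot/fetch-metadata`.

```python
"""Model of the Dependabot auto-merge workflow's gating decisions.

Added example (hypothetical names), not the project's workflow. It reproduces
the two checks the workflow makes -- "is this a Dependabot PR?" and "is the
bump patch or minor?" -- so the behavioural difference between gating on the
event actor and gating on the PR author shows up on constructed events.
"""
from dataclasses import dataclass

DEPENDABOT = "dependabot[bot]"
# update-type values emitted by dependabot/fetch-metadata that the workflow treats as safe
SAFE_UPDATE_TYPES = {"version-update:semver-patch", "version-update:semver-minor"}


@dataclass(frozen=True)
class Event:
    """Subset of a pull_request_target payload relevant to the workflow (constructed)."""
    action: str       # opened / synchronize / reopened
    actor: str        # github.actor: the account that triggered this particular event
    pr_author: str    # github.event.pull_request.user.login: who opened the PR
    update_type: str  # steps.metadata.outputs.update-type from fetch-metadata


def actor_gate(ev: Event) -> bool:
    """The merged workflow's job-level condition: github.actor == 'dependabot[bot]'."""
    return ev.actor == DEPENDABOT


def author_gate(ev: Event) -> bool:
    """The review's suggested condition: github.event.pull_request.user.login == 'dependabot[bot]'."""
    return ev.pr_author == DEPENDABOT


def bump_is_safe(ev: Event) -> bool:
    """Step-level condition shared by the approve and auto-merge steps."""
    return ev.update_type in SAFE_UPDATE_TYPES


def decide(ev: Event, gate) -> tuple:
    """Return the actions the workflow would take for this event.

    () when the job is skipped or the bump is major (left for human review);
    ("approve", "auto-merge") when both the gate and the semver check pass.
    """
    if not gate(ev):
        return ()
    if not bump_is_safe(ev):
        return ()
    return ("approve", "auto-merge")


# Constructed sample events (not real PR data).
SAMPLE_EVENTS = {
    # Dependabot opens a patch bump: both gates run the job, bump is safe.
    "dependabot-opened-patch": Event("opened", DEPENDABOT, DEPENDABOT,
                                     "version-update:semver-patch"),
    # Dependabot opens a major bump: job runs, but no approve/merge.
    "dependabot-major": Event("opened", DEPENDABOT, DEPENDABOT,
                              "version-update:semver-major"),
    # A maintainer pushes to / reopens a Dependabot PR: the actor is now the
    # maintainer, the PR author is still Dependabot. This is the case the
    # review flags: the actor gate skips it, the author gate does not.
    "maintainer-synced-dependabot-minor": Event("synchronize", "maintainer-placeholder",
                                                DEPENDABOT, "version-update:semver-minor"),
    # A human-authored PR. update_type is set to "patch" here only to show
    # that the author gate alone blocks it; on a real non-Dependabot PR
    # fetch-metadata would not produce this output.
    "human-pr-patch": Event("opened", "contributor-placeholder", "contributor-placeholder",
                            "version-update:semver-patch"),
}


def compare_gates(events=SAMPLE_EVENTS) -> dict:
    """Map each sample event to the actions taken under each gate."""
    return {
        name: {
            "actor_gate": decide(ev, actor_gate),
            "author_gate": decide(ev, author_gate),
        }
        for name, ev in events.items()
    }


if __name__ == "__main__":
    for name, outcome in compare_gates().items():
        print(f"{name:36s} actor_gate={outcome['actor_gate']!s:24s} author_gate={outcome['author_gate']}")
```

The only row where the two gates disagree is the maintainer-synchronized Dependabot PR: with `github.actor` the job is skipped and the eligible bump sits in the queue, which is the breakage the review describes. Neither gate reads anything from the PR's own content, and the merged workflow has no checkout step, so the `pull_request_target` trigger with a write-scoped `GITHUB_TOKEN` never executes code from the incoming branch; that property is what makes the elevated permissions acceptable here and is worth preserving in any later edit to the workflow.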

@chrismaz11 chrismaz11 merged commit f75b112 into main Apr 3, 2026
9 of 10 checks passed
@chrismaz11 chrismaz11 deleted the copilot/add-dependabot-auto-merge-workflow branch April 3, 2026 14:07