From 2bf0f68f978446058465d801fef467098e8ab071 Mon Sep 17 00:00:00 2001
From: ryz310
Date: Thu, 5 Mar 2026 12:49:58 +0900
Subject: [PATCH 1/2] Split dependabot auto-merge by ecosystem and tighten actions checks

---
 .github/workflows/dependabot-auto-merge.yml | 71 ++++++++++++++++++++-
 1 file changed, 68 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 835bbab4..e9aace12 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -12,7 +12,7 @@ permissions:
   pull-requests: write
 
 jobs:
-  enable-automerge:
+  enable-automerge-bundler:
     if: ${{ github.actor == 'dependabot[bot]' }}
     runs-on: ubuntu-latest
 
@@ -23,8 +23,73 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Enable auto-merge for rails_app or direct development patch/minor updates
-        if: ${{ (steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor') && (contains(github.event.pull_request.head.ref, '/rails_app/') || steps.metadata.outputs.dependency-type == 'direct:development') }}
+      - name: Enable auto-merge for bundler patch/minor updates (rails_app or direct development)
+        if: ${{ steps.metadata.outputs.package-ecosystem == 'bundler' && (steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor') && (contains(github.event.pull_request.head.ref, '/rails_app/') || steps.metadata.outputs.dependency-type == 'direct:development') }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: gh pr merge --repo "$GITHUB_REPOSITORY" --auto --merge "$PR_NUMBER"
+
+  enable-automerge-github-actions:
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Fetch Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Validate GitHub Actions update safety
+        id: guard
+        if: ${{ steps.metadata.outputs.package-ecosystem == 'github-actions' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
+          DEPENDENCY_NAME: ${{ steps.metadata.outputs.dependency-name }}
+          DEPENDENCY_NAMES: ${{ steps.metadata.outputs.dependency-names }}
+        run: |
+          set -euo pipefail
+
+          safe=true
+
+          if [[ "$UPDATE_TYPE" != "version-update:semver-patch" && "$UPDATE_TYPE" != "version-update:semver-minor" ]]; then
+            echo "Skip auto-merge: update type is not patch/minor ($UPDATE_TYPE)."
+            safe=false
+          fi
+
+          deps="$DEPENDENCY_NAMES"
+          if [[ -z "$deps" ]]; then
+            deps="$DEPENDENCY_NAME"
+          fi
+
+          if [[ -z "$deps" ]]; then
+            echo "Skip auto-merge: dependency name is missing."
+            safe=false
+          else
+            while IFS= read -r dep; do
+              dep="$(echo "$dep" | xargs)"
+              [[ -z "$dep" ]] && continue
+
+              if [[ ! "$dep" =~ ^actions/ && ! "$dep" =~ ^github/ ]]; then
+                echo "Skip auto-merge: non-GitHub official action detected ($dep)."
+                safe=false
+              fi
+            done < <(echo "$deps" | tr ',' '\n')
+          fi
+
+          files_json="$(gh api -H "Accept: application/vnd.github+json" "/repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/files?per_page=100")"
+          if echo "$files_json" | jq -r '.[] | select((.patch // "") | test("(?m)^[+-]\\s*(permissions|pull_request_target)\\s*:")) | .filename' | grep -q .; then
+            echo "Skip auto-merge: permissions or pull_request_target changes were detected."
+            safe=false
+          fi
+
+          echo "safe=$safe" >> "$GITHUB_OUTPUT"
+
+      - name: Enable auto-merge for safe GitHub Actions patch/minor updates
+        if: ${{ steps.metadata.outputs.package-ecosystem == 'github-actions' && steps.guard.outputs.safe == 'true' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_NUMBER: ${{ github.event.pull_request.number }}

From 082b32738cda9641ba7fa508727601147b2a3766 Mon Sep 17 00:00:00 2001
From: ryz310
Date: Thu, 5 Mar 2026 12:54:13 +0900
Subject: [PATCH 2/2] Document Dependabot auto-merge policy in runbook

---
 docs/runbooks/dependabot_pr_auto_merge.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/docs/runbooks/dependabot_pr_auto_merge.md b/docs/runbooks/dependabot_pr_auto_merge.md
index 497d4390..bdb629fe 100644
--- a/docs/runbooks/dependabot_pr_auto_merge.md
+++ b/docs/runbooks/dependabot_pr_auto_merge.md
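Review bot: The last check in the guard step's `run:` block, `test("(?m)^[+-]\\s*(permissions|pull_request_target)\\s*:")`, only matches a changed line that is the block header itself, so a diff that rewrites a scope under an existing `permissions:` block (for example `contents: write`) or any other non-`uses:` edit passes it, and because the files API omits `.patch` for oversized or binary files and the request is not paginated, a file without a patch or beyond the first 100 is never examined at all. A github-actions Dependabot PR should only ever change `uses:` lines, so inverting the rule into an allowlist is both simpler and tighter: treat the PR as unsafe unless every `+`/`-` line of every file is a `uses:` reference to `actions/` or `github/`, treat a missing `.patch` as unsafe, and fetch with `gh api --paginate`. Capturing jq's output in a variable instead of piping into `grep -q .` also avoids the `pipefail`/early-exit interplay in which a failed pipeline makes the `if` skip setting the flag, and lets `set -e` fail the step (fail closed) if `jq` itself errors. The workflow's `on:` trigger and the final step's `run:` line lie outside the hunk, so whether this job runs under `pull_request_target` cannot be confirmed from here.
```yaml
        run: |
          # … unchanged: set -euo pipefail, update-type and dependency-name checks …

          # Allowlist instead of denylist: a github-actions bump may only touch `uses:` lines that
          # reference actions/ or github/. A file with no patch (oversized/binary) counts as unsafe.
          files_json="$(gh api --paginate -H "Accept: application/vnd.github+json" "/repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/files?per_page=100")"
          unsafe_files="$(echo "$files_json" | jq -r '.[] | select(.patch == null or ((.patch | split("\n") | map(select(test("^[+-]"))) | all(test("^[+-]\\s*(-\\s+)?uses:\\s*(actions|github)/"))) | not)) | .filename')"
          if [[ -n "$unsafe_files" ]]; then
            echo "Skip auto-merge: a changed line is not a uses: reference to an actions/ or github/ action: $unsafe_files"
            safe=false
          fi

          # … unchanged: echo "safe=$safe" >> "$GITHUB_OUTPUT" …
```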
@@ -21,6 +21,15 @@ git pull --ff-only origin master sed -n '1,260p' AGENTS.md ``` +## Auto-merge workflow policy +- Keep `package-ecosystem` decisions separated in `.github/workflows/dependabot-auto-merge.yml`. +- Apply independent conditions for each ecosystem to avoid cross-ecosystem condition mixing. +- For `github-actions` ecosystem auto-merge, require all of the following: + - GitHub official actions only (`actions/*` or `github/*`) + - non-major updates only (patch/minor) + - no changes related to `permissions` or `pull_request_target` +- CI pass/fail gating is controlled by branch protection and required checks on GitHub. + ## Step-by-step 1. Open PR metadata and changed files.