Split Dependabot auto-merge logic by ecosystem

.github/workflows/dependabot-auto-merge.yml

@@ -12,7 +12,7 @@ permissions:
   pull-requests: write
 
 jobs:
-  enable-automerge:
+  enable-automerge-bundler:
     if: ${{ github.actor == 'dependabot[bot]' }}
     runs-on: ubuntu-latest
 
@@ -23,8 +23,73 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Enable auto-merge for rails_app or direct development patch/minor updates
-        if: ${{ (steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor') && (contains(github.event.pull_request.head.ref, '/rails_app/') || steps.metadata.outputs.dependency-type == 'direct:development') }}
+      - name: Enable auto-merge for bundler patch/minor updates (rails_app or direct development)
+        if: ${{ steps.metadata.outputs.package-ecosystem == 'bundler' && (steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor') && (contains(github.event.pull_request.head.ref, '/rails_app/') || steps.metadata.outputs.dependency-type == 'direct:development') }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: gh pr merge --repo "$GITHUB_REPOSITORY" --auto --merge "$PR_NUMBER"
+
+  enable-automerge-github-actions:
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Fetch Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Validate GitHub Actions update safety
+        id: guard
+        if: ${{ steps.metadata.outputs.package-ecosystem == 'github-actions' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
+          DEPENDENCY_NAME: ${{ steps.metadata.outputs.dependency-name }}
+          DEPENDENCY_NAMES: ${{ steps.metadata.outputs.dependency-names }}
+        run: |
+          set -euo pipefail
+
+          safe=true
+
+          if [[ "$UPDATE_TYPE" != "version-update:semver-patch" && "$UPDATE_TYPE" != "version-update:semver-minor" ]]; then
+            echo "Skip auto-merge: update type is not patch/minor ($UPDATE_TYPE)."
+            safe=false
+          fi
+
+          deps="$DEPENDENCY_NAMES"
+          if [[ -z "$deps" ]]; then
+            deps="$DEPENDENCY_NAME"
+          fi
+
+          if [[ -z "$deps" ]]; then
+            echo "Skip auto-merge: dependency name is missing."
+            safe=false
+          else
+            while IFS= read -r dep; do
+              dep="$(echo "$dep" | xargs)"
+              [[ -z "$dep" ]] && continue
+
+              if [[ ! "$dep" =~ ^actions/ && ! "$dep" =~ ^github/ ]]; then
+                echo "Skip auto-merge: non-GitHub official action detected ($dep)."
+                safe=false
+              fi
+            done < <(echo "$deps" | tr ',' '\n')
+          fi
+
+          files_json="$(gh api -H "Accept: application/vnd.github+json" "/repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/files?per_page=100")"
+          if echo "$files_json" | jq -r '.[] | select((.patch // "") | test("(?m)^[+-]\\s*(permissions|pull_request_target)\\s*:")) | .filename' | grep -q .; then
+            echo "Skip auto-merge: permissions or pull_request_target changes were detected."
+            safe=false
+          fi
+
+          echo "safe=$safe" >> "$GITHUB_OUTPUT"
+
+      - name: Enable auto-merge for safe GitHub Actions patch/minor updates
+        if: ${{ steps.metadata.outputs.package-ecosystem == 'github-actions' && steps.guard.outputs.safe == 'true' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_NUMBER: ${{ github.event.pull_request.number }}

docs/runbooks/dependabot_pr_auto_merge.md

@@ -21,6 +21,15 @@ git pull --ff-only origin master
 sed -n '1,260p' AGENTS.md
 ```
 
+## Auto-merge workflow policy
+- Keep `package-ecosystem` decisions separated in `.github/workflows/dependabot-auto-merge.yml`.
+- Apply independent conditions for each ecosystem to avoid cross-ecosystem condition mixing.
+- For `github-actions` ecosystem auto-merge, require all of the following:
+  - GitHub official actions only (`actions/*` or `github/*`)
+  - non-major updates only (patch/minor)
+  - no changes related to `permissions` or `pull_request_target`
+- CI pass/fail gating is controlled by branch protection and required checks on GitHub.
+
 ## Step-by-step
 1. Open PR metadata and changed files.