From b54ab911f88dce844f05a700a063aaf3dad5aa5a Mon Sep 17 00:00:00 2001
From: FBumann <117816358+FBumann@users.noreply.github.com>
Date: Tue, 24 Mar 2026 15:22:29 +0100
Subject: [PATCH] ci: auto-approve and auto-merge patch dependabot PRs
GITHUB_TOKEN can't approve its own PRs when reviews are required. Only auto-merge patch updates, not minor.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
.github/workflows/dependabot-auto-merge.yml | 37 +++++++++++++++------
1 file changed, 26 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 3a701d5..89a1a13 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -1,24 +1,39 @@ name: Dependabot auto-merge -on: pull_request + +on: + pull_request: permissions: contents: write pull-requests: write jobs: - dependabot: - runs-on: ubuntu-latest + auto-merge: + name: Auto-merge patch if: github.actor == 'dependabot[bot]' + runs-on: ubuntu-24.04 steps: - - name: Dependabot metadata + - uses: dependabot/fetch-metadata@v2 id: metadata - uses: dependabot/fetch-metadata@v2 + + - name: Generate app token + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' + id: app-token + uses: actions/create-github-app-token@v2 with: - github-token: "${{ secrets.GITHUB_TOKEN }}" + app-id: ${{ secrets.APP_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} + + - name: Approve PR + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' + run: gh pr review "$PR" --approve + env: + PR: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ steps.app-token.outputs.token }} - - name: Auto-merge minor and patch updates - if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' - run: gh pr merge --auto --squash "$PR_URL" + - name: Enable auto-merge + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' + run: gh pr merge "$PR" --auto --squash env: - PR_URL: ${{ github.event.pull_request.html_url }} - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ github.token }}
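Review bot: The job guard `if: github.actor == 'dependabot[bot]'` now gates steps that mint a GitHub App token and approve the PR, but `github.actor` names whoever triggered the latest event on the pull request rather than who opened it; `if: github.event.pull_request.user.login == 'dependabot[bot]'` ties the check to the PR author instead. The "Generate app token" step passes `secrets.APP_PRIVATE_KEY` to `actions/create-github-app-token@v2`, a mutable tag, so pinning it (and `dependabot/fetch-metadata@v2`) to a full commit SHA, e.g. `uses: actions/create-github-app-token@<full-commit-sha>  # v2`, keeps a retagged release from ever seeing the key. Unless narrowed, the generated token carries every permission the installation has; since it is only used for `gh pr review --approve`, adding `permission-pull-requests: write` under `with:` would limit it to that. Because the workflow now supplies the approving review itself, required status checks on the target branch are the only remaining gate before `gh pr merge --auto` completes, so a comment at the top of the file stating that dependency would help the next maintainer. On Dependabot-triggered `pull_request` runs, `APP_ID` and `APP_PRIVATE_KEY` are read from the Dependabot secret store rather than the Actions one, which is worth noting beside the `with:` block.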