From 573d30a6fdb7ab1539c061685201dc51958324d9 Mon Sep 17 00:00:00 2001 From: DJ Date: Wed, 15 Apr 2026 18:41:53 -0700 Subject: [PATCH 1/2] feat(dependabot): auto-merge major GitHub Actions updates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit GitHub Actions are SHA-pinned and don't affect app runtime, so major version bumps carry minimal risk — CI catches any breaking interface changes before the merge completes. This eliminates the manual review bottleneck for Action updates while keeping major-update gating for app ecosystem dependencies. Co-Authored-By: Claude Opus 4.6 (1M context) --- .../workflows/dependabot-automerge-reusable.yml | 16 +++++++++------- .github/workflows/dependabot-automerge.yml | 16 +++++++++------- standards/dependabot-policy.md | 15 +++++++++------ 3 files changed, 27 insertions(+), 20 deletions(-) diff --git a/.github/workflows/dependabot-automerge-reusable.yml b/.github/workflows/dependabot-automerge-reusable.yml index cfdad43..93ab6df 100644 --- a/.github/workflows/dependabot-automerge-reusable.yml +++ b/.github/workflows/dependabot-automerge-reusable.yml @@ -4,10 +4,10 @@ # Standard: https://github.com/petry-projects/.github/blob/main/standards/dependabot-policy.md # # Auto-approves and enables auto-merge for Dependabot PRs that are: -# - GitHub Actions updates (patch or minor version bumps) +# - GitHub Actions updates (any version bump, including major) # - Security updates for any ecosystem (patch or minor) # - Indirect (transitive) dependency updates -# Major version updates are always left for human review. +# Major version updates for non-Actions ecosystems are left for human review. # Uses --auto so the merge waits for all required CI checks to pass. # # Safety model: application ecosystems use open-pull-requests-limit: 0 in 
@@ -52,17 +52,19 @@ jobs: DEP_TYPE="${{ steps.metadata.outputs.dependency-type }}" ECOSYSTEM="${{ steps.metadata.outputs.package-ecosystem }}" - # Must be patch, minor, or indirect - if [[ "$UPDATE_TYPE" != "version-update:semver-patch" && \ + # GitHub Actions are SHA-pinned and don't affect app runtime, + # so all version bumps (including major) are eligible. + # App ecosystem PRs can only exist as security updates (limit: 0) + # and must be patch/minor/indirect — major requires human review. + if [[ "$ECOSYSTEM" != "github-actions" && \ + "$UPDATE_TYPE" != "version-update:semver-patch" && \ "$UPDATE_TYPE" != "version-update:semver-minor" && \ "$DEP_TYPE" != "indirect" ]]; then echo "eligible=false" >> "$GITHUB_OUTPUT" - echo "Skipping: major update requires human review" + echo "Skipping: major update for $ECOSYSTEM requires human review" exit 0 fi - # GitHub Actions version updates are always eligible - # App ecosystem PRs can only exist as security updates (limit: 0) echo "eligible=true" >> "$GITHUB_OUTPUT" echo "Auto-merge eligible: ecosystem=$ECOSYSTEM update=$UPDATE_TYPE" diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml index a5373e0..491de69 100644 --- a/.github/workflows/dependabot-automerge.yml +++ b/.github/workflows/dependabot-automerge.yml @@ -7,10 +7,10 @@ # APP_PRIVATE_KEY — GitHub App private key # # Auto-approves and enables auto-merge for Dependabot PRs that are: -# - GitHub Actions updates (patch or minor version bumps) +# - GitHub Actions updates (any version bump, including major) # - Security updates for any ecosystem (patch or minor) # - Indirect (transitive) dependency updates -# Major version updates are always left for human review. +# Major version updates for non-Actions ecosystems are left for human review. # Uses --auto so the merge waits for all required CI checks to pass. # # Safety model: application ecosystems use open-pull-requests-limit: 0 in 
@@ -47,17 +47,19 @@ jobs: DEP_TYPE="${{ steps.metadata.outputs.dependency-type }}" ECOSYSTEM="${{ steps.metadata.outputs.package-ecosystem }}" - # Must be patch, minor, or indirect - if [[ "$UPDATE_TYPE" != "version-update:semver-patch" && \ + # GitHub Actions are SHA-pinned and don't affect app runtime, + # so all version bumps (including major) are eligible. + # App ecosystem PRs can only exist as security updates (limit: 0) + # and must be patch/minor/indirect — major requires human review. + if [[ "$ECOSYSTEM" != "github-actions" && \ + "$UPDATE_TYPE" != "version-update:semver-patch" && \ "$UPDATE_TYPE" != "version-update:semver-minor" && \ "$DEP_TYPE" != "indirect" ]]; then echo "eligible=false" >> "$GITHUB_OUTPUT" - echo "Skipping: major update requires human review" + echo "Skipping: major update for $ECOSYSTEM requires human review" exit 0 fi - # GitHub Actions version updates are always eligible - # App ecosystem PRs can only exist as security updates (limit: 0) echo "eligible=true" >> "$GITHUB_OUTPUT" echo "Auto-merge eligible: ecosystem=$ECOSYSTEM update=$UPDATE_TYPE" diff --git a/standards/dependabot-policy.md b/standards/dependabot-policy.md index 4a3be07..ede8be7 100644 --- a/standards/dependabot-policy.md +++ b/standards/dependabot-policy.md 
@@ -15,8 +15,10 @@ security posture than chasing every minor/patch release. 2. **Version updates weekly** for GitHub Actions, since pinned action versions do not affect application stability and staying current reduces CI attack surface. 3. **Labels** `security` and `dependencies` on every Dependabot PR for filtering and audit. -4. **Auto-merge** security patches and minor updates after all CI checks pass, using a - GitHub App token to satisfy branch protection (CODEOWNERS review bypass for bot PRs). +4. **Auto-merge** after all CI checks pass, using a GitHub App token to satisfy + branch protection (CODEOWNERS review bypass for bot PRs). Eligible updates: + - **GitHub Actions**: all version bumps including major (SHA-pinned, no runtime impact) + - **App ecosystems**: patch and minor security updates only (major requires human review) Uses `gh pr merge --auto` to wait for required checks before merging. 5. **Vulnerability audit CI check** runs on every PR and push to `main`, failing the build if any dependency has a known advisory. This is a required status check. 
@@ -142,10 +144,11 @@ See [`workflows/dependabot-automerge.yml`](workflows/dependabot-automerge.yml). Behavior: - Triggers on `pull_request_target` from `dependabot[bot]` -- Fetches Dependabot metadata to determine update type -- For **patch** and **minor** updates (and indirect dependency updates): - approves the PR and enables auto-merge (waits for all required CI checks) -- **Major** updates are left for human review +- Fetches Dependabot metadata to determine update type and ecosystem +- For **GitHub Actions**: approves and auto-merges all version bumps including + major, since actions are SHA-pinned and CI catches breaking interface changes +- For **app ecosystems**: approves **patch** and **minor** updates (and indirect + dependency updates); **major** updates are left for human review - Uses `gh pr merge --auto --squash` so the merge only happens after CI passes ## Update and Merge Behind PRs Workflow From 3069e055b95d20740fd65b0b8627d959714d01ef Mon Sep 17 00:00:00 2001 From: DJ Date: Wed, 15 Apr 2026 18:48:02 -0700 Subject: [PATCH 2/2] docs(dependabot-policy): add indirect dependencies to auto-merge summary Address review comment: the policy summary omitted that indirect (transitive) dependency updates are also auto-merge eligible regardless of version bump, which is consistent with the workflow logic and the Behavior section. Co-Authored-By: Claude Opus 4.6 (1M context) --- standards/dependabot-policy.md | 1 + 1 file changed, 1 insertion(+) diff --git a/standards/dependabot-policy.md b/standards/dependabot-policy.md index ede8be7..bae08ea 100644 --- a/standards/dependabot-policy.md +++ b/standards/dependabot-policy.md 
@@ -19,6 +19,7 @@ security posture than chasing every minor/patch release. branch protection (CODEOWNERS review bypass for bot PRs). Eligible updates: - **GitHub Actions**: all version bumps including major (SHA-pinned, no runtime impact) - **App ecosystems**: patch and minor security updates only (major requires human review) + - **Indirect (transitive) dependencies**: all updates regardless of version bump Uses `gh pr merge --auto` to wait for required checks before merging. 5. **Vulnerability audit CI check** runs on every PR and push to `main`, failing the build if any dependency has a known advisory. This is a required status check.
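Review bot: in the `.github/workflows/dependabot-automerge-reusable.yml` hunk at `@@ -52,17 +52,19 @@`, the new exemption hinges on the exact literal in `"$ECOSYSTEM" != "github-actions"`; if the value that `steps.metadata.outputs.package-ecosystem` actually emits for Actions PRs is spelled differently, every Actions PR silently falls into the restrictive branch and the feature never fires (fail-closed, but untested). Suggest confirming the literal against a real Actions PR and keeping the `Auto-merge eligible: ecosystem=$ECOSYSTEM` echo so the value is visible in run logs. Separately, once `$ECOSYSTEM` matches, the gate is skipped entirely, so a major bump of any third-party action is approved and merged with the App token that bypasses CODEOWNERS review; "SHA-pinned" guarantees the new pin is immutable, not that the new code is benign, and the "CI catches breaking interface changes" argument only holds for actions exercised by workflows that run on the PR itself. Consider scoping the exemption (for example to an allowlist of trusted publishers) or documenting that trade-off next to the condition.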
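Review bot: the `.github/workflows/dependabot-automerge.yml` hunk at `@@ -47,17 +47,19 @@` is a line-for-line copy of the change in `dependabot-automerge-reusable.yml`, including the same eligibility condition and the same comments. Two copies of the merge-gating logic will drift (this PR already had to patch both). Suggest having `dependabot-automerge.yml` call the reusable workflow via `uses:` so the policy lives in one place.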
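Review bot: in the `standards/dependabot-policy.md` hunk at `@@ -15,8 +15,10 @@`, the bullet `- **GitHub Actions**: all version bumps including major (SHA-pinned, no runtime impact)` overstates the case: an action has no application runtime impact, but it still executes in CI with the workflow's permissions and secrets. Suggest "no application runtime impact" so the policy does not read as if action bumps are risk-free.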
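Review bot: in the `standards/dependabot-policy.md` hunk at `@@ -142,10 +144,11 @@`, the line `- For **app ecosystems**: approves **patch** and **minor** updates (and indirect` could be read as limiting indirect updates to patch/minor, whereas the workflow's `"$DEP_TYPE" != "indirect"` clause makes indirect updates eligible at any bump level. Suggest stating that explicitly in the Behavior section so it matches the summary bullet added in PATCH 2/2.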