
chore: add Dependabot with auto-merge via GitHub App #3

Merged
dependabot-automerge-petry[bot] merged 3 commits into main from chore/dependabot-automerge
Mar 23, 2026

Conversation

@don-petry
Contributor

Summary

  • Add Dependabot configuration for weekly dependency updates
  • Add auto-merge workflow using org-wide GitHub App (dependabot-automerge-petry)
  • Patch and minor updates are automatically approved and merged

Setup

Secrets APP_ID and APP_PRIVATE_KEY have been configured on this repo.

🤖 Generated with Claude Code

Copilot AI review requested due to automatic review settings March 23, 2026 19:31

Copilot AI left a comment


Pull request overview

Adds Dependabot dependency update automation and a GitHub Actions workflow intended to auto-approve/merge safe Dependabot PRs using a GitHub App token.

Changes:

  • Added .github/dependabot.yml to enable weekly Dependabot update PRs.
  • Added .github/workflows/dependabot-automerge.yml to approve and merge certain Dependabot PRs via GitHub App authentication.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

Reviewed files:

  • .github/workflows/dependabot-automerge.yml: Adds an auto-approve/merge workflow for Dependabot PRs using fetch-metadata, a GitHub App token, and the gh CLI.
  • .github/dependabot.yml: Configures weekly Dependabot updates for pip and github-actions.


Comment on lines +3 to +6
on:
pull_request_target:
branches:
- main
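Review bot: The trigger in these lines is already `pull_request_target`, so the secrets-availability concern raised in the comment below only applies if the event were `pull_request`; what matters with `pull_request_target` is the opposite risk: the job runs in the base-branch context with repository secrets, so it must be gated on `github.event.pull_request.user.login == 'dependabot[bot]'` at the job level and must never check out or execute code from the PR head ref. Please confirm that gate is present in the job definition, since it is not part of the lines shown here.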

Copilot AI Mar 23, 2026


This workflow runs on pull_request, but Dependabot-triggered workflows do not receive repository secrets (and often get a read-only token). As a result, the APP_ID / APP_PRIVATE_KEY-based GitHub App token generation will fail and the job won’t be able to approve/merge. Switch the trigger to pull_request_target (still gated by github.event.pull_request.user.login == 'dependabot[bot]') so secrets and write permissions are available without checking out PR code.

if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.dependency-type == 'indirect'
run: |
gh pr review --approve "$PR_URL"
gh pr merge --squash --admin "$PR_URL"
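Review bot: The three-way `if:` condition on this step is the same expression repeated on the `Generate app token` step; hoisting it to a single job-level `if:` (or computing one boolean from the fetch-metadata outputs) keeps the two copies from drifting when the policy is tightened, for example if the `dependency-type == 'indirect'` branch is removed. The `$PR_URL` value and the token `gh` authenticates with are not visible in this hunk; the approve and merge calls should run with the token produced by the `app-token` step, not the default `GITHUB_TOKEN`, otherwise the app's write permissions are never actually used.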

Copilot AI Mar 23, 2026


gh pr merge --squash --admin will bypass branch protections and can merge without required checks, which is risky for automated dependency updates. Prefer enabling GitHub auto-merge (gh pr merge --squash --auto ...) and avoid --admin so merges only occur after required checks/policies pass.

Suggested change
gh pr merge --squash --admin "$PR_URL"
gh pr merge --squash --auto "$PR_URL"

Comment on lines +23 to +32
- name: Generate app token
if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.dependency-type == 'indirect'
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}

- name: Approve and auto-merge
if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.dependency-type == 'indirect'
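Review bot: `actions/create-github-app-token@v1` is referenced by a mutable major tag; because this step receives `APP_PRIVATE_KEY` and the token it mints is then used to approve and merge, pin it to a full commit SHA (with the version tag in a trailing comment) so a retagged or compromised release cannot read the key. If the action version in use supports inputs that scope the installation token to this repository, set them too, since the default token carries the app's full installation scope.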

Copilot AI Mar 23, 2026


The merge/approve condition also allows any update where dependency-type == 'indirect', which can include semver-major updates. If the intent is strictly “patch and minor updates are automatically approved and merged” (per PR description), tighten this condition (or update the description) so indirect major updates aren’t auto-merged unintentionally.

Comment thread .github/dependabot.yml
Comment on lines +3 to +8
- package-ecosystem: 'pip'
directory: '/'
schedule:
interval: 'weekly'
open-pull-requests-limit: 10


Copilot AI Mar 23, 2026


Dependabot is configured for the pip ecosystem at /, but the repository doesn’t appear to contain a supported pip manifest in the root (e.g., requirements.txt, pyproject.toml, Pipfile). This will cause Dependabot run errors/no-op updates; either remove the pip entry or point it at the directory that actually contains the Python dependency manifest.

Suggested change
- package-ecosystem: 'pip'
directory: '/'
schedule:
interval: 'weekly'
open-pull-requests-limit: 10

dependabot-automerge-petry[bot] merged commit d0f878d into main Mar 23, 2026
2 checks passed
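A consolidated form of the workflow that applies the review points above (job gated on the Dependabot actor, no PR code checked out, `--auto` instead of `--admin`, condition limited to patch and minor updates), written here as an added illustration rather than the PR's own file. The `dependabot/fetch-metadata@v2` tag, the `GH_TOKEN`/`PR_URL` environment wiring and the step ids are assumptions.

```yaml
name: Dependabot auto-merge

# pull_request_target runs in the base-branch context with secrets available,
# so the job below is gated on the Dependabot actor and never checks out PR code.
on:
  pull_request_target:
    branches: [main]

permissions:
  contents: write
  pull-requests: write

jobs:
  automerge:
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2   # assumed tag; pin to a commit SHA in production
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Only patch and minor updates qualify; the 'indirect' branch from the
      # original condition is dropped so indirect major bumps are not auto-merged.
      - name: Generate app token
        if: >-
          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
          steps.metadata.outputs.update-type == 'version-update:semver-minor'
        id: app-token
        uses: actions/create-github-app-token@v1   # pin to a commit SHA in production
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      # --auto enables GitHub auto-merge, so the merge waits for required checks
      # and branch protection instead of bypassing them with --admin.
      - name: Approve and enable auto-merge
        if: steps.app-token.outcome == 'success'
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}   # app token, not GITHUB_TOKEN
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          gh pr review --approve "$PR_URL"
          gh pr merge --squash --auto "$PR_URL"
```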