ci: add Dependabot with auto-merge for patch/minor updates #34

Merged
StuMason merged 1 commit into main from feature/delete-endpoints on Jan 5, 2026
Conversation

StuMason (Owner) commented Jan 5, 2026

  • Daily npm dependency scanning at 6am UK time
  • Weekly GitHub Actions updates on Mondays
  • Auto-merge patch and minor updates after CI passes
  • Major updates require manual review with checklist comment
  • Groups minor/patch updates to reduce PR noise

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
claude bot commented Jan 5, 2026

PR Review: Dependabot with Auto-Merge Configuration

Thanks for setting up automated dependency management. This is a solid approach for keeping the project secure and up-to-date. Here's my feedback:

✅ What Looks Good

  1. Security-conscious defaults: Auto-merging only patch/minor updates while requiring manual review for majors is a sensible policy
  2. Grouped updates: Grouping minor/patch updates reduces PR noise - good choice
  3. Timezone consistency: Using Europe/London timezone keeps scheduling predictable
  4. Proper permissions: The workflow has minimal, appropriate permissions (contents + pull-requests)
  5. CI integration: The auto-merge relies on CI passing, which aligns with existing CI workflow

🔍 Suggestions for Improvement

1. Wait for CI before auto-merging

The current workflow triggers on pull_request events and immediately calls gh pr merge --auto. While --auto waits for required status checks, consider adding an explicit wait for CI or using pull_request_target with appropriate guards:

# Option: Add a needs dependency on a CI check job
# Or ensure branch protection requires CI to pass before merge

The current setup should work if branch protection rules require CI to pass, but it's worth verifying that's configured.

2. Consider adding security-versions-only for certain packages

For security-sensitive dependencies, you might want to only auto-merge security updates:

ignore:
  - dependency-name: "*"
    update-types: ["version-update:semver-major"]

3. Branch name mismatch

The PR is from branch feature/delete-endpoints but contains Dependabot configuration. Consider renaming the branch or clarifying if this was intended to be part of a larger feature branch.

4. Consider adding ecosystem-specific ignores

If there are packages you never want auto-updated (e.g., packages with known breaking changes in minors), you can add:

ignore:
  - dependency-name: "some-problematic-package"

🔐 Security Considerations

  1. Auto-merge is only for Dependabot: The if: github.actor == 'dependabot[bot]' check is correct - this prevents other actors from exploiting the auto-merge
  2. GITHUB_TOKEN permissions: Using the default GITHUB_TOKEN is appropriate; avoid using PATs for auto-merge workflows

📋 Minor Nits

  1. The open-pull-requests-limit: 10 is reasonable; you might lower this if you find PR noise is still high
  2. The checklist in the major update comment is helpful for reviewers

Verdict

Approve with minor suggestions. The implementation follows best practices and should work well with the existing CI setup. The suggestions above are optional enhancements rather than blockers.


🤖 Reviewed by Claude Code
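
The PR's own dependabot.yml and workflow file are not shown on this page. The following is an added example, not the project's code, of the two files that implement the policy described in the PR description (daily npm scan at 06:00 Europe/London, weekly Actions updates on Mondays, grouped minor/patch bumps, auto-merge for patch/minor, a checklist comment on majors). It also tightens the `github.actor` gate the review above calls out: `github.actor` is whoever pushed the most recent commit, so the example additionally requires the PR author to be Dependabot and gates the merge on the update type reported by `dependabot/fetch-metadata` rather than on the actor alone. The group name, the checklist text, the squash strategy and the `open-pull-requests-limit` value are assumptions.

```yaml
# .github/dependabot.yml (added example; schedule and limit values are assumptions)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
      time: "06:00"
      timezone: "Europe/London"
    open-pull-requests-limit: 10
    # Roll all patch and minor bumps into one PR so the auto-merge path
    # handles a single grouped update; majors stay as individual PRs.
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/London"
---
# .github/workflows/dependabot-auto-merge.yml (added example)
name: Dependabot auto-merge
on: pull_request

# Dependabot-triggered runs get a read-only GITHUB_TOKEN unless the workflow
# raises it; these two scopes are what enabling auto-merge and commenting need.
permissions:
  contents: write
  pull-requests: write

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    # github.actor is the pusher of the latest commit, so a collaborator pushing
    # to a Dependabot branch would satisfy it on its own. Also require that the
    # PR itself was opened by Dependabot.
    if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Only patch and minor updates are auto-merged. --auto defers the merge
      # until every required status check on the base branch has passed.
      - name: Enable auto-merge for patch and minor updates
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Majors are never merged automatically; leave a reviewer checklist instead.
      - name: Request manual review for major updates
        if: steps.metadata.outputs.update-type == 'version-update:semver-major'
        run: |
          cat > "$RUNNER_TEMP/review.md" <<'EOF'
          Major version update: manual review required before merging.
          - [ ] Read the release notes / migration guide for the new major
          - [ ] Check for removed or renamed APIs used in this repository
          - [ ] Run the full test suite locally
          EOF
          gh pr comment "$PR_URL" --body-file "$RUNNER_TEMP/review.md"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Two checks before relying on this: the repository must have "Allow auto-merge" enabled in its settings, or `gh pr merge --auto` fails; and the base branch needs a protection rule (or ruleset) that lists the CI job as a required status check, because without required checks `--auto` merges the PR immediately rather than waiting for CI.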

@StuMason StuMason merged commit ab61b29 into main Jan 5, 2026
5 checks passed
@StuMason StuMason deleted the feature/delete-endpoints branch January 5, 2026 16:39
