Enable auto-merge for dependabot & docwhat (#8)

Auto-approve and auto-merge dependabot PRs and auto-emerge docwhat PRs.

Author: docwhat

.github/CODEOWNERS

@@ -0,0 +1,5 @@
+/.github/ @docwhat
+
+* @docwhat
+
+# EOF

.github/workflows/auto-merge-dependabot.yaml

@@ -0,0 +1,56 @@
+name: Automatically Update Dependencies
+
+# `pull_request_target` grants access to secrets and runs in the scope of the *destination* branch.
+# Specifically we listen for the labelled event.
+on:
+  pull_request_target:
+    types:
+      # Dependabot will label the PR
+      - labeled
+      # Dependabot has rebased the PR
+      - synchronize
+
+permissions:
+  contents: read
+
+jobs:
+  enable-dependabot-automerge:
+    name: Enable auto-merge for Dependabot PRs
+    runs-on: ubuntu-latest
+    permissions:
+      # enable-automerge is a graphql query, not REST, so isn't documented,
+      # except in a mention in
+      # https://github.blog/changelog/2021-02-04-pull-request-auto-merge-is-now-generally-available/
+      # which says "can only be enabled by users with permissino to merge"; the
+      # REST documentation says you need contents: write to perform a merge.
+      # https://github.community/t/what-permission-does-a-github-action-need-to-call-graphql-enablepullrequestautomerge/197708
+      # says this is it
+      contents: write
+    # Specifically check the creator of the pull-request, not the actor.
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'dependencies')
+
+    steps:
+      - name: Enable GitHub Auto-Merge
+        # Reference by commit SHA as it is an immutable reference to a
+        # known, "trusted" version of this 3rd party code.
+        uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+  approve-dependabot:
+    needs: enable-dependabot-automerge
+    runs-on: ubuntu-latest
+    permissions:
+      # https://github.com/hmarr/auto-approve-action/issues/183 says
+      # auto-approve-action requires write on pull-requests
+      pull-requests: write
+    # Specifically check the creator of the pull-request, not the actor.
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'dependencies')
+    steps:
+      - name: Approve dependabot PRs
+        # Reference by commit SHA as it is an immutable reference to a
+        # known, "trusted" version of this 3rd party code.
+        uses: hmarr/auto-approve-action@8f929096a962e83ccdfa8afcf855f39f12d4dac7
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+# EOF

.github/workflows/auto-merge-docwhat.yaml

@@ -0,0 +1,33 @@
+name: Auto-Merge for docwhat
+
+# `pull_request_target` grants access to secrets and runs in the scope of the *destination* branch.
+# Specifically we listen for the labelled event.
+on:
+  pull_request_target:
+    types:
+      - labeled
+
+permissions:
+  contents: read
+
+jobs:
+  enable-auto-merge-for-docwhat:
+    name: Enable Auto-Merge for docwhat
+    runs-on: ubuntu-latest
+    permissions:
+      # enable-automerge is a graphql query, not REST, so isn't documented,
+      # except in a mention in
+      # https://github.blog/changelog/2021-02-04-pull-request-auto-merge-is-now-generally-available/
+      # which says "can only be enabled by users with permissino to merge"; the
+      # REST documentation says you need contents: write to perform a merge.
+      # https://github.community/t/what-permission-does-a-github-action-need-to-call-graphql-enablepullrequestautomerge/197708
+      # says this is it
+      contents: write
+    # Specifically check that dependabot (or another trusted party) created this pull-request, and that it has been labelled correctly.
+    if: github.event.pull_request.user.login == 'docwhat'
+    steps:
+      - name: Enable GitHub Auto-Merge
+        uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+# EOF

.trunk/trunk.yaml

@@ -7,7 +7,7 @@ cli:
 plugins:
   sources:
     - id: trunk
-      ref: v1.6.0
+      ref: v1.6.1
       uri: https://github.com/trunk-io/plugins
 # Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
 runtimes:
@@ -18,21 +18,21 @@ runtimes:
 # This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
 lint:
   enabled:
-    - bandit@1.7.8
+    - bandit@1.7.9
     - black@24.4.2
     - isort@5.13.2
     - perltidy
-    - ruff@0.4.8
+    - ruff@0.5.3
     - actionlint@1.7.1
     - hadolint@2.12.0
-    - checkov@3.2.133
+    - checkov@3.2.194
     - git-diff-check
     - markdownlint@0.41.0
-    - prettier@3.3.2
+    - prettier@3.3.3
     - shellcheck@0.10.0
     - shfmt@3.6.0
-    - trivy@0.52.1
-    - trufflehog@3.78.0
+    - trivy@0.53.0
+    - trufflehog@3.80.1
     - yamllint@1.35.1
   ignore:
     - linters: [ALL]