feat: add Dependabot automation for weekly dependency updates

Configure Dependabot for npm and github-actions ecosystems with:
- Weekly schedule (Monday 09:55 for actions, 10:00 for npm)
- Grouped updates to minimize PR noise
- `increase-if-necessary` strategy to keep package.json ranges clean

Add workflow to handle Dependabot PRs:
- Rebuild TypeScript dist for npm updates (javascript label)
- Auto-approve and merge via GitHub App token

Update release workflow to ignore .github/** changes so action
updates don't trigger unnecessary releases.

Author: peterdeme

.github/dependabot.yml

@@ -0,0 +1,28 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+      time: "09:55"
+      timezone: Europe/Dublin
+    open-pull-requests-limit: 1
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+      time: "10:00"
+      timezone: Europe/Dublin
+    versioning-strategy: increase-if-necessary
+    open-pull-requests-limit: 1
+    groups:
+      npm-dependencies:
+        patterns:
+          - "*"

.github/workflows/test.yml .github/workflows/build.yml.github/workflows/test.yml renamed to .github/workflows/build.yml

@@ -0,0 +1,67 @@
+name: dependabot
+
+on:
+  pull_request_target:
+    branches:
+      - main
+
+permissions:
+  contents: write
+  pull-requests: write
+  repository-projects: read
+
+jobs:
+  build:
+    name: 🔧 Rebuild TypeScript
+    if: github.actor == 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'javascript')
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Generate token
+        id: generate
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.DEPENDENCY_AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.DEPENDENCY_AUTOMATION_APP_KEY }}
+
+      - uses: actions/checkout@main
+        with:
+          ref: ${{ github.head_ref }}
+          token: ${{ steps.generate.outputs.token }}
+
+      - name: Format & rebuild
+        run: |
+          npm ci
+          npm run format
+          npm run build
+
+      - name: Commit changes
+        run: |
+          git config --local user.name "github-actions[bot]"
+          git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com"
+          git add dist/ src/
+          git diff --staged --quiet || git commit -m "chore: rebuild dist"
+          git push
+
+  # Github Action bump PRs skip the TypeScript rebuild since they don't have the 'javascript' label
+  # hence the 'always()' condition - to ensure this job runs for those PRs, too.
+  auto-merge:
+    name: 🤖 Approve and auto-merge
+    needs: build
+    if: always() && github.actor == 'dependabot[bot]' && !contains(needs.*.result, 'failure')
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Generate token
+        id: generate
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.DEPENDENCY_AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.DEPENDENCY_AUTOMATION_APP_KEY }}
+
+      - name: Approve and auto-merge
+        env:
+          GITHUB_TOKEN: ${{ steps.generate.outputs.token }}
+        run: |
+          gh pr review "${{ github.event.pull_request.html_url }}" --approve
+          gh pr merge --auto --squash "${{ github.event.pull_request.html_url }}"

.github/workflows/dependabot.yml

@@ -6,6 +6,7 @@ on:
       - main
     paths-ignore:
       - "**.md"
+      - ".github/**"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}