From 433b5e0676a16e5dd3679f8342416f6388399a29 Mon Sep 17 00:00:00 2001
From: Birgit Pauli-Haack
Date: Thu, 27 Nov 2025 18:19:53 +0100
Subject: [PATCH 1/3] Add Dependabot configuration with auto-approve and auto-merge workflows
---
.github/dependabot.yml | 17 ++++
.github/workflows/dependabot-auto-merge.yml | 26 ++++++
enforce_branch_protection.sh | 89 +++++++++++++++++++++
3 files changed, 132 insertions(+)
create mode 100644 .github/dependabot.yml
create mode 100644 .github/workflows/dependabot-auto-merge.yml
create mode 100755 enforce_branch_protection.sh
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..0b252ac
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,17 @@
+# Dependabot configuration for a JavaScript/npm project
+# Based on the WP Training Team Dependabot guide (Example 2).
+
+version: 2
+updates:
+ - package-ecosystem: "npm"
+ directory: "/" # location of package.json
+ schedule:
+ interval: "weekly" # or "daily", "monthly"
+ assignees:
+ - "troychaplin"
+ reviewers:
+ - "troychaplin"
+ labels:
+ - "dependencies"
+ - "automated"
+ open-pull-requests-limit: 10
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
new file mode 100644
index 0000000..b686c99
--- /dev/null
+++ b/.github/workflows/dependabot-auto-merge.yml
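Review bot: The npm entry in `.github/dependabot.yml` sets no cooldown, so together with the auto-merge workflow added in this same patch a version published shortly before the weekly run can be proposed and merged before anyone has had time to notice a bad or compromised release. Consider a `cooldown:` block under the npm entry, for example `default-days: 7` (a constructed value; check the Dependabot options reference for the exact keys and pick a window that fits the project). The file also configures only `npm`, while the auto-merge condition has a `github_actions` branch; either add a `package-ecosystem: "github-actions"` entry or drop that branch so the two files agree. `assignees` and `reviewers` name a person, but the workflows in this series approve and merge without waiting for that person, which is worth a comment at the top of the file.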
@@ -0,0 +1,26 @@
+name: Dependabot auto-merge
+
+on: pull_request
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ dependabot:
+ runs-on: ubuntu-latest
+ if: github.event.pull_request.user.login == 'dependabot[bot]'
+ steps:
+ - name: Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v2
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Auto-merge changes from Dependabot
+ # Auto-merge all non-major updates, and all GitHub Actions updates
+ if: steps.metadata.outputs.update-type != 'version-update:semver-major' || steps.metadata.outputs.package-ecosystem == 'github_actions'
+ run: gh pr merge --auto --squash "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/enforce_branch_protection.sh b/enforce_branch_protection.sh
new file mode 100755
index 0000000..e53183e
--- /dev/null
+++ b/enforce_branch_protection.sh
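Review bot: The merge step's condition fails open: `update-type != 'version-update:semver-major'` would also be true if fetch-metadata returns an empty or unexpected update-type, so anything not positively identified as a major bump gets auto-merge enabled. An allow-list is safer, `if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'`. The job holds `contents: write` and references `dependabot/fetch-metadata@v2` by mutable tag; pinning it as `uses: dependabot/fetch-metadata@<full-commit-sha> # v2` keeps a moved tag from running with that token. `gh pr merge --auto` waits only for what branch protection requires, and nothing in this series shows required status checks on the default branch (patch 2/3 removes the script that would have configured them), so confirm they exist before relying on this workflow.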
@@ -0,0 +1,89 @@ +#!/usr/bin/env bash +set -euo pipefail + +# This script requires: +# - gh CLI installed and authenticated (`gh auth login`) +# - To be run from inside the target repository checkout +# +# It: +# - Detects owner, repo, and default branch +# - Configures branch protection to require status checks +# - Enables auto-merge on the repository + +echo "=== Enforcing branch protection and enabling auto-merge ===" + +# Get repo URL and parse owner/repo +REPO_URL=$(git remote get-url origin) +REPO_NAME=$(basename -s .git "$REPO_URL") + +# Supports both git@github.com:owner/repo.git and https://github.com/owner/repo.git +if [[ "$REPO_URL" =~ github.com[:/]+([^/]+)/([^/]+)(\.git)?$ ]]; then + OWNER="${BASH_REMATCH[1]}" + REPO="${BASH_REMATCH[2]}" +else + echo "Error: Could not parse owner/repo from origin URL: $REPO_URL" + exit 1 +fi + +# Determine default branch +MAIN_BRANCH=$(git symbolic-ref --short HEAD 2>/dev/null || git rev-parse --abbrev-ref HEAD) + +echo "Repository: $OWNER/$REPO" +echo "Default branch (detected): $MAIN_BRANCH" + +read -rp "Proceed to configure branch protection and enable auto-merge on '$MAIN_BRANCH'? [y/N] " CONFIRM +if [[ ! "$CONFIRM" =~ ^[Yy]$ ]]; then + echo "Aborting." + exit 0 +fi + +echo "Configuring branch protection via GitHub API..." + +# Configure branch protection: +# - require status checks (example: a generic 'test' check) +# - require up-to-date branch (strict: true) +# - require conversation resolution +# - no specific user restrictions +PROTECTION_PAYLOAD=$( + cat < Date: Thu, 27 Nov 2025 18:26:20 +0100 Subject: [PATCH 2/3] Delete enforce_branch_protection.sh residues from ai testing. --- enforce_branch_protection.sh | 89 ------------------------------------ 1 file changed, 89 deletions(-) delete mode 100755 enforce_branch_protection.sh diff --git a/enforce_branch_protection.sh b/enforce_branch_protection.sh deleted file mode 100755 index e53183e..0000000 --- a/enforce_branch_protection.sh +++ /dev/null 
@@ -1,89 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -# This script requires: -# - gh CLI installed and authenticated (`gh auth login`) -# - To be run from inside the target repository checkout -# -# It: -# - Detects owner, repo, and default branch -# - Configures branch protection to require status checks -# - Enables auto-merge on the repository - -echo "=== Enforcing branch protection and enabling auto-merge ===" - -# Get repo URL and parse owner/repo -REPO_URL=$(git remote get-url origin) -REPO_NAME=$(basename -s .git "$REPO_URL") - -# Supports both git@github.com:owner/repo.git and https://github.com/owner/repo.git -if [[ "$REPO_URL" =~ github.com[:/]+([^/]+)/([^/]+)(\.git)?$ ]]; then - OWNER="${BASH_REMATCH[1]}" - REPO="${BASH_REMATCH[2]}" -else - echo "Error: Could not parse owner/repo from origin URL: $REPO_URL" - exit 1 -fi - -# Determine default branch -MAIN_BRANCH=$(git symbolic-ref --short HEAD 2>/dev/null || git rev-parse --abbrev-ref HEAD) - -echo "Repository: $OWNER/$REPO" -echo "Default branch (detected): $MAIN_BRANCH" - -read -rp "Proceed to configure branch protection and enable auto-merge on '$MAIN_BRANCH'? [y/N] " CONFIRM -if [[ ! "$CONFIRM" =~ ^[Yy]$ ]]; then - echo "Aborting." - exit 0 -fi - -echo "Configuring branch protection via GitHub API..." - -# Configure branch protection: -# - require status checks (example: a generic 'test' check) -# - require up-to-date branch (strict: true) -# - require conversation resolution -# - no specific user restrictions -PROTECTION_PAYLOAD=$( - cat < Date: Thu, 27 Nov 2025 18:32:16 +0100 Subject: [PATCH 3/3] added auto-approve --- .github/workflows/dependabot-auto-approve.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .github/workflows/dependabot-auto-approve.yml diff --git a/.github/workflows/dependabot-auto-approve.yml b/.github/workflows/dependabot-auto-approve.yml new file mode 100644 index 0000000..decc048 --- /dev/null 
+++ b/.github/workflows/dependabot-auto-approve.yml
@@ -0,0 +1,22 @@
+name: Dependabot Auto-Approve
+on: pull_request
+
+permissions:
+ pull-requests: write
+
+jobs:
+ dependabot-approve:
+ runs-on: ubuntu-latest
+ if: github.actor == 'dependabot[bot]'
+ steps:
+ - name: Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v2
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Approve Dependabot PR
+ run: gh pr review --approve "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
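Review bot: The `Approve Dependabot PR` step has no condition, so every Dependabot pull request is approved, major updates included; the `metadata` step runs but none of its outputs are read. If approval is meant to follow the auto-merge policy, gate the step with `if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'`, or drop the unused metadata step. The job guard here is `github.actor == 'dependabot[bot]'` while the auto-merge workflow checks `github.event.pull_request.user.login`; the two should use the same identity check, with a comment saying which one is intended. Where the repository allows Actions to approve pull requests, an approval issued with `GITHUB_TOKEN` can satisfy a required-review rule without a human reading the diff, so a header comment should state that this is deliberate. As in the auto-merge workflow, `dependabot/fetch-metadata@v2` is a mutable tag and a full commit SHA is the safer reference.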