Auto-merge Dependabot minor/patch updates, group PRs by severity

claude · claude · commit eca04acfb45d · 2026-03-29T23:10:37.000-06:00
Groups minor+patch bumps into single PRs per ecosystem to reduce
noise. Major version bumps get their own PRs for manual review.
Auto-merge workflow squash-merges minor/patch PRs once CI passes.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -10,13 +10,26 @@ updates:
    directory: "/"
    schedule:
      interval: weekly
+   groups:
+     devcontainers:
+       patterns: ["*"]
 
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: weekly
+   groups:
+     npm-minor-patch:
+       update-types: ["minor", "patch"]
+     npm-major:
+       update-types: ["major"]
 
  - package-ecosystem: "nuget"
    directory: "/src"
    schedule:
      interval: weekly
+   groups:
+     nuget-minor-patch:
+       update-types: ["minor", "patch"]
+     nuget-major:
+       update-types: ["major"]
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
@@ -0,0 +1,26 @@
+name: Dependabot Auto-Merge
+
+on:
+  pull_request:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  automerge:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Fetch Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Auto-merge minor and patch updates
+        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
+        run: gh pr merge "$PR_URL" --squash --auto
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
