From d595080579f03bca86a4c5c7fd5afa43122b665a Mon Sep 17 00:00:00 2001
From: Call Telemetry <57885211+calltelemetry-jason@users.noreply.github.com>
Date: Fri, 29 May 2026 15:01:40 -0300
Subject: [PATCH] chore(ci): add Dependabot with grouped, cooldown-gated auto-merge
- dependabot.yml: weekly npm updates, group minor/patch into one rolling PR, 3-day cooldown (supply-chain release-age delay), majors ignored
- dependabot-automerge.yml: auto-merge patch/minor Dependabot PRs once the required 'Test & Coverage' check passes; actor+author gated to dependabot[bot], job-level least-privilege perms, per-PR concurrency
---
 .github/dependabot.yml | 25 ++++++++++++++++
 .github/workflows/dependabot-automerge.yml | 35 ++++++++++++++++++++++
 2 files changed, 60 insertions(+)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/dependabot-automerge.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..5c00164
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,25 @@
+version: 2
+updates:
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ commit-message:
+ prefix: "chore"
+ include: "scope"
+ # Collapse the weekly minor/patch churn into a single rolling PR
+ # instead of one PR per package.
+ groups:
+ npm-minor-patch:
+ patterns: ["*"]
+ update-types: ["minor", "patch"]
+ # Supply-chain delay: don't propose an update until the new version
+ # has been published for at least 3 days. Mitigates auto-merging a
+ # freshly-published malicious release.
+ cooldown:
+ semver-minor-days: 3
+ semver-patch-days: 3
+ # Majors always require a human; never auto-bumped or auto-merged.
+ ignore:
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
new file mode 100644
index 0000000..93a6a38
--- /dev/null
+++ b/.github/workflows/dependabot-automerge.yml
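Review bot: The `updates` list in this hunk covers only the `npm` ecosystem, so the SHA-pinned `dependabot/fetch-metadata@21025c70…` action used by the companion workflow never receives a Dependabot bump and its `# v2` pin will silently age; add a `github-actions` entry (below) so the action pin is maintained on the same weekly cadence. Separately, the `groups` entry carries no `applies-to`, which as I read the Dependabot reference means only version updates are grouped, and I believe the `cooldown` delay likewise does not apply to security updates — if so, a Dependabot security-update PR arrives ungrouped and without the 3-day release-age delay yet is still auto-merged by the workflow when it is a patch/minor bump, so either state that trade-off in the comment above `cooldown:` or confirm it is intended. `cooldown` also sets no `default-days`; adding `default-days: 3` makes the delay explicit for any update not matched by the two semver-specific keys rather than relying on an implicit zero.
```yaml
updates:
  # … unchanged: npm entry …
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "chore"
      include: "scope"
```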
@@ -0,0 +1,35 @@
+name: Dependabot auto-merge
+
+# Auto-enable GitHub auto-merge ("--auto") for Dependabot patch/minor PRs.
+# The PR still only merges once branch protection's required checks
+# (the "Test & Coverage" job) pass. Gated to the trusted dependabot[bot] actor
+# AND author; on: pull_request (not pull_request_target); never runs or
+# trusts third-party PR code.
+on: pull_request
+
+concurrency:
+ group: dependabot-automerge-${{ github.event.pull_request.number }}
+ cancel-in-progress: false
+
+jobs:
+ dependabot:
+ name: Auto-merge Dependabot patch/minor PRs
+ runs-on: ubuntu-latest
+ # Verify both the triggering actor and the PR author to avoid actor spoofing.
+ if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]'
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - name: Fetch Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Enable auto-merge for patch and minor updates
+ if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
+ run: gh pr merge --auto --squash "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
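Review bot: The workflow grants `permissions` only on the `dependabot` job and sets no workflow-level `permissions`, so any job added to this file later inherits the repository's default `GITHUB_TOKEN` scope, which can still be write-all on older repositories; add `permissions: {}` at the top level, directly after `on: pull_request`, so the job-level `contents: write` / `pull-requests: write` grant is the only one. The header comment states the PR "still only merges once branch protection's required checks pass", but that gate lives in repository settings rather than in this file: `gh pr merge --auto` merges immediately if "Test & Coverage" is not configured as a required status check (and errors if "Allow auto-merge" is off), so I would add `# Requires: repo 'Allow auto-merge' enabled and 'Test & Coverage' set as a required status check` beside that comment so the dependency is visible to whoever edits branch protection. Note also that, as I read the fetch-metadata README, `steps.metadata.outputs.update-type` for a grouped PR reports the largest bump in the group, which is safe here only because majors are ignored in dependabot.yml — worth a one-line comment on the step's `if:` since the grouped PR is the normal case.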