From f360c4c54bfcb7bab799fcbe501d6a2123d2f0b5 Mon Sep 17 00:00:00 2001
From: JSChronicles <135760373+JSChronicles@users.noreply.github.com>
Date: Sat, 9 May 2026 17:22:40 -0500
Subject: [PATCH 1/2] Add minor and patch auto approval for dependabot

Does anyone actually look at dependabot updates and review ALL the pieces?
Security is already "best" if dependabot is at 7-14 days cooldown. So I might as well just automate the dependabot PR's for minor and patch
---
 .../workflows/dependabot-auto-approve.yaml    | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 .github/workflows/dependabot-auto-approve.yaml

diff --git a/.github/workflows/dependabot-auto-approve.yaml b/.github/workflows/dependabot-auto-approve.yaml
new file mode 100644
index 0000000..a0d00ef
--- /dev/null
+++ b/.github/workflows/dependabot-auto-approve.yaml
@@ -0,0 +1,39 @@
+name: Dependabot auto-approve
+
+on:
+  pull_request:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Approve patch and minor updates
+        if: |
+          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
+          steps.metadata.outputs.update-type == 'version-update:semver-minor'
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Enable auto-merge for patch and minor updates
+        if: |
+          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
+          steps.metadata.outputs.update-type == 'version-update:semver-minor'
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

From e51d8beadebed3afdc27b2f81498a32e4f24fbd6 Mon Sep 17 00:00:00 2001
From: JSChronicles <135760373+JSChronicles@users.noreply.github.com>
Date: Sat, 9 May 2026 17:41:11 -0500
Subject: [PATCH 2/2] Refactor Dependabot workflow to use environment variables

Added environment variables for PR URL and GitHub token to simplify usage in steps.
---
 .github/workflows/dependabot-auto-approve.yaml | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/dependabot-auto-approve.yaml b/.github/workflows/dependabot-auto-approve.yaml
index a0d00ef..b5dd357 100644
--- a/.github/workflows/dependabot-auto-approve.yaml
+++ b/.github/workflows/dependabot-auto-approve.yaml
@@ -13,6 +13,10 @@ jobs:
 
     if: github.event.pull_request.user.login == 'dependabot[bot]'
 
+    env:
+      PR_URL: ${{ github.event.pull_request.html_url }}
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
     steps:
       - name: Dependabot metadata
         id: metadata
@@ -25,15 +29,9 @@ jobs:
           steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
           steps.metadata.outputs.update-type == 'version-update:semver-minor'
         run: gh pr review --approve "$PR_URL"
-        env:
-          PR_URL: ${{ github.event.pull_request.html_url }}
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Enable auto-merge for patch and minor updates
         if: |
           steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
           steps.metadata.outputs.update-type == 'version-update:semver-minor'
         run: gh pr merge --auto --squash "$PR_URL"
-        env:
-          PR_URL: ${{ github.event.pull_request.html_url }}
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}