From d4992c8139107d34b014761f4e15688ea08a59be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Constantin=20Kr=C3=BCger?=
Date: Mon, 8 Sep 2025 22:43:20 +0200
Subject: [PATCH 1/4] Build: introduce a reusable workflow for Dependabot metadata
---
 .github/workflows/dependabot-metadata.yml | 63 +++++++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 .github/workflows/dependabot-metadata.yml
diff --git a/.github/workflows/dependabot-metadata.yml b/.github/workflows/dependabot-metadata.yml
new file mode 100644
index 0000000..e54a08d
--- /dev/null
+++ b/.github/workflows/dependabot-metadata.yml
@@ -0,0 +1,63 @@
+name: Get Dependabot Metadata
+
+on:
+ workflow_call:
+ inputs:
+ github-token:
+ description: 'GitHub token for authentication'
+ required: false
+ type: string
+ default: ${{ github.token }}
+ outputs:
+ dependency-names:
+ description: 'Dependency names from metadata'
+ value: ${{ jobs.metadata.outputs.dependency-names }}
+ dependency-type:
+ description: 'Dependency type from metadata'
+ value: ${{ jobs.metadata.outputs.dependency-type }}
+ update-type:
+ description: 'Update type from metadata'
+ value: ${{ jobs.metadata.outputs.update-type }}
+ package-ecosystem:
+ description: 'Package ecosystem from metadata'
+ value: ${{ jobs.metadata.outputs.package-ecosystem }}
+ target-branch:
+ description: 'Target branch from metadata'
+ value: ${{ jobs.metadata.outputs.target-branch }}
+ previous-version:
+ description: 'Previous version from metadata'
+ value: ${{ jobs.metadata.outputs.previous-version }}
+ new-version:
+ description: 'New version from metadata'
+ value: ${{ jobs.metadata.outputs.new-version }}
+ alert-state:
+ description: 'Alert state from metadata'
+ value: ${{ jobs.metadata.outputs.alert-state }}
+ ghsa-id:
+ description: 'GHSA ID from metadata'
+ value: ${{ jobs.metadata.outputs.ghsa-id }}
+ cvss:
+ description: 'CVSS score from metadata'
+ value: ${{ jobs.metadata.outputs.cvss }}
+
+jobs:
+ metadata:
+ runs-on: ubuntu-latest
+ if: github.event.pull_request.user.login == 'dependabot[bot]'
+ outputs:
+ dependency-names: ${{ steps.metadata.outputs.dependency-names }}
+ dependency-type: ${{ steps.metadata.outputs.dependency-type }}
+ update-type: ${{ steps.metadata.outputs.update-type }}
+ package-ecosystem: ${{ steps.metadata.outputs.package-ecosystem }}
+ target-branch: ${{ steps.metadata.outputs.target-branch }}
+ previous-version: ${{ steps.metadata.outputs.previous-version }}
+ new-version: ${{ steps.metadata.outputs.new-version }}
+ alert-state: ${{ steps.metadata.outputs.alert-state }}
+ ghsa-id: ${{
steps.metadata.outputs.ghsa-id }}
+ cvss: ${{ steps.metadata.outputs.cvss }}
+ steps:
+ - name: Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v1
+ with:
+ github-token: ${{ inputs.github-token }}
From 6c8161365aa2748370e41334447ce3253b9985ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Constantin=20Kr=C3=BCger?=
Date: Mon, 1 Sep 2025 21:44:08 +0200
Subject: [PATCH 2/4] Build: Add labels based on Dependabot PRs
---
 .github/workflows/dependabot-auto-label.yml | 33 +++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 .github/workflows/dependabot-auto-label.yml
diff --git a/.github/workflows/dependabot-auto-label.yml b/.github/workflows/dependabot-auto-label.yml
new file mode 100644
index 0000000..210af68
--- /dev/null
+++ b/.github/workflows/dependabot-auto-label.yml
@@ -0,0 +1,33 @@
+name: Dependabot auto-label
+on: pull_request
+
+permissions:
+ pull-requests: write
+ issues: write
+
+jobs:
+ get-metadata:
+ uses: ./.github/workflows/dependabot-metadata.yml
+
+ dependabot:
+ runs-on: ubuntu-latest
+ needs: get-metadata
+ steps:
+ - name: Add a label for all production dependencies
+ if: needs.get-metadata.outputs.dependency-type == 'direct:production'
+ run: gh pr edit "$PR_URL" --add-label "dep:production"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Add a label for all development dependencies
+ if: needs.get-metadata.outputs.dependency-type == 'direct:development'
+ run: gh pr edit "$PR_URL" --add-label "dep:development"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Add a label for all indirect dependencies
+ if: needs.get-metadata.outputs.dependency-type == 'indirect'
+ run: gh pr edit "$PR_URL" --add-label "dep:indirect"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
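Review bot: `uses: dependabot/fetch-metadata@v1` in the `steps` block pins the action only to a mutable major tag, so every run executes whatever that tag points at on the day; because the outputs of this step drive the approve and merge workflows in later patches, pin it to a full commit SHA with the tag kept as a trailing comment, `uses: dependabot/fetch-metadata@<full-commit-sha>  # v1`, and check whether a newer major of the action is available before pinning. The `github-token` is declared under `inputs` with `type: string`; reusable-workflow inputs are not masked in logs the way `secrets` are, so a caller that passes anything other than the default `${{ github.token }}` would print it. Consider declaring it under `on.workflow_call.secrets` instead and falling back in the step, `github-token: ${{ secrets.github-token || github.token }}`, which keeps the current default behaviour for callers that pass nothing.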
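Review bot: The workflow-level `permissions` block grants `pull-requests: write` and `issues: write` to every job, including `get-metadata`, whose only work is the read-only fetch-metadata call in the reusable workflow. Moving the block under the `dependabot` job (`dependabot:` then `  permissions:` with `    pull-requests: write` and `    issues: write` below it) leaves the called workflow on the read-only default token, which is the least privilege it needs. The same placement applies to the `permissions` blocks in the auto-approve (PATCH 3/4) and auto-merge (PATCH 4/4) hunks.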
From a6886199540816dc7f889500606f5a97ba45f230 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Constantin=20Kr=C3=BCger?=
Date: Mon, 1 Sep 2025 21:48:56 +0200
Subject: [PATCH 3/4] Build: Auto approve patch version Dependabot PRs
---
 .github/workflows/dependabot-auto-approve.yml | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 .github/workflows/dependabot-auto-approve.yml
diff --git a/.github/workflows/dependabot-auto-approve.yml b/.github/workflows/dependabot-auto-approve.yml
new file mode 100644
index 0000000..e60be6e
--- /dev/null
+++ b/.github/workflows/dependabot-auto-approve.yml
@@ -0,0 +1,20 @@
+name: Dependabot auto-approve
+on: pull_request
+
+permissions:
+ pull-requests: write
+
+jobs:
+ get-metadata:
+ uses: ./.github/workflows/dependabot-metadata.yml
+
+ dependabot:
+ runs-on: ubuntu-latest
+ needs: get-metadata
+ steps:
+ - name: Approve a PR
+ if: needs.get-metadata.outputs.update-type == 'version-update:semver-patch'
+ run: gh pr review --approve "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
From c7aa5fc0a72c9b7eb5c9f41ab809a3134f8df6fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Constantin=20Kr=C3=BCger?=
Date: Mon, 1 Sep 2025 21:50:25 +0200
Subject: [PATCH 4/4] Build: Auto merge patch version Dependabot PRs
---
 .github/workflows/dependabot-auto-merge.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 .github/workflows/dependabot-auto-merge.yml
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
new file mode 100644
index 0000000..0e09b92
--- /dev/null
+++ b/.github/workflows/dependabot-auto-merge.yml
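Review bot: The only gate in front of `gh pr review --approve` is the PR-author check inherited from the reusable workflow's job `if` (`github.event.pull_request.user.login == 'dependabot[bot]'`) plus the semver-patch comparison on the step; `on: pull_request` also fires on `synchronize`, so commits that a collaborator pushes onto the Dependabot branch would still receive an automated approval from `GITHUB_TOKEN` while the parsed update type stays semver-patch. Add an actor check on the approving job, `if: github.actor == 'dependabot[bot]'` under `dependabot:`, so only runs triggered by Dependabot itself approve; fetch-metadata's default commit verification may reject such PRs, but that behaviour is not visible here and should not be the sole control. The same gap applies to the auto-merge hunk (PATCH 4/4). Whether an approval by the actions bot counts toward required reviews is a branch-protection setting of the repository; a comment above the step, `# Approval from GITHUB_TOKEN only satisfies branch protection if the rule accepts bot reviews`, would record that assumption.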
@@ -0,0 +1,21 @@
+name: Dependabot auto-merge
+on: pull_request
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ get-metadata:
+ uses: ./.github/workflows/dependabot-metadata.yml
+
+ dependabot:
+ runs-on: ubuntu-latest
+ needs: get-metadata
+ steps:
+ - name: Enable auto-merge for Dependabot PRs
+ if: needs.get-metadata.outputs.update-type == 'version-update:semver-patch'
+ run: gh pr merge --auto --merge "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
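Review bot: `gh pr merge --auto --merge` hands the merge to GitHub's auto-merge, which waits only for whatever the base branch's protection rules require; if that branch has no required status checks, the PR merges as soon as it is mergeable, so the semver-patch gate on the line above is only as strong as the branch protection, and the step fails outright when the repository has auto-merge disabled. Neither dependency is visible in the workflow, so record it in a comment above the step, `# Relies on branch protection: keep CI as a required status check on the base branch and 'Allow auto-merge' enabled`. `--merge` produces a merge commit for every patch bump; if the project otherwise squashes Dependabot PRs, `--squash` would keep the history consistent (a project preference rather than a defect).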