Automate dependency monitoring and patch-level auto-merge (#16)

With CI in place (#15), the repository can gate dependency updates on
passing checks. Dependabot now monitors both Go modules and GitHub
Actions on a weekly schedule, and patch-level updates auto-merge once CI
passes.

Minor and major updates still require human review. TODO comments in the
automerge workflow mark where Claude-assisted review steps will slot in
once the Claude Code workflow (#5) lands: approve-and-merge for minor
updates, comment-only analysis for major ones. This addresses three of
the four checkboxes in #6; the remaining one (LLM-assisted review) is
blocked on #5.

Relates to #6

Author: danielorbach

.github/dependabot.yml

@@ -0,0 +1,24 @@
+# Dependabot Configuration
+#
+# Weekly update checks balance responsiveness with notification fatigue.
+# Patch updates auto-merge via dependabot-automerge workflow.
+
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: "go.mod"
+    labels:
+      - dependencies
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: "github"
+    labels:
+      - dependencies

.github/workflows/dependabot-automerge.yml

@@ -0,0 +1,67 @@
+# Dependabot Auto-merge Workflow
+#
+# Patch updates auto-merge after CI passes. Minor and major updates
+# require human review until LLM-assisted review is available (#5).
+#
+# Squash commits default to using the PR description as body, but
+# Dependabot PRs include lengthy changelogs and compatibility notes.
+# The merge step overrides the body to keep commit messages clean.
+
+name: "🤖 Dependabot"
+
+on:
+  pull_request:
+    branches: [main]
+    # Path filter avoids creating workflow runs for unrelated PRs while
+    # still catching all Dependabot updates (Go modules and Actions).
+    paths:
+      - "go.mod"
+      - "go.sum"
+      - ".github/workflows/**"
+
+permissions:
+  contents: write # Required by: gh pr merge --auto
+  pull-requests: write # Required by: gh pr review --approve
+
+jobs:
+  automerge:
+    name: Review & Merge
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    steps:
+      - name: Fetch Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+          compat-lookup: true
+
+      - name: Approve patch
+        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
+        run: gh pr review --approve -b "Patch update — auto-approved" "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # TODO(#5): Review minor updates with Claude before auto-merging.
+      # Once the Claude Code workflow lands, add a step here that uses
+      # claude-code-action to review the diff and approve if acceptable,
+      # followed by an auto-merge step gated on the same condition.
+
+      # TODO(#5): Analyze major updates with Claude, require human merge.
+      # Major updates may contain breaking changes. The planned step uses
+      # claude-code-action to post a review comment with migration notes
+      # and risk analysis, but does not approve or merge. A human reads
+      # the analysis and decides whether to proceed.
+
+      - name: Auto-merge patch
+        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
+        run: gh pr merge --auto --squash "$PR_URL" --body "$BODY"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BODY: |
+            This patch update was merged automatically since patch-level
+            changes carry minimal risk of breaking existing functionality.
+
+            Compatibility score: ${{ steps.metadata.outputs.compatibility-score }}%