From f71a07fae1040eaba828f580fb855b3011b9fe41 Mon Sep 17 00:00:00 2001
From: Daniel Orbach
Date: Wed, 11 Mar 2026 00:13:32 +0200
Subject: [PATCH 1/5] github: monitor Go module dependencies with Dependabot
Weekly schedule with go.mod commit prefix matches the convention established in go-digitaltwin/go-digitaltwin. No dependency groups yet since the module has no third-party imports.
---
 .github/dependabot.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..95b7278
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+# Dependabot Configuration
+#
+# Weekly update checks balance responsiveness with notification fatigue.
+# Patch updates auto-merge via dependabot-automerge workflow.
+
+version: 2
+updates:
+ - package-ecosystem: gomod
+ directory: /
+ schedule:
+ interval: weekly
+ commit-message:
+ prefix: "go.mod"
+ labels:
+ - dependencies
From 7b39b43ee21634cf2dfa170daf375b5b90762e7b Mon Sep 17 00:00:00 2001
From: Daniel Orbach
Date: Wed, 11 Mar 2026 00:13:54 +0200
Subject: [PATCH 2/5] github: monitor GitHub Actions dependencies with Dependabot
Keeps action versions (checkout, setup-go, golangci-lint, etc.) current alongside Go module monitoring.
---
 .github/dependabot.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 95b7278..81decfc 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -13,3 +13,12 @@ updates:
 prefix: "go.mod"
 labels:
 - dependencies
+
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ commit-message:
+ prefix: "github"
+ labels:
+ - dependencies
From 5bafdd7b94def2199162a3054d3accea1c6deedf Mon Sep 17 00:00:00 2001
From: Daniel Orbach
Date: Wed, 11 Mar 2026 00:14:21 +0200
Subject: [PATCH 3/5] github: auto-merge Dependabot patch updates after CI passes
Patches carry minimal risk of breaking changes. Approving and enabling auto-merge lets them land without human intervention once the CI workflow reports success.
---
 .github/workflows/dependabot-automerge.yml | 55 ++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 .github/workflows/dependabot-automerge.yml
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
new file mode 100644
index 0000000..7d10f49
--- /dev/null
+++ b/.github/workflows/dependabot-automerge.yml
@@ -0,0 +1,55 @@
+# Dependabot Auto-merge Workflow
+#
+# Patch updates auto-merge after CI passes. Minor and major updates
+# require human review until LLM-assisted review is available (#5).
+#
+# Squash commits default to using the PR description as body, but
+# Dependabot PRs include lengthy changelogs and compatibility notes.
+# The merge step overrides the body to keep commit messages clean.
+
+name: "🤖 Dependabot"
+
+on:
+ pull_request:
+ # Path filter avoids creating workflow runs for unrelated PRs while
+ # still catching all Dependabot updates (Go modules and Actions).
+ paths:
+ - "go.mod"
+ - "go.sum"
+ - ".github/workflows/**"
+
+permissions:
+ contents: write # Required by: gh pr merge --auto
+ pull-requests: write # Required by: gh pr review --approve
+
+jobs:
+ automerge:
+ name: Review & Merge
+ runs-on: ubuntu-latest
+ if: github.actor == 'dependabot[bot]'
+ steps:
+ - name: Fetch Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v2
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+ compat-lookup: true
+
+ - name: Approve patch
+ if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
+ run: gh pr review --approve -b "Patch update — auto-approved" "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Auto-merge patch
+ if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
+ run: gh pr merge --auto --squash "$PR_URL" --body "$BODY"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ BODY: |
+ This patch update was merged automatically since patch-level
+ changes carry minimal risk of breaking existing functionality.
+
+ Compatibility score: ${{ steps.metadata.outputs.compatibility-score }}%
From fd0132f715f2469d7cb5221a90bbb465813749ef Mon Sep 17 00:00:00 2001
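Review bot: Nothing in the `Auto-merge patch` step waits for the CI workflow that the header comment and the commit message rely on; `gh pr merge --auto` defers only to the status checks that branch protection or a ruleset on the target branch marks as required, and on a branch with no required checks it appears to merge as soon as the PR is mergeable. The "auto-merge after CI passes" property therefore lives in a repository setting this file cannot express, so record the dependency next to the step, e.g. `# --auto waits only for checks that branch protection marks as required; without such a rule the merge is immediate.` The `Approve patch` step has the same shape: the approval is issued from Dependabot metadata alone, before any check has reported. Separately, `dependabot/fetch-metadata@v2` is pinned to a mutable tag; pinning to a full commit SHA with a trailing `# v2.<x>.<y>` comment (placeholder version) keeps the github-actions Dependabot updates from PATCH 2/5 working while removing the tag-retargeting exposure.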
From: Daniel Orbach
Date: Wed, 11 Mar 2026 00:14:49 +0200
Subject: [PATCH 4/5] github: document deferred LLM review for minor and major updates
The automerge workflow currently handles only patches. TODO comments mark where Claude-assisted review steps will slot in once the Claude Code workflow (#5) is resolved: approve-and-merge for minor updates, comment-only analysis for major updates.
---
 .github/workflows/dependabot-automerge.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
index 7d10f49..a1a59bb 100644
--- a/.github/workflows/dependabot-automerge.yml
+++ b/.github/workflows/dependabot-automerge.yml
@@ -42,6 +42,17 @@ jobs:
 PR_URL: ${{ github.event.pull_request.html_url }}
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+ # TODO(#5): Review minor updates with Claude before auto-merging.
+ # Once the Claude Code workflow lands, add a step here that uses
+ # claude-code-action to review the diff and approve if acceptable,
+ # followed by an auto-merge step gated on the same condition.
+
+ # TODO(#5): Analyze major updates with Claude, require human merge.
+ # Major updates may contain breaking changes. The planned step uses
+ # claude-code-action to post a review comment with migration notes
+ # and risk analysis, but does not approve or merge. A human reads
+ # the analysis and decides whether to proceed.
+
 - name: Auto-merge patch
 if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
 run: gh pr merge --auto --squash "$PR_URL" --body "$BODY"
From 0393e0286de89eff7608445d0c7e37ed1227a570 Mon Sep 17 00:00:00 2001
From: Daniel Orbach
Date: Wed, 11 Mar 2026 19:30:29 +0200
Subject: [PATCH 5/5] github: restrict automerge workflow to the default branch
---
 .github/workflows/dependabot-automerge.yml | 1 +
 1 file changed, 1 insertion(+)
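Review bot: The first TODO plans a step that will `review the diff and approve if acceptable` for minor updates, but the diff, release notes and changelog such a step would read are authored by the upstream dependency, not by this repository, so the model's verdict is derived from content a third party can shape. The comment should state that the model's approval is advisory and that the metadata gate and the required CI checks the patch path already relies on stay in front of any approve-and-merge step, rather than letting the model be the sole gate; e.g. extend the TODO with `# Model output is advisory only: the reviewed content is third-party authored, so keep the metadata and required-check gates ahead of any approve step.` The second TODO already keeps a human as the merge decision for major updates, which is the right default to carry over to the minor path until that caveat is designed in. The enclosing `steps:` list begins outside this hunk.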
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
index a1a59bb..fd66959 100644
--- a/.github/workflows/dependabot-automerge.yml
+++ b/.github/workflows/dependabot-automerge.yml
@@ -11,6 +11,7 @@ name: "🤖 Dependabot"
 
 on:
 pull_request:
+ branches: [main]
 # Path filter avoids creating workflow runs for unrelated PRs while
 # still catching all Dependabot updates (Go modules and Actions).
 paths: