From a8e049200472eba1e9f863205e7ec59344cb13d3 Mon Sep 17 00:00:00 2001
From: Jean-Baptiste THERY <jb.thery@jcode.works>
Date: Sun, 28 Jun 2026 20:04:11 +0700
Subject: [PATCH] chore: tame dependabot updates

---
 .github/dependabot.yml                      | 27 ++++++++++++----
 .github/workflows/dependabot-auto-merge.yml | 36 +++++++++++++++++++++
 2 files changed, 56 insertions(+), 7 deletions(-)
 create mode 100644 .github/workflows/dependabot-auto-merge.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b23304b..50a70e1 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,19 +7,23 @@ updates:
       day: monday
       time: "08:00"
       timezone: Asia/Bangkok
-    assignees:
-      - jb-thery
     labels:
       - dependencies
-    open-pull-requests-limit: 5
+    open-pull-requests-limit: 2
     commit-message:
       prefix: chore
       include: scope
     groups:
-      npm-minor-and-patch:
+      npm-safe-updates:
+        patterns:
+          - "*"
         update-types:
           - minor
           - patch
+    ignore:
+      - dependency-name: "*"
+        update-types:
+          - version-update:semver-major
 
   - package-ecosystem: github-actions
     directory: /
@@ -28,11 +32,20 @@ updates:
       day: monday
       time: "08:30"
       timezone: Asia/Bangkok
-    assignees:
-      - jb-thery
     labels:
       - dependencies
-    open-pull-requests-limit: 5
+    open-pull-requests-limit: 1
     commit-message:
       prefix: chore
       include: scope
+    groups:
+      github-actions-safe-updates:
+        patterns:
+          - "*"
+        update-types:
+          - minor
+          - patch
+    ignore:
+      - dependency-name: "*"
+        update-types:
+          - version-update:semver-major
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
new file mode 100644
index 0000000..afbb76a
--- /dev/null
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,36 @@
+name: Dependabot auto-merge
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge:
+    name: Auto-merge safe Dependabot updates
+    if: github.actor == 'dependabot[bot]' && github.event.pull_request.draft == false
+    runs-on: ubuntu-latest
+    steps:
+      - name: Classify update
+        id: classify
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}
+        run: |
+          node <<'NODE'
+          const fs = require("node:fs")
+          const title = process.env.PR_TITLE ?? ""
+          const match = title.match(/\bfrom\s+v?(\d+)(?:\.\d+)*\s+to\s+v?(\d+)(?:\.\d+)*/i)
+          const isMajor = Boolean(match && match[1] !== match[2])
+          fs.appendFileSync(process.env.GITHUB_OUTPUT, `is_major=${isMajor}\n`)
+          console.log(isMajor ? "Major update detected; leaving PR for manual review." : "Safe update detected; enabling auto-merge.")
+          NODE
+
+      - name: Enable auto-merge after required checks pass
+        if: steps.classify.outputs.is_major != 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: gh pr merge --auto --squash --delete-branch "$PR_URL"