deps: add Dependabot config for automated dependency updates

- Daily npm dependency checks at 04:00 Europe/Berlin - Grouped updates: payload-core, react-nextjs, fullcalendar, dev-deps - Weekly GitHub Actions updates - Auto-merge workflow for patch updates after CI passes - Minor dev-dependency updates also auto-merged - Critical after CVE-2025-55182 incident on 2025-12-09
2026-03-17 17:24:12 +00:00 · 2026-02-22 16:43:42 +00:00 · 2026-02-22 16:43:42 +00:00 · 0065712752
commit 0065712752
parent 03c0e5e5d8
2 changed files with 114 additions and 0 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,69 @@
+# Dependabot configuration for automated dependency updates
+# Critical: CVE-2025-55182 compromise was caused by delayed security updates
+version: 2
+
+updates:
+  # npm (pnpm) dependencies - daily checks for security-critical updates
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+      time: "04:00"
+      timezone: "Europe/Berlin"
+    labels:
+      - "dependencies"
+    # pnpm is auto-detected via lockfile
+    versioning-strategy: "increase"
+    open-pull-requests-limit: 20
+    groups:
+      payload-core:
+        patterns:
+          - "@payloadcms/*"
+          - "payload"
+          - "payload-oapi"
+        update-types:
+          - "minor"
+          - "patch"
+      react-nextjs:
+        patterns:
+          - "react"
+          - "react-dom"
+          - "next"
+          - "@types/react"
+          - "@types/react-dom"
+          - "eslint-config-next"
+        update-types:
+          - "minor"
+          - "patch"
+      fullcalendar:
+        patterns:
+          - "@fullcalendar/*"
+        update-types:
+          - "minor"
+          - "patch"
+      dev-dependencies:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+          - "patch"
+        exclude-patterns:
+          - "@types/react"
+          - "@types/react-dom"
+          - "eslint-config-next"
+    commit-message:
+      prefix: "deps"
+      prefix-development: "deps(dev)"
+      include: "scope"
+
+  # GitHub Actions - weekly updates
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "04:00"
+      timezone: "Europe/Berlin"
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "deps(actions)"
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@ -0,0 +1,45 @@
+name: Dependabot Auto-Merge
+
+on:
+  pull_request:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge:
+    name: Auto-merge patch updates
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    steps:
+      - name: Fetch Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Wait for CI to pass
+        uses: lewagon/wait-on-check-action@v1.3.4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          check-name: "CI Success"
+          wait-interval: 30
+          allowed-conclusions: success
+
+      - name: Auto-merge patch updates
+        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Auto-merge minor updates (dev dependencies only)
+        if: >-
+          steps.metadata.outputs.update-type == 'version-update:semver-minor' &&
+          steps.metadata.outputs.dependency-type == 'direct:development'
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}