From c5797f7e879a22712c1a0a5686a8bd64ec578e62 Mon Sep 17 00:00:00 2001 From: Claude Date: Sat, 7 Mar 2026 06:36:53 +0000 Subject: [PATCH 1/5] Add Dependabot auto-merge workflow for patch and minor updates Adds a GitHub Actions workflow that automatically enables auto-merge (squash) on Dependabot PRs for patch and minor version updates. GitHub's auto-merge will wait for all required status checks to pass before merging, so major/breaking updates still require manual review. https://claude.ai/code/session_012ieS3tLTHwwnh9aftVAPVY --- .github/workflows/dependabot-auto-merge.yml | 23 +++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/workflows/dependabot-auto-merge.yml diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml new file mode 100644 index 000000000..8f6937cf7 --- /dev/null +++ b/.github/workflows/dependabot-auto-merge.yml @@ -0,0 +1,23 @@ +name: Dependabot Auto-Merge +on: pull_request + +permissions: + contents: write + pull-requests: write + +jobs: + dependabot-auto-merge: + runs-on: ubuntu-latest + if: github.actor == 'dependabot[bot]' + steps: + - name: Fetch Dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@v2 + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" + - name: Enable auto-merge for Dependabot PRs + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' + run: gh pr merge --auto --squash "$PR_URL" + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 28bdadf7d2657389f189aff7533cb2527ed99179 Mon Sep 17 00:00:00 2001 
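Review bot: The workflow's safety premise — that `gh pr merge --auto` only completes once branch protection's required checks pass and that "Allow auto-merge" is enabled on the repository — lives only in the commit message, so nothing in the file tells a maintainer which controls the job relies on; I'd record it above `jobs:` as `# Auto-merge completes only after branch protection's required checks pass; "Allow auto-merge" must be enabled in repository settings.` The `if:` on the "Enable auto-merge" step is a single ~170-character line; a folded scalar (`if: >-`) with one `steps.metadata.outputs.update-type == ...` clause per line would keep it reviewable. The job has no checkout step, which is what keeps the workflow-level `contents: write` grant acceptable here, and a comment noting that the job must stay checkout-free would help the next editor.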
From: Claude Date: Sat, 7 Mar 2026 06:40:40 +0000 Subject: [PATCH 2/5] Use immutable user ID instead of actor name for Dependabot check The actor name string could theoretically be spoofed. The user ID 49699333 is the immutable numeric ID for the dependabot[bot] GitHub App and cannot be forged by other users. https://claude.ai/code/session_012ieS3tLTHwwnh9aftVAPVY --- .github/workflows/dependabot-auto-merge.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index 8f6937cf7..396d8042b 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -8,7 +8,7 @@ permissions: jobs: dependabot-auto-merge: runs-on: ubuntu-latest - if: github.actor == 'dependabot[bot]' + if: github.event.pull_request.user.id == 49699333 steps: - name: Fetch Dependabot metadata id: metadata From 87c9a4ab14c9fc795902a477f4a94aad8f708efb Mon Sep 17 00:00:00 2001 From: Claude Date: Sat, 7 Mar 2026 07:48:37 +0000 Subject: [PATCH 3/5] Auto-merge all Dependabot PRs regardless of semver update type Remove the patch/minor restriction and the now-unused fetch-metadata step so all Dependabot PRs are auto-merged (major included). https://claude.ai/code/session_012ieS3tLTHwwnh9aftVAPVY --- .github/workflows/dependabot-auto-merge.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index 396d8042b..5e8754bab 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml 
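Review bot: The new condition changes the predicate from the triggering actor to the PR author: `github.event.pull_request.user.id` stays `49699333` when a `synchronize` event is caused by another user pushing onto the Dependabot branch, whereas `github.actor` would not match in that case, so the job now runs on PRs whose head may contain non-Dependabot commits — confirm that is intended (the `user.login` form introduced in patch 4 has the same property). The numeric literal also has no explanation in the file; I'd comment it inline: `if: github.event.pull_request.user.id == 49699333  # immutable numeric id of dependabot[bot]; login strings are not pinned`. The enclosing job definition continues outside the hunk.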
@@ -10,13 +10,7 @@ jobs: runs-on: ubuntu-latest if: github.event.pull_request.user.id == 49699333 steps: - - name: Fetch Dependabot metadata - id: metadata - uses: dependabot/fetch-metadata@v2 - with: - github-token: "${{ secrets.GITHUB_TOKEN }}" - name: Enable auto-merge for Dependabot PRs - if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' run: gh pr merge --auto --squash "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} From d248dba918aeb4bfb097232a5762f4dccbfdbebc Mon Sep 17 00:00:00 2001 From: Claude Date: Sat, 7 Mar 2026 07:52:37 +0000 Subject: [PATCH 4/5] Align dependabot auto-merge workflow with official GitHub docs example Rewrite to closely follow the recommended pattern from: https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request - Use user.login check with repository guard - Pin fetch-metadata action to commit SHA - Keep squash merge strategy and auto-merge all update types https://claude.ai/code/session_012ieS3tLTHwwnh9aftVAPVY --- .github/workflows/dependabot-auto-merge.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index 5e8754bab..b31e21a1b 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -1,4 +1,5 @@ -name: Dependabot Auto-Merge +# https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request +name: Dependabot auto-merge on: pull_request permissions: 
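Review bot: Dropping the `update-type` gate means semver-major Dependabot PRs are enabled for auto-merge as soon as required checks pass, with no human review; for a library, a major bump of a dependency can change behaviour or transitive requirements for downstream users in ways its own test suite does not exercise, and it widens the window in which a compromised upstream release lands automatically. If the intent is less friction rather than zero review, keeping the metadata step and excluding only majors is a one-line gate on the merge step: `if: steps.metadata.outputs.update-type != 'version-update:semver-major'`. The job-level `if` above the removed lines is unchanged, and the step's `env:` block continues past the hunk.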
@@ -6,10 +7,15 @@ permissions: pull-requests: write jobs: - dependabot-auto-merge: + dependabot: runs-on: ubuntu-latest - if: github.event.pull_request.user.id == 49699333 + if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'graphql-java/graphql-java' steps: + - name: Dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7 + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" - name: Enable auto-merge for Dependabot PRs run: gh pr merge --auto --squash "$PR_URL" env: From 3d150b88e6ba92967def55cf72e710fa0e7ce32e Mon Sep 17 00:00:00 2001 From: Claude Date: Sat, 7 Mar 2026 08:32:32 +0000 Subject: [PATCH 5/5] Use pull_request_target to avoid showing on non-Dependabot PRs The workflow was appearing as a (skipped) build step on every PR. Switching to pull_request_target prevents it from showing up at all on non-Dependabot PRs. https://claude.ai/code/session_012ieS3tLTHwwnh9aftVAPVY --- .github/workflows/dependabot-auto-merge.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index b31e21a1b..b1f3088ac 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -1,6 +1,6 @@ # https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request name: Dependabot auto-merge -on: pull_request +on: pull_request_target permissions: contents: write
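Review bot: The re-added `Dependabot metadata` step (`id: metadata`) produces outputs that no later step reads — the `update-type` condition was removed in the previous commit — so it is a dead step that spends a token-bearing action invocation on every Dependabot PR; either drop it or consume it with a gate such as `if: steps.metadata.outputs.update-type != 'version-update:semver-major'` on the merge step. The action is pinned to a full commit SHA, which is the right choice, but without a trailing `# vX.Y.Z` comment (placeholder for the tag this SHA resolves to) reviewers cannot tell which release it is and Dependabot's own SHA-pin updating has nothing to key on. The `github.repository == 'graphql-java/graphql-java'` guard is a sensible addition for forks; the merge step's `env:` block continues outside the hunk.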
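Review bot: `on: pull_request_target` runs this workflow from the base branch with the repository's secrets and the write-scoped `GITHUB_TOKEN` declared under `permissions:`, even for pull requests from forks, so its safety rests on the job never checking out or executing content from the PR head; today the steps only call `dependabot/fetch-metadata` and `gh pr merge`, which is fine, but that invariant should be recorded above the trigger: `# pull_request_target: runs with base-repo secrets and write token; never check out or execute PR-head content in this workflow.` The job-level `if` (`user.login` and `github.repository`) is the only remaining gate and sits outside this hunk. I'm also not certain the stated motivation holds — as far as I know a run whose single job is skipped is still listed on the PR for this event as well — so it is worth verifying on a non-Dependabot PR before the trigger change is justified on that basis alone.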