ci: add auto-merge workflow for dependabot and pre-commit PRs

Author: gamaware

.github/workflows/auto-merge-dependabot.yml

@@ -0,0 +1,42 @@
+# -----------------------------------------------------------------
+# Dependabot & Pre-commit Auto-merge
+#
+# Auto-approves and enables squash auto-merge for:
+#   - Dependabot PRs (all ecosystems)
+#   - Pre-commit hook update PRs (chore/update-pre-commit-hooks branch)
+#
+# Requires: PRE_COMMIT_PAT secret (fine-grained PAT with PR write)
+# to satisfy CODEOWNERS approval requirement.
+#
+# Gate: CI must pass before GitHub executes the auto-merge.
+# -----------------------------------------------------------------
+name: Auto-merge Dependabot & Pre-commit
+run-name: "Auto-merge: PR #${{ github.event.pull_request.number }}"
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge:
+    name: Auto-approve and merge
+    runs-on: ubuntu-latest
+    if: >-
+      github.actor == 'dependabot[bot]' ||
+      startsWith(github.head_ref, 'chore/update-pre-commit-hooks')
+    steps:
+      - name: Approve PR (as repo owner via PAT)
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.PRE_COMMIT_PAT }}
+
+      - name: Enable auto-merge (squash)
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.PRE_COMMIT_PAT }}